October 23, 2012
My kindle reading list

I’ve been asked if I could share what kind of technology publications I own and read on my Kindle devices. So I thought, why not put them up here.

I use Kindle (on all of my devices) for the technical reference books all the time. It makes my job so much easier (and flights so much shorter).

This is the list at the moment (in no particular order). For any 802.11 professional I wholeheartedly recommend CWNP study guides:

  • Implementing 802.1X Security Solutions for Wired and Wireless Networks by Geier, Jim
  • Active Directory: Designing, Deploying, and Running Active Directory by Allen, Robbie, Desmond, Brian, Richards, Joe, Alistair G. Lowe-Norris
  • Microsoft® Windows Server™ 2003 Inside Out (Inside Out (Microsoft)) by Stanek, William R.
  • VMware Cookbook: A Real-World Guide to Effective VMware Use by Helmke, Matthew, Troy, Ryan
  • Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide by Allen, Lee
  • Vim and Vi Tips: Essential Vim and Vi Editor Skills, 3rd ed. by Artymiak, Jacek
  • Windows Powershell Pocket Reference (Pocket Reference (O’Reilly)) by Holmes, Lee 
  • Managing iOS Devices with OS X Lion Server by Dreyer, Arek
  • SNMP Over Wi-Fi Wireless Networks by Kerdsri, Jiradett
  • CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide by Gibson, Darril
  • IP Design for Mobile Networks by Wainner, Scott, Grayson, Mark, Shatzkamer, Kevin
  • Building the Mobile Internet (Networking Technology) by Grayson, Mark, Shatzkamer, Kevin, Wierenga, Klaas
  • 802.11n: A Survival Guide by Matthew Gast
  • 802.11 Wireless Networks: The Definitive Guide, Second Edition by Matthew Gast
  • Fundamentals of LTE (Prentice Hall Communications Engineering and Emerging Technologies Series) by Andrews, Jeffrey G., Ghosh, Arunabha, Muhamed, Rias, Zhang, Jun
  • Session Initiation Protocol (SIP) : Controlling Convergent Networks (McGraw-Hill Communication Series) by Russell, Travis
  • Linux Networking Cookbook by Schroder, Carla
  • How to Use the Unix-Linux vi Text Editor by Smith, Larry
  • Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems by Sanders, Chris
  • Nmap Cookbook: The Fat-free Guide to Network Scanning by Marsh, Nicholas
  • The Ubuntu Beginner’s Guide - Fourth Edition (Computer Beginner’s Guides) by Moeller, Jonathan
  • Working at the Ubuntu Command-Line Prompt (Linux Nitty Gritty) by Thomas, Keir
  • Telecommunications Essentials, Second Edition: The Complete Global Source (2nd Edition) by Goleniewski, Lillian, Jarrett, Kitty Wilson, (editor)
  • OmniGraffle 5 Diagramming Essentials by Olsen, Ruben
  • Essential SNMP by Mauro, Douglas R., Schmidt, Kevin J.
  • Low Tech Hacking: Street Smarts for Security Professionals by Wiles, Jack, Lowther, Sean, Gudaitis, Terry, Jabbusch, Jennifer, Rogers, Russ
  • Zenoss Core 3.x Network and System Monitoring by Badger, Michael
  • Understanding Linux Network Internals by Benvenuti, Christian
  • Cacti 0.8 Beginner’s Guide by Urban, Thomas
  • Kismet Hacking by Brad Haines, Frank Thornton, Michael Schearer
  • How to Config ISP for CentOS for Server by Ho, Phuong
  • FreeRADIUS Beginner’s Guide by van der Walt, Dirk
  • CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204 (CWNP Official Study Guides) by Coleman, David D., Westcott, David A., Jackman, Shawn M., Harkins, Bryan E.
  • BackTrack 5 Wireless Penetration Testing Beginner’s Guide by Ramachandran, Vivek 
  • CCNA Wireless Official Exam Certification Guide (CCNA IUWNE 640-721) by Carroll, Bran
  • CWAP Certified Wireless Analysis Professional Official Study Guide: Exam PW0-270 (CWNP Official Study Guides) by Coleman, David D., Westcott, David A., Miller, Ben, Mackenzie, Peter
  • CWDP Certified Wireless Design Professional Official Study Guide: Exam PW0-250 (Study Guide Pw0-250) by Jackman, Shawn M., Swartz, Matt, Burton, Marcus, Head, Thomas W.
  • CCNA Official Exam Certification Library (CCNA Exam 640-802) (3rd Edition) by Odom, Wendell
  • Deploying and Troubleshooting Cisco Wireless LAN Controllers by Gress, Mark L., Johnson, Lee
  • Learn RouterOS by Burgess, Dennis
  • Official Exam Prep Guide: Wireshark Certified Network Analyst by Chappell, Laura
  • CWNA Certified Wireless Network Administrator Official Study Guide: Exam PW0-104 (CWNP Official Study Guides) by Coleman, David D., Westcott, David A.

I think this is it. I’ll add new ones as I extend my reading list. Plus vendor white papers are a great resource as well.

Enjoy, 


Gregor

September 23, 2012
Here comes the beast. WFD3

We have all heard it before: 802.11ac is the next big thing in WiFi (personally I disagree, believing 802.11u will bring more significant changes to the industry), bringing multi gigabit speeds to our WiFi devices.

A couple of SOHO vendors have already introduced 802.11ac products, but it is well known that enterprise gear is slower at adopting new technology, as it needs to mature to cope with enterprise requirements.

The industry consensus is that we will be seeing enterprise 802.11ac capable APs in the second half of 2013, depending on the vendor.

A couple of months ago Cisco introduced a new flagship AP, the 3600 series. It is a 4x4:3 behemoth with a module slot for future expansion. The first module introduced was the security module, but more interesting is the announcement of an 802.11ac module.

Cisco 3600 .11ac module

Cisco was a returning presenter at WFD3, having skipped the WFD2 event. Compared to WFD1, they were much better prepared this time. One of the highlights was a demo of a working 802.11ac module.

And it was impressive. 550 - 700 Mbps of pure WiFi bliss. Come on, look at the pretty colours. But as with any alpha release, the screenshot below is not representative of what we can expect from the fully matured 802.11ac standard. Speaking of the standard, just looking at the utilisation of the spectrum, one can observe that no arbitration is performed in the 802.11ac demo. See my comments on the picture below.

Still, Cisco is the first enterprise vendor to have demoed 802.11ac in any shape or form, so kudos to them.

Cheers, 


Gregor

11:27pm  |   URL: http://tmblr.co/ZkKBTwTyPu63
  
Filed under: WFD3 cisco 802.11ac 
September 21, 2012
WFD3 - Thanks for the experience.

I was invited to attend Wireless Field Day #3 as a delegate last week. The event was held in the greater San Jose area, where we were hosted by a bunch of WLAN vendors.

In short, it was great. Extremely condensed but very focused, entertaining and well organized.

WFD3 Group Photo

I really have to take my hat off to Stephen Foskett (@sfoskett) and all of the GestaltIT crew for the organization of the event. I cannot even fathom the time and effort it took to organize this. Come on, just check the video material Benjamin Freedman and the rest of the crew produced at the event. And it was all live streamed:

http://www.youtube.com/user/stephenfoskett?feature=results_main

Mr. Foskett. You rock sir!

PRESENTERS:

This was the third iteration of WFD. I’ve watched the first two events via live streaming, so I have seen previous presentations by the vendors, the good and the bad. All in all I must say that the vendors learned, and all of the presentations were satisfying.

The presenters were, in order of appearance: Wildpackets, Aerohive* (dinner, no streamed event), Metageek, Ruckus Wireless, Tanaza, Meraki, Aruba, Cisco and Juniper. 

HIGHLIGHTS:

I will be writing about each presentation separately but I just wanted to highlight some things that I found particularly cool:

Bob Friday, CTO of Cisco, opening the presentation for Cisco and talking about 802.11u and the impact of WiFi on the carrier market. His presence at the event not only adds value to the event itself but also shows the dedication of a giant like Cisco to the WLAN vertical. The WiFi industry is growing my friends, fast and furious.

Bob Friday

I also enjoyed listening to the HW design talks from super smart people like Jay Pochop, Director of Engineering at Juniper Networks, and the “dirty nerdy” team, Victor Shtrom and Bill Kish from Ruckus Wireless.


Bill Kish and Victor Shtrom

So do yourself a favour and watch the videos at this link: http://www.youtube.com/user/stephenfoskett?feature=results_main

Cheers, 


Gregor

September 10, 2012
WFD#3. What I’d like to see.

Upgrading to Mountain Lion on my iMac broke a couple of things. One thing I like about the update, though, is the new, slick integration of notifications.

And it was displaying “WFD#3 - tomorrow” as I sat behind the keyboard today. I am very excited to be able to be a part of this event.

Events focused on the WiFi industry are few and far between. So I was very aware of the previous events, followed the live streaming sessions and watched the recordings of the first two events. So I was able to watch all the presentations. There were good ones and there were less than good ones.

WFD#3 is organised by Gestalt IT. Read more about the event here: http://techfieldday.com/event/wfd3/

Also, I am very excited that Keith Parsons is joining us as a delegate. Keith is a giant in the WiFi industry, a friend and a mentor. You can follow Keith on twitter on @KeithRParsons and read more about the wonders of the WiFi on his webpage: www.wlanpros.com

So what are my expectations of the vendors presenting?

TO ALL VENDORS / PRESENTERS

I know what marketing is for. I appreciate competition. I understand the hows and whys of FUD and I do not hold that against anybody, but please… the group attending will be technically sound, with hands-on equipment expertise and experience. So we will cry bloody murder if you go that way. Just focus on the technical problems and the solutions your product line provides.

Please do the hands-on as much as possible. Labs, wires sticking out of the products, etc. I’d also like you to talk about your support capabilities and support flow. How do you go about helping your customers, what are the procedures your customers have to go through to get help, etc.

General topics of interest: data offload, 802.11r, 802.11u, 802.11w (client support finally showing up), IPv6.

TO INDIVIDUAL VENDORS (in alphabetical order):

AEROHIVE NETWORKS

One of the three fastest growing WLAN companies (all three are presenting at the event) is interesting because of its extreme focus on particular market verticals: enterprise, education and health. While they can successfully cater to others, there are features not being pursued aggressively. I’d like Aerohive to talk about IPv6, northbound APIs from HiveManager to the OSS for huge networks, integration with HMS for the hospitality vertical and future 802.11u support. Also talk about 802.11r.

"Yes, 802.11u will be widely accepted and used outside carrier and WISP verticals. Mark my words".

ARUBA NETWORKS:

The leader in bells and whistles supported, Aruba Wireless is a company to be respected. I’d like to hear about Aruba’s vision of development regarding centralised or distributed network control. While not providing fully distributed control, Aruba offers the customer controllerless solutions with their Instant line as well as controller solutions. The diplomatic answer is “we are not religious about architecture”. Fair, but still, what is your vision with WiFi going further, the introduction of 802.11ac, the introduction of MIMO capable tablets and smartphones…

I’d also like Aruba to talk more about its outdoor portfolio. It has been more than a year since Aruba purchased Azalea and its mesh product line. What is the status of the integration of the product?

"And yes. The market is growing, you are making good sales. But when will the licensing be simplified? BTW I’d like to have a presentation about Aruba licensing to understand it fully".

CISCO:

The big daddy of enterprise WiFi. I’d like to hear more about the virtual WLC and cloud WLC offerings. What is the roadmap regarding the feature discrepancy between the WLC/virtualised WLC and the cloud based WLC? The Cisco indoor AP line is slick and robust at the same time. With the blue LED it is just as strong a brand as the logo itself. So what is that about with the ugly outdoor units? And what is with the placement of the interfaces on the units? And the weight? And…. Let’s just talk about it.

Cisco is also the leader in 802.11u. What is the potential of the standard? How does Cisco see it implemented in various industries? Talk about data offload architecture as well.

"I know about the 802.11ac module. It’s sweet. Cool, you will probably be talking about it. Just do not go overboard with this, pretty please."

JUNIPER NETWORKS:

Whoa! Where have you been? It’s hard to have any real and concrete expectations about this vendor. Juniper acquired Trapeze in late 2010. So, what is new besides the logo? Is the product running JUNOS (now that would be sweet)? Juniper being a bit behind the game in the fast growing enterprise market, what are you bringing to the game?

"Just no extensive powerpoint, pretty please. And good luck, nothing better than more competition out there for further developing WiFi". 

MERAKI:

The best looker of the group. GUI design to die for. Simple, elegant and it works. I have not had extensive hands-on time with the equipment myself, other than just clicking through the GUI. So I’d like to see some labs, maybe some performance testing (delegates running iperf clients to an iperf server behind a Meraki AP, L2 roaming, L3 roaming…). I’d also like to understand what happens when the connection between the APs and the cloud controller gets broken. How do the APs communicate with each other then? What features are not supported, etc.?

"Sure, I’d like to see switches and firewalls as well. But with as much hands-on as possible, please."

METAGEEK:

Love you guys. That is all.

"Seriously. I have nothing but respect for Metageek. Building affordable yet extremely useful troubleshooting equipment has become standard for them. And seriously. No WiFi vendor has acquired Metageek to this date? The GUI experience alone would make it worthwhile."

RUCKUS:

The bark is getting louder and louder. Are we making bets yet? Acquisition (and by whom) or IPO?

I have always enjoyed presentations from Ruckus. They have guys that can just nail it. On the topics, though, I’d like them to talk about 802.11u (use cases, vision), the SSG phantom platform (show me the money!!!), data offload options with SSG, Channelfly feedback from deployments…

"Or if Victor does his excel presentation again. Maybe even teach us how to do it. That would be cool enough for me".

TANAZA:

A relative unknown of the bunch, Tanaza is not pursuing the enterprise or carrier verticals but is providing tools for simplifying small deployments. I do not have specific expectations for this one, but am looking forward to learning something new.

"Dazzle us. That is all."

WILDPACKETS:

Arguably one of the most robust and feature-rich frame/packet capture tool vendors out there. I do not have any experience with it, so I am looking forward to seeing how it compares to the tools I know and use (CommView for WiFi and Wireshark). I’d also like to see if capturing 802.11u standard frames is supported.

"I know what I am going to read on the plane to prepare for this presentation - CWAP book".

See you all out there!!!

Cheers, 


Gregor

July 14, 2012
Wireless Field Day 3

Woohooo. Daddy is going to Disneyland! Well, not exactly, but I sure feel like a kid being invited to attend Wireless Field Day 3 as a delegate. Having followed this event for the past few years I am super excited to be able to experience it first hand.

So what is all the commotion about?

Brilliant folks at Gestalt IT, led by Stephen Foskett (you can follow him on Twitter @SFoskett), came up with the brilliant idea of organizing events where vendors in different IT fields pitch their solutions and products to a group of independent professionals, who then write, post and tweet about their experience based on the vendor presentations.

And we are not talking about classical sales presentations here; remember, the attendees are all very technical, so the presentations are very tech focused, often pushing the “nerd meter” to a score of 10/10. So who are the delegates?

  • Ryan Adzima, A Boring Look, @radzima
  • Tom Carpenter, CWNP, @carpentertom
  • Sam Clements, SC-WiFi, @samuel_clements
  • Daniel Cybulskie, Simply WiFi, @SimplyWiFi
  • Rocky Gregory, Intensified, @bionicrocky
  • Jennifer Huber, I ♥ WiFi, @JenniferLucille
  • Blake Krone, Digital Lifestyle NSA Show, @blakekrone
  • Chris Lyttle, WiFi Kiwi’s Blog, @wifikiwi
  • Sean Rynearson, WiFiGeeks, @Srynearson
  • Scott Stapleton, Not your fathers WiFi, @scottpstapleton
  • George Stefanick, my802.11, @wirelesssguru
  • Gregor Vučajnk, 802dot11, @gregorvucajnk

All the delegates are well known and respected in the WiFi community so the presentations should be fun!

At this point there are three vendors confirmed for the event with a couple more to be announced shortly:

www.meraki.com

www.wildpackets.com

www.ruckuswireless.com

Oh. Almost forgot. The event will be held on September 12th through 14th in San Jose, and there will be live streams available for all viewers, together with an onslaught of blog posts, twitter feeds and gazillions of photos coming from the delegates and vendors themselves.

Cheers,

Gregor

p.s.: I love WiFi.

July 5, 2012
Hotspot 2.0/Passpoint blog series part 1

Passpoint Capabilities and requirements for APs

I think the requirements and capabilities of the Passpoint certification would be a good start to this blog series. To support the features introduced with the 802.11u standard and get certified by the WiFi Alliance under the Passpoint certification, specific requirements for equipment vendors and operators have to be met.

To make the user happy and the user’s internet experience buttery smooth, the technical requirements have to be met by mobile devices, access points, hotspot operators and service providers.

To make sure that all devices support the same authentication methods, the following credential types and EAP methods have to be supported:

  • if using a certificate as the credential type, the EAP-TLS EAP method has to be used,
  • if using SIM or USIM credentials, EAP-SIM and EAP-AKA must be supported,
  • if using username and password credentials (with server side certificates), EAP-TTLS with MSCHAPv2 has to be supported.

Personally I see the WiFi Alliance extending the EAP methods to MD5, LEAP and PEAP (keep calm, I am just kidding about MD5 and LEAP) to make it easier for enterprises to adopt 802.11u. Contrary to common belief, 802.11u can bring tons of added value to enterprise networks.

So let’s browse through the required capabilities for Access Points:

  • WPA2-Enterprise only. No WEP and no TKIP (thank you!!!),
  • All EAP methods listed above,
  • The “Interworking” information element, supporting the “Venue Info” and “Homogeneous extended service set identifier (HESSID)” fields as defined in the 802.11u standard (do not worry, I will explain every element in detail for my blog readers’ convenience),
  • The “Roaming Consortium” information element has to be supported (again referring to the 802.11u standard),
  • The Interworking bit in the “Extended Capabilities” information element has to be set to comply with 802.11u,
  • The “Basic Service Set Load” element has to be supported, as it carries the current device population and channel utilization of the Basic Service Set,
  • These ANQP elements (Access Network Query Protocol, defined in 802.11u… yes, we will talk extensively about this bugger) have to be supported: “Venue Name” information, “Network Authentication Type” information, “Roaming Consortium” list, “IP Address Type Availability” information, “Network Access Identifier Realm” list, “3GPP Cellular Network” information, “Domain Name” list,
  • Hotspot 2.0 (HS) specific ANQP elements have to be supported: “HS Query list”, “HS Capability list”, “Operator Friendly Name”, “WAN Metrics”, “Connection Capability” and “Network Access Identifier Realm query”,
  • Proxy ARP service has to be supported as specified in 802.11v-2011, Amendment 8,
  • L2 traffic inspection and filtering has to be implemented if the Access Network Type field is set to “Free Public Network” or “Chargeable Public Network”,
  • The AP has to be able to disable downstream forwarding of multicast and broadcast frames,
  • The AP has to be able to disable P2P cross connect. This is done by advertising the P2P Manageability attribute with the Cross Connection Permitted field set to 0.
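Several of the items above are things an AP advertises in its beacon, so they can be verified from a capture. The decoder below is an added example (not part of this post and not Passpoint test-suite code); the element IDs and field layouts are those of IEEE 802.11u-2011, while the beacon bytes it runs on are constructed here.

```python
"""Decode the 802.11u elements a Passpoint AP advertises in its beacon.
Added example, not part of the original post. Element IDs and layouts follow
IEEE 802.11u-2011 (Interworking 107, Roaming Consortium 111, Extended
Capabilities 127); the beacon bytes at the bottom are constructed."""

EID_INTERWORKING, EID_ROAMING_CONSORTIUM, EID_EXT_CAPABILITIES = 107, 111, 127

# Access Network Type values carried in the Interworking element
ACCESS_NETWORK_TYPES = {
    0: "Private network", 1: "Private network with guest access",
    2: "Chargeable public network", 3: "Free public network",
    4: "Personal device network", 5: "Emergency services only network",
    14: "Test or experimental", 15: "Wildcard",
}

def parse_elements(ies):
    """Split a beacon's tagged-parameter area into (element id, body) pairs."""
    out, pos = [], 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated element %d" % eid)
        out.append((eid, bytes(body)))
        pos += 2 + length
    return out

def parse_interworking(body):
    """Interworking element: one options octet, optional 2-octet Venue Info,
    optional 6-octet HESSID, so the body is 1, 3, 7 or 9 octets long."""
    if len(body) not in (1, 3, 7, 9):
        raise ValueError("bad Interworking length %d" % len(body))
    opts = body[0]
    info = {
        "access_network_type": opts & 0x0F,
        "internet": bool(opts & 0x10),
        "venue": None,
        "hessid": None,
    }
    rest = body[1:]
    if len(rest) in (2, 8):       # Venue Info present: (Venue Group, Venue Type)
        info["venue"] = (rest[0], rest[1])
        rest = rest[2:]
    if len(rest) == 6:            # HESSID present
        info["hessid"] = ":".join("%02x" % b for b in rest)
    return info

def parse_roaming_consortium(body):
    """Roaming Consortium element: count of further OIs available via ANQP,
    one octet with the lengths of OI#1 (low nibble) and OI#2 (high nibble),
    then the OIs; a third OI, if any, takes the remaining octets."""
    anqp_oi_count = body[0]
    lengths = (body[1] & 0x0F, body[1] >> 4)
    ois, pos = [], 2
    for ln in lengths:
        if ln:
            ois.append(body[pos:pos + ln].hex())
            pos += ln
    if pos < len(body):
        ois.append(body[pos:].hex())
    return {"anqp_oi_count": anqp_oi_count, "ois": ois}

def interworking_bit_set(ext_caps):
    """Interworking is bit 31 of Extended Capabilities: bit 7 of octet 3."""
    return len(ext_caps) > 3 and bool(ext_caps[3] & 0x80)

def passpoint_beacon_check(ies):
    """Summarise what the beacon says about the AP's 802.11u support and
    whether the advertised network type obliges it to filter L2 traffic."""
    elems = dict(parse_elements(ies))
    if EID_INTERWORKING not in elems:
        return {"interworking": False}
    iw = parse_interworking(elems[EID_INTERWORKING])
    ant = iw["access_network_type"]
    rc = elems.get(EID_ROAMING_CONSORTIUM)
    return {
        "interworking": True,
        "ext_cap_interworking_bit": interworking_bit_set(
            elems.get(EID_EXT_CAPABILITIES, b"")),
        "access_network_type": ACCESS_NETWORK_TYPES.get(ant, "Reserved"),
        "venue": iw["venue"],
        "hessid": iw["hessid"],
        "roaming_consortium": parse_roaming_consortium(rc)["ois"] if rc else [],
        # Free and chargeable public networks must inspect/filter L2 traffic.
        "l2_filtering_required": ant in (2, 3),
    }

# Constructed beacon fragment: Extended Capabilities with the Interworking bit,
# Interworking (free public, internet reachable, venue 7/2, HESSID), two OIs.
SAMPLE_BEACON_IES = bytes.fromhex(
    "7f04 00000080"
    "6b09 13 0702 001122334455"
    "6f08 02 33 506f9a 001bc5"
)
```

Running `passpoint_beacon_check(SAMPLE_BEACON_IES)` reports a free public network with the Interworking bit set, HESSID 00:11:22:33:44:55, two roaming consortium OIs, and flags that L2 filtering is required for this network type.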

Enough for the part one of the series. I will continue with mobile devices, operators and service providers requirements on the next blog and then we will dive deep into the 802.11u standard itself.

Cheers, 

Gregor

June 29, 2012
Hotspot 2.0 - Passpoint. The next huge step in 802.11 technology blog series INTRO.

The WiFi Alliance started with the certification of the 802.11u spec, called the WiFi CERTIFIED Passpoint certification program. The program itself will be released in two parts, starting with Release 1, focusing on network selection and security, followed by Release 2, covering online signup and policy provisioning.

This blog series will focus on the Release 1 certification and its requirements. I will cover these topics in depth, probably with a separate blog post or more for each of the bullet points below:

* Required Capabilities for Access Points,
* Required Capabilities for Mobile Devices,
* Requirements for Operators,
* Requirements for Service Providers,
* Deep dive into 802.11u MAC ANQP (Access Network Query Protocol) elements:
  * Hotspot query list,
  * Hotspot capability list,
  * Operator friendly name,
  * WAN metrics,
  * Connection capability,
  * Network access identifier home realm query,
  * Operating class indicator,
* Hotspot procedures,
* Mobile device procedures,
* Etc.

During the writing of the blog series I may steer away from the topic as I see fit or if any good questions arise from the readers. 

Cheers, Gregor

February 10, 2012
Ruckus Wireless Channelfly feature

As posted in my previous blog, I will be writing some articles about the vendor presentations at WFD2. I’ve picked WFD2 video no. 152 on Vimeo to start with.

GT Hill demonstrates Ruckus Wireless’ ChannelFly technology from Stephen Foskett on Vimeo.

Ruckus Wireless introduced a feature called Channelfly in the 9.3 mainstream code (this feature has been tested for some time now in the 9.2.x code, but only with selected customers). Channelfly is a method of statistically picking the most potent channel (i.e. the channel with the most capacity). It uses statistical prediction (based on the information gathered in the break-in period) to allocate the channel with the most capacity (looking at throughput (L3), not data rate (L2)). Ruckus has posted a video explaining predictive capacity here (it’s still weird seeing David Stiff running with the pack after all these years preaching Cisco) and the Channelfly whitepaper PDF can be found here.

The basic idea of Channelfly is that capacity is spread through the whole spectrum and not just over the standard channels (channels 1, 6 and 11 for 2.4 GHz). In other words, even in dense deployments, non-standard channels like 4 or 10 may carry more capacity, and if so they should be used. Furthermore, based on the data gathered while measuring the throughput on the channels, the AP may predict that at one time of day one channel is better and at another time of day the other channel is preferred.


February 9, 2012
Wireless tech field day 2

Tech field day is an event organized by Gestalt IT, focusing on bringing network vendors closer to their customers. What they do is organize events, bringing a dozen independent network professionals together with the vendors directly. The event is 2 days long and is divided into 6 slots altogether. Each vendor has a slot (2 hours) to engage with the delegates (as the invited independent network professionals are addressed).

Wireless tech field day (abbreviated as WFD) is a subset of the tech field days and, as the name implies, it focuses on the WLAN industry. A fortnight ago the second consecutive WFD was held, following the first one a year ago.

For the first time a WiFi mobility symposium was held prior to the WFD, where industry giants discussed topics such as BYOD and mobile devices, the 802.11u protocol and the 802.11ac/ad protocols (gigabit WiFi). The whole event was streamed live and also recorded:

  1. WiFi mobility symposium introduction.
  2. BYOD and mobile devices.
  3. 802.11u.
  4. 802.11ac/ad.

A couple of additional videos with the panelists’ introductions (Devin Akin of Aerohive, GT Hill of Ruckus Wireless, Carlos Gomez and Peter Thornycroft of Aruba and Paul Congdon of HP) are available on Vimeo for all interested.

As for the WFD2, the vendors presenting were as follows: Aerohive Networks, Metageek, Ekahau, Meraki, Aruba Networks, Ruckus Wireless and HP (not necessarily in that order). 

The delegates present were as follows (source: http://techfieldday.com/2012/wfd2/):

Wireless field day as an event is something special. It’s not just the unique format but the fact that the whole event is live streamed to the internet and recorded. Based on the recordings available I will write a series of blog articles. I will not focus on recapping the presentations (you can watch the recordings yourselves) but I will comment on the topics of the presentations and end with my personal take on them.
Till then, 
Gregor

November 29, 2011
WPA2-PPSK; very undersold security feature

WiFi is the most secure and the least secure network technology there is. Or is it that WiFi is the easiest to implement and the hardest to implement? Or perhaps that WiFi is the most user-friendly and the least user-friendly network technology?

In my opinion, all of the statements above are true. If implemented correctly, WiFi is the most secure network technology there is (well, let us compare it to common WWAN networks such as cellular, WiMAX, etc and 802.3 wired networks). A discussion on this topic could fill up a book, so we will just take it for granted ☺.

However, there is a price to pay for security. The most secure option, 802.11 WPA2-Enterprise (802.1X port based security), offers the highest level of security. It requires management of, and easy access to, both the infrastructure and the end client devices to work, though. It requires appropriate network infrastructure. And it requires time and qualified personnel for implementation and maintenance.

On the other hand, there is the option of an open (in the full sense of the word) WiFi network. An end user just clicks on the available open network and gets connected. Even “better”, most operating systems will kindly offer the option to remember the network, so when the end user connects again (turns the PC back on) he will be connected to the network automagically.

There is also the option of using WPA2-PSK (I will not cover the WEP and WPA security protocols in this blog entry) with TKIP and AES encryption. While AES encryption is preferable and “more” secure, 128 bit TKIP (RC4 based) has not yet been broken. From the encryption standpoint WPA2-PSK can only be broken by dictionary attacks (short, simple passphrases). When using a strong passphrase, WPA2-PSK is unbreakable to date. The problem with WPA2-PSK is that anybody who wants to connect to the network has to have the passphrase. This is okay for SOHO networks, but presents a big challenge to enterprise networks (it has to be changed regularly, it is difficult to prevent the passphrase leaking, etc.). Once potential attackers get hold of the passphrase, all they have to do is capture the 4-way handshake and they can begin decrypting data in real time.

If we apply this to the verticals, we can see that WPA2-PSK is good for the SOHO vertical, WPA2-Enterprise for big government and enterprise networks, and open, unprotected access is good for nothing (this author’s humble opinion). Do not confuse a captive portal in combination with open access with a security feature, because it is not one. Note that with 802.1X another problem occurs. The ability to maintain connectivity when roaming gets compromised, especially for real time applications such as VoIP. While with normal WPA2-PSK a client roams within 50 ms, roaming with 802.1X takes much longer.

So what about schools, hotels (the whole hospitality sector), smaller hot-spot operators, restaurants, bars, and even small to medium sized businesses? Implementing 802.1X in these verticals is both pricey and impractical. Providing WPA2-PSK is not enough. What about secure fast roaming?

Enter the WPA2-PPSK.

PPSK stands for Personal Pre-Shared Key or Private Pre-Shared Key. This technology is implemented by two vendors, Ruckus Wireless (as Dynamic-PSK™) and Aerohive Networks (Private Pre-Shared Key™).

So what it does is combine the security of 802.1X (not quite, but close enough) with the simplicity and performance of WPA2-PSK. Where WPA2-PSK had to be shared among everybody on the network, thus creating a single point of attack, PPSK allows a unique passphrase for every end client (device and/or user) on the network. Therefore, if a passphrase is compromised, attackers have to locate the end user/client (first difficulty) and capture the correct 4-way handshake to be able to decrypt the data payload. And they can do so only for this one client.

PPSK, while based on the standard, is a proprietary (different) implementation by two companies, Aerohive Networks and Ruckus Wireless, and the two have some similarities and differences. A little birdie told me that because PPSK (in generic terms) has been patented, there could be a legal battle between the two concerning PPSK. If it turns out to be true, this would be a shame.

Ruckus Wireless implements its Dynamic PSK in combination with their Zero IT technology. First time users connect to a wired port and authenticate via a captive portal with their unique login credentials. The credentials are checked against the ZoneDirector (controller) or an AAA server. Once authenticated, the user downloads a temporary applet to their PC, Mac, iPhone, etc. Dynamic PSK creates a 63 byte encryption key (unique for each user) while the Zero IT application configures the client device for the WLAN network. Once finished, the end client device is tied to this unique key and the ZoneDirector (Dynamic PSK authenticates the user’s machine and not the user. If user authentication is mandatory, there is a second step available, Web Authentication). The beauty of the Zero IT method is that the end user is unaware of the passphrase and cannot compromise it by conventional methods.

If the end device is not supported by Zero IT (Linux, terminal devices, etc.), the dynamic keys can be created in batches and stored in a spreadsheet for manual configuration. Dynamic keys have a configurable lifetime. When they expire, the whole process must be repeated.

In my experience, Zero IT is more suitable for enterprise and education, as the initial configuration still has to be performed. With batch key creation, the key can be given to the end customer on a receipt (bars, restaurants…) or on a coupon (hospitality sector).

Aerohive’s implementation of PPSK is similar. While they do not have automatic provisioning available, they do have a few features unavailable with Ruckus Wireless: manual setting of the expiration of individual PSKs, automatic mailing of generated keys to a single user or to users in bulk, and role based PSK (dynamic VLAN, firewall, tunneling and QoS policies).
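To make the difference between a shared PSK and per-user keys concrete, here is an added example of a PPSK key store (mine, not Ruckus or Aerohive code). The PMK derivation is the standard WPA2-Personal one (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations); the store layout, the role field, the expiry handling and the 63-character passphrases are assumptions modelled on the features described above.

```python
"""Model of a WPA2-PPSK key store: one passphrase per user, each with its own
expiry and role, on a single SSID. Added example, not Ruckus or Aerohive code.
PMK derivation is the standard WPA2-Personal one (PBKDF2-HMAC-SHA1, SSID as
salt, 4096 iterations, 256-bit key); store layout, role field and expiry
handling are assumptions modelled on the features the post describes."""
import hashlib
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_PASSPHRASE_LEN = 63  # WPA passphrases are 8..63 printable ASCII characters
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits
DEMO_NOW = datetime(2011, 11, 29, tzinfo=timezone.utc)  # constructed timestamp
ONE_DAY = timedelta(days=1)


def derive_pmk(passphrase, ssid):
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 B)."""
    if not 8 <= len(passphrase) <= MAX_PASSPHRASE_LEN:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


@dataclass
class PPSKEntry:
    owner: str
    passphrase: str
    pmk: bytes
    role: str          # assumed: name of the VLAN/firewall/QoS policy to apply
    expires: datetime


class PPSKStore:
    """Per-user pre-shared keys for one SSID, bound to client MACs at first use."""

    def __init__(self, ssid):
        self.ssid = ssid
        self.by_mac = {}

    def issue(self, owner, role, lifetime, now):
        """Generate a fresh 63-character passphrase and its PMK for one user."""
        pw = "".join(secrets.choice(PASSPHRASE_ALPHABET)
                     for _ in range(MAX_PASSPHRASE_LEN))
        return PPSKEntry(owner, pw, derive_pmk(pw, self.ssid), role, now + lifetime)

    def issue_batch(self, owners, role, lifetime, now):
        """Batch creation for printed coupons or devices without an onboarding applet."""
        return [self.issue(o, role, lifetime, now) for o in owners]

    def bind(self, mac, entry):
        """Tie a client device to its key (what the onboarding step does)."""
        self.by_mac[mac.lower()] = entry

    def lookup(self, mac, now):
        """(PMK, role) the AP should use for this client, or None if unknown/expired."""
        e = self.by_mac.get(mac.lower())
        if e is None or now >= e.expires:
            return None
        return e.pmk, e.role

    def revoke(self, owner):
        """One passphrase leaks: drop only that owner's bindings, nobody else re-keys."""
        self.by_mac = {m: e for m, e in self.by_mac.items() if e.owner != owner}


def compare_models(ssid, shared_passphrase, users, now):
    """Contrast classic WPA2-PSK (one PMK for everyone) with PPSK (one per user).
    Returns the number of distinct PMKs each model puts on the air."""
    shared = {derive_pmk(shared_passphrase, ssid) for _ in users}
    store = PPSKStore(ssid)
    personal = {e.pmk for e in store.issue_batch(users, "guest", ONE_DAY, now)}
    return len(shared), len(personal)


if __name__ == "__main__":
    print(compare_models("Lobby", "correct horse battery", ["ann", "bob", "cy"], DEMO_NOW))
```

With three users the shared model yields one PMK that every captured handshake can be decrypted with, while the PPSK store yields three; revoking one user removes only that user's binding.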

Which is better? I do not know. Each has its advantages, but both are unique in the WLAN world and are a great option for authentication when 802.1X and WPA2-PSK just don’t cut it. Here is the comparison chart of WPA2-PPSK for convenience:

source: http://www.theruckusroom.net/2009/06/the-greatest-form-of-flattery.html
