Reference: https://www.cisco.com/c/en/us/td/docs/wireless/access_point/technical-reference/cw9172-dg.html The Cisco Catalyst 9172I Access Point supports FOM (Fast Offline Migration), a Cisco mechanism designed for the new […]
The Cisco CW9172 Day-0 onboarding process is significantly more complex than traditional CAPWAP AP discovery. The boot logs reveal that […]
Cisco ISE Config Authorization Profiles Policy Set Test client connectivity Verify client session and auth on the Aruba WLC Verify […]
On an Aruba Networks controller, IP flow export (IPFIX/NetFlow) is a telemetry feature that sends summarized traffic records to an […]
Domain 1.0 – Security and Risk Management ICS2 code of professional ethics – https://www.isc2.org/ethics Code of Ethics Preamble Code Of […]
In network engineering and technology, we often measure value in throughput, latency, uptime, certifications, and architectures. We debate vendors, protocols, […]
Internal WLCs /md/01_EKRALAC DMZ Controllers /md/02-DMZ
Troubleshooting ISE Enrollment: When Cellular Data Gets in the Way If you’ve ever run into the dreaded “Unable to detect […]
Leadership doesn’t always mean standing at the front of the room or having a title on your email signature. Some […]
In the world of network engineering, ideas are cheap—but execution is everything. Whether you’re designing a network architecture, writing embedded […]
If you’ve ever felt your heart race as a deadline approaches, you’re not alone. Workplace pressure is a reality for […]
“If you want to go fast, go alone. If you want to go far, go together.” This proverb sums up […]
1. Filter for all TLS handshake packets tls.handshake Shows all handshake records including Certificate, Client Hello, Server Hello, etc. 2. […]
The preamble is the initial portion of a Wi-Fi frame transmission. Its main purpose is to: Why is it important? […]
Understanding Mandatory Data Rates In any 802.11 WLAN, the mandatory (basic) data rate is the minimum rate a client must […]
In 802.11 WLANs, arbitration is the process by which devices decide who gets to use the wireless medium (RF channel) […]
Why Labs Aren’t Production Labs are controlled environments. They’re clean, predictable, and often built without the constraints of legacy systems, […]
If there’s one thing I wish someone told me early in my career, it’s that disagreements aren’t something to fear […]
If there’s one aspect of network engineering that often gets overlooked or dismissed, it’s documentation. For many engineers, it’s seen […]
I wish someone had told me what to really expect before moving from the private sector into the public sector […]
One of the most misguided assumptions in technology is that if someone cannot recall every command syntax, protocol timer, or […]
Security is critical – no network engineer disputes that. Protecting data, devices, and users is part of our daily responsibility. […]
When deploying secure wireless networks with guest access, Central Web Authentication (CWA) is a common approach used to redirect unauthenticated […]
20 Non-Vendor Specific Wireless Engineer Interview Questions 2. 10 Aruba Specific Wireless Interview Questions 3. 10 Cisco Specific Wireless Interview […]
In 2025, I firmly believe that technical interviews should include a small lab component. Whether conducted virtually or with physical […]
In the world of wireless design, terminology matters – especially when it affects cost, project timelines, and client expectations. A […]
The STAR (Situation, Task, Action, Result) method has become the gold standard for interviewing. You hear it everywhere – from […]
In the fast-paced world of networking, engineers often find themselves buried in vendor documentation, CLI commands, and troubleshooting guides. But […]
Technology is evolving at a pace we’ve never seen before. From AI to quantum computing, Wi-Fi 7 to Wi-Fi 8, […]
Too often, network engineers define their careers by the vendor logos on their resumes. While it’s tempting to be known […]
In the tech industry, we’ve all met them: the engineer with decades of experience, the architect who can quote RFCs […]
In the world of network engineering and technology, knowledge is power. But how we wield that power determines whether we […]
In fast-paced technical environments, we often focus on deadlines, designs, and deliverables. But there’s another layer that quietly fuels success: […]
Using public-facing certificates for BYOD onboarding is important because they ensure: In short, public certificates simplify BYOD onboarding, enhance trust, […]
Cisco ISE Guest and BYOD Captive Portal Configuration One of the security requirements is to use two interfaces on the […]
Disclaimer This blog is for educational purposes only and promotes ethical cybersecurity practices. Unauthorized hacking is illegal and violates laws […]
Verify that the DMZ-9800 does not have an organizational certificate. Enroll the DMZ-9800 without the firewall rule(s) in place. Note: […]
The Cisco Catalyst 9800 wireless controller can be upgraded using a variety of methods, including: 0. Clean up the “inactive” […]
Nexus-Core-1 Nexus-Core-2 Verify the configuration Verify the WLC config 9800CL-1# 9800CL-2# Test IP connectivity between the WLCs and VRRP IP […]
Part one can be found here The next section will focus on the following: Obtain and Import the internal root […]
Proof of Concept Topology: Objective: Demonstrate that BYOD and guest can be successfully implemented and segmented. Network security is a […]
Purpose This policy establishes the requirements and guidelines for using the 802.1X EAP-TLS authentication protocol to secure network access (wired […]
Objective The purpose of this policy is to ensure that the lab environment, which includes Cisco Identity Services Engine (ISE), […]
Testing the configuration by revoking a certificate What is the status of the certificate on the client? The certutil tool […]
Log into the certificate authority (CA) Publish the template Configure the AIA settings on the CA In this example, a […]
OCSP (Online Certificate Status Protocol) is a protocol used in Public Key Infrastructure (PKI) systems to check the validity of […]
What happens on the client side when the certificate is revoked? On the CA side, the certificate is revoked. The […]
A Certificate Revocation List (CRL) is a critical component of Public Key Infrastructure (PKI) that helps maintain the integrity and […]
Theory EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is an 802.1X authentication method widely used in enterprise wireless and wired networks […]
Wireshark is a powerful tool for understanding or troubleshooting TLS/SSL connections, as it allows you to capture, filter, and analyze […]
In the context of Public Key Infrastructure (PKI), a certificate is a digital document that binds a public key to […]
1. Extract Certificates from PEM and PKCS12 Files Extract a certificate from a PEM file (e.g., .crt, .cer, .pem): Extract […]
Create the root CA private key View Contents of the private key openssl rsa -in LABROOTCA-Private.key Generate the CSR Viewing […]
In PKI, the main certificate file formats are: Each format supports different PKI use cases depending on system compatibility and […]
OpenSSL x509 options Save the certificate in text format Copy and paste the cert contents to the file OpenSSL can […]
Switch6 C9800L-Internal ASAv-Internal SW100 WLAN_DMZ_SWITCH 9800DMZ ASAv-External Test ICMP and SSH connectivity between the internal and DMZ WLCs Allow ICMP […]
Using the Network Device Enrollment Service (NDES) to issue certificates to Cisco devices involves configuring NDES and the router to […]
NDES (Network Device Enrollment Service) is a Microsoft service that facilitates automatically distributing certificates to network devices using the Simple […]
Onboarding iOS Apple devices with BYOD via Cisco ISE involves setting up a process where users can self-register their devices. […]
Onboarding Android devices in a Cisco ISE BYOD environment involves allowing users to securely enroll their personal Android devices onto […]
BYOD Overview When BYOD (Bring Your Own Device) users are corporate users who will use their personal devices on the […]
Configure the native supplicant profile. Enable client provisioning to allow users to download client provisioning resources and configure agent profiles. […]
Part 1 can be found here. Create a redirect ACL on the Cisco 9800 Configure the Guest Portal The guest […]
Part 2 can be found here. BYOD (Bring Your Own Device) is a business policy that allows employees to use […]
Import the root and intermediate certificates into the ISE trust store. Generate a certificate signing request (CSR) on Cisco ISE. […]
Open the CA Right-click on “certificate template.” Copy the default “Computer” template. Copy the default “User” template. Note: The newly […]
Part two can be found here The lab simulates a two-tier PKI where the root CA will be “offline.” The […]
Part one can be found here. Add the role Configure Active Directory/Certificate Authority Navigate to the C:\ drive and locate […]
Part 1 can be found here. Foreign WLC Configuration: Create a REDIRECT ACL Define the Cisco ISE RADIUS Server Note: […]
Open the following ports on the firewall to allow communication between the Foreign (internal) and anchor (DMZ) controllers: For optional […]
Version 17.12.02 makes it easier to provision APs with primary, secondary, and tertiary controllers.
Before you begin 1. Clean up the old installation files 2. Copy the respective software to a remote file server […]
Testing and verification are based on the following basic configuration found here. Verification of VLANs & VLAN IDs Verification of […]
Basic Connectivity Configuration. The configuration workflow is as follows Create a PSK WLAN to test basic connectivity Create the Policy […]
Cisco 9800 VPC on Nexus Cisco 9800 HA on 17.X Cisco 9800-CL HA Configuring a highly available wireless network requires […]
Security Requirements: All Cisco access points must be authorized locally to join the Cisco 9800 WLC. Background Information To authorize […]
Note: When HTTP authentication is configured using TACACS+/RADIUS, the banner message does not display on the Web UI. The login […]
Problem Resolution Retrieve the CA in base64 format Right click on the .cer file and open with a text editor […]
Add DNS entries for the Cisco 9800 Controllers Add the Cisco 9800 Controllers to Cisco ISE Configure the ISE TACACS+ […]
West Coast LA Local See the steps on configuring HA here Verify that the WLC pair is in HA By […]
Goal: Configure the core WLAN infrastructure (West and East Coast) Verify IP reachability between West and East WLCs
Goal: Configure the core WLAN infrastructure (West and East Coast) West Coast Data Center 1 Note: The East Coast Dater […]
Part 1 Testing the Failback After the failover server fails over and becomes the primary, test the failback functionality. These […]
Part 2 About the Failover Server The failover server communicates with the watched AirWave servers using SSH, SNMP, and AMON […]
“On box” Create the CSR Create a folder with the name of the device Create the OpenSSL .cnf file Update […]
“Off box” ssh into the WLC Retrieve the CA in base64 format Right-click on the .cer file and open it […]
R1, R4 and CORE-SWITCH ISE Config System > Deployment > Edit the ISE node 2. Add the network devices 3. […]
TCP Startup Connection Process Step #1 Step # 2 Step # 3 Computer_X acknowledges receipt of WebServer_X’s sequence number and […]
ARP stands for Address Resolution Protocol. It is a communication protocol used in computer networks to map an IP address […]
High-Level Groups and Profiles AP Groups An Example AP group and the associated profiles. WLAN Profile > Virtual AP AP […]
Part 1 Destination Alias Example Destination Aliases A quick note about positioning. Example: Look at the original rule and start […]
Part 2 Aruba’s configuration can be a bit confusing at times. The focus of the Aruba Campus Access Fundamentals, Implementing […]
High-Level Operations Summary Wireshark Verification All 4 (Spoke) routers sent an NHRP Registration Request to R5 (Hub), who responded with […]
Configuration and Behavior Between R5 and R1 R1 (Spoke) sends an NHRP Request to R5 (Hub) R5 (Hub) Responds with […]
DMVPN Phase 2 with static mapping restrictions: R5 Hub R1 R2 R3 R4 Verification of mappings R1, R2, R3 and […]
Dynamic mappings allow for a much more scalable configuration. How does this work? R5 HUB R1 Spoke R2 Spoke R3 […]
Network Type DB/BDR Hello TypeUnicast/Multicast Hello/Dead/WaitIntervals Point-to-Point NO Multicast 10/40/40 Point-to-Multipoint NO Multicast 30/120/120 Point-to-Multipoint Non-broadcast NO Unicast 30/120/120 Broadcast […]
Building OSPF Adjacencies Down This is the first OSPF neighbor state. It means that no information (hellos) has been received […]
Part 1 Link State Advertisements (LSAs) OSPF Header The major fields of the OSPF packet header are as follows: Identifying […]
Part 2 Forming OSPF Adjacencies Must match items: Must be unique items: OSPF Network Types Broadcast DR/BDR Election There is […]
EVE-NG topology DMVPN combines mGRE, the Next-Hop Resolution Protocol (NHRP), and optional IPSec. DMVPN can be implemented as Phase 1, […]
VLSM table Major Network = 10.15.0.0/22 11111111.11111111.11111100.00000000 Number of networks = 2^ 6 = 64 Network Address Usable Host Range […]
The OSI (Open Systems Interconnection) model is a conceptual framework that standardizes the functions of a communication system or network […]
DHCP stands for Dynamic Host Configuration Protocol. It’s a network protocol used to automatically assign IP addresses and other network […]
Traceroute from PC1 (192.168.13.2) to PC2 (192.168.62.2) Note to self: The process repeats for each router in the path. Even […]
VTP Modes You can configure a switch to operate in any one of these VTP modes: VTP Version 1 VTP […]
Example Exponent Number of Hosts * -2 Notation Bits Subnet Mask 2^1 2 /31 11111111.11111111.11111111.11111110 255.255.255.254 2^2 4 /30 11111111.11111111.11111111.11111100 […]
Wireless remote packet capture refers to the process of capturing network traffic on a remote device or network using a […]
Disclaimer for Wireless Penetration Testing Educational Purposes: The wireless penetration testing educational service provided here is solely for the purpose […]
Trigger Frame The trigger frame is a control frame of the MAC header, which contains the association IDs (AIDs) of […]
The article that covers the details of the attack can be found here and here. Launch the rogue AP Start […]
Part 1 Part 2 hostapd-wpe Download the files Creating certs Copy and edit the hostapd-wpe config file Execute the script […]
Part 1 Part 3 Disclaimer for Wireless Penetration Testing Educational Purposes: The wireless penetration testing educational service provided here is […]
Part 2 Part 3 Reference and credit: https://w1f1.net/ Tools: screen Linux screen is a command-line utility that allows you to […]
References: EVP_RSA_gen() generates a new RSA key pair with modulus size bits. Create a certificate signing request. Create the hostapd.eap_user […]
Wireless Penetration Test and Training Purposes Disclaimer: The training material and exercises provided are for educational and training purposes only. […]
AWUS036AXML is the WiFi 6/6E (802.11ax) 2×2 6 GHz and Bluetooth 5.2 high-performance USB adapter. It comes with a 2-in-1 USB-C […]
By default, Kali is set to global regulatory domain (00). To change or set the regulatory domain, run iw reg […]
Part 1 Create the wireless monitor interface(s). 2. Recon and gather info using any of the monitor mode interfaces. Take […]
Part 2 Check the status of the adapter/driver The recon data will be saved in .csv format. This is useful […]
This is a high-level document where I try to understand how different devices will transfer data and at what data […]
Passive Scanning – With 1200 MHz to cover and 59 channels to scan, a station with a dwell time of […]
Reference: https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-delivers-wi-fi-6e-certification-program An overview of WPA 3 can be found here wlan virtual-ap “WIFI6E”aaa-profile “WIFI6E_AAA_PROFILE”vlan 12ssid-profile “WIFI6E_SSID_PROFILE”allowed-band noneallowed-band-6ghz Security Wi-Fi […]
Channels Image Reference: www.juniper.net show arm-channels show ap bss-table show ap arm neighbors Basic Packet Capture from the IAP pcap […]
Whitelist the IAP on the Mobility Conductor Obtain the Ethernet MAC address of the IAP from the GUI/sticker on the […]
Reference: https://www.arubanetworks.com/support-services/end-of-life/arubaos-software-release/
What is clustering? A cluster combines multiple managed devices to provide high availability for all clients. Benefits include seamless roaming […]
Steps 1,2 and 3 – Establish layer one and two The wireless client associates with the AP and seSupplicantional EAPOL […]
Model AP Client Type Firewall Capacity POE Ports 7005 16 1,024 Physical 2 Gbps N/A 7008 16 1,024 Physical 2 […]
In cryptography, PKCS #12 defines an archive file format for storing many cryptographic objects as a single file. It is […]
WLAN configured for WPA3 SAE with backward compatibility Confirmation via airodump-ng Confirmation via Wireshark The client connected after going through […]
PEAP MSCHAPV2 network={ssid=”LAB-PEAP“scan_ssid=1key_mgmt=WPA-EAPeap=PEAPidentity=”jack”password=”black”phase1=”peaplabel=0″phase2=”auth=MSCHAPV2″} TTLS-PAP network={ssid=”LAB-PAP-TTLS“scan_ssid=1key_mgmt=WPA-EAPeap=TTLSidentity=”jack”anonymous_identity=”anon”password=”black”phase2=”auth=PAP”} TTLS-CHAP network={ssid=”LAB-CHAP-TTLS“scan_ssid=1key_mgmt=WPA-EAPeap=TTLSidentity=”jack”anonymous_identity=”anon”password=”black”phase2=”auth=CHAP”} TTLS-MSCHAPv2 network={ssid=”LAB-TTLS-MSCHAPv2″scan_ssid=1key_mgmt=WPA-EAPeap=TTLSidentity=”jack”anonymous_identity=”anon”password=”black”phase2=”auth=MSCHAPV2″}
network={ssid=”TEST”scan_ssid=1key_mgmt=WPA-PSKpsk=”password12345″} wpa_supplicant -Dnl80211 -iwlan0 -c/etc/wpa_supplicant.conf
interface=wlan1driver=nl80211ssid=BLACKhw_mode=gchannel=11macaddr_acl=0ignore_broadcast_ssid=0auth_algs=1wpa=2wpa_passphrase=LETMEINwpa_key_mgmt=WPA-PSKwpa_pairwise=TKIPwpa_group_rekey=86400ieee80211n=1wme_enabled=1 bss=wlan1_0driver=nl80211ssid=WHITEhw_mode=gchannel=11macaddr_acl=0ignore_broadcast_ssid=0auth_algs=1wpa=2wpa_passphrase=LETMEINwpa_key_mgmt=WPA-PSKwpa_pairwise=TKIPwpa_group_rekey=86400ieee80211n=1wme_enabled=1
Use hostapd to create multiple SSIDs on a single wireless adapter interface=wlan1hw_mode=gchannel=6driver=nl80211ssid=APPLEauth_algs=1wep_default_key=0wep_key0=”10101″ bss=wlan0_1 hw_mode=g channel=6 driver=nl80211 ssid=PEAR auth_algs=1 wep_default_key=0 wep_key0=”10101″
Ventev colocation mounts with Aruba AP-534 Ventev Antenna Option # 1 For Open Warehouse Areas – part # – 220125 […]
Wireless designs come with a plethora of nuances, specifically around requirements and past experiences. You can look at a floor […]
Use auxiliary for smb service Set options to target host Scan target Use ms17_010_eternalblue module exploit Victim desktop Change directory […]
Reference: 802.11-2016 – Section – 12.7.6 4-way handshake Key 1- sent from the authenticator to the supplicant Key 2- sent […]
Define the AAA server and server group. I normally define the Radius server on both Anchor and Foreign controllers just […]
Add AAA server to WLC Add the WLC to the AAA server Create a radius server group Create an AAA […]
This lab will demonstrate how to configure a simple web passthrough on the IOS XE 9800 Controller AireOS web passthrough […]
Verify the ARP table of each device PC1 R4 R6 PC2 The primary function of a network is to provide […]
First and foremost read this …. https://tools.ietf.org/id/draft-ietf-tsvwg-ieee-802-11-05.html. Then this … https://tools.ietf.org/html/rfc4594 wireless packet capture with omnipeek /wireshark / SSID open […]
First and foremost read this …. https://tools.ietf.org/id/draft-ietf-tsvwg-ieee-802-11-05.html. Then this … https://tools.ietf.org/html/rfc4594 wireless packet capture with omnipeek /wireshark / SSID open […]
Nexus Config – 9K1 vlan 1,10,20vlan 10name NETWORK_MGMTvlan 20name WLAN_MGMT spanning-tree vlan 1-3967 priority 24576vrf context managementvpc domain 1peer-keepalive destination […]
Information About High Availability High Availability (HA) allows you to reduce the downtime of wireless networks that occurs due to […]
Eve-ng Physical Topology
Because STP is involved in loop detection, many people refer to the catastrophic loops as “Spanning Tree loops.” This is […]
Spanning-tree from the view point of DL-1 and DL2 The interface associated to lowest path cost is more preferred. The […]
In part one we looked at the simplest spanning tree decision that a switch can make when it has a […]
Locating Root Ports After the switches have identified the root bridge, they must determine their root port (RP). The root […]
Define class maps Class Map match-any DROP-NETFLIX1_AVC_UI_CLASS (id 39) Description: DROP-NETFLIX1_AVC_UI_CLASS UI_policy_DO_NOT_CHANGE Match protocol netflix Class Map match-any DROP-NETFLIX2_AVC_UI_CLASS (id […]
Management frame protection (MFP) provides security for the otherwise unprotected and unencrypted 802.11 management messages passed between access points and […]
4.5.4.3 Deauthentication reference – 802.11-2016 – page 223 The deauthentication service is invoked when an existing Open System, Shared Key, […]
reference 802.11-2016 – page STA = station RSNA – Robust Security Network Association A STA prepared to establish RSNAs shall […]
WPA3-Personal WPA3-Personal brings better protections to individual users by providing more robust password-based authentication, even when users choose passwords that […]
Be sure to complete the following prerequisites before upgrading the Cisco IOS XE version of the controller software image: Compatibility […]
video upload test Enhanced open using Ubuntu and wpa_supplicant lab@Crazy4840afkee:/etc/wpa_supplicant$ more owe_script.conf network={ ssid=”OWE13″ key_mgmt=OWE pairwise=CCMP scan_ssid=1 ieee80211w=2 } use […]
New Wi-Fi Enhanced Open™ technology infuses no-hassle advanced cryptography for open networks We’ve all come to expect fast, reliable, and […]
Define the TACACS+ source interface. The source interface is usually the management interface. ip tacacs source-interface VlanX 2. Enable aaa […]
1. Download recovery code from Cisco.com 2. Copy file from server to autonomous AP AP will reboot and join the […]
How RF Groups are formed When the WLC initializes as new, it creates a unique Group ID using the IP […]
The C9800 Product line is designed as a direct replacement for Current Hardware Wireless Lan Controller platforms. C9800 is compatible […]
Blessings, love , righteousness, tolerance, acceptance and forgiveness. For the LORD is good; his mercy is everlasting; and his truth […]
Configure sever parameters – server IP, protocol, file location , file name. Select the cluster of devices to be upgraded. […]
Download the desired version from Aruba’s website. Once the code is downloaded verify the checksum using the Linux md5sum command […]
Clustering is a new feature introduced in AOS 8.x MM – Mobility Master MC – Mobility Controller VMC – Virtual […]
Note: CCIE Enterprise Wireless (v1.0) – 3.9 Controller Mobility – 3.9.e Mobility anchoring On any firewall between the guest anchor […]
Restrictions Prior to enabling HA between two 9800 WLCs ensure these you perform these validations: Both devices must be of […]
The Aruba mobility master structure is configured via folder hierarchy starting at the “managed device” level The two options are […]
TOPOLOGY Boot and configure basic settings: ports, up link VLAN, username and password Configure VRRP on the primary and secondary […]
Download the recommended controller version from Cisco.com – as of 12/18/2019 the recommended version is listed below as Gibraltar-16.12.1s ED […]
Disable the wireless network to configure the country code: C9800(config)#ap dot11 5ghz shutdown Disabling the 802.11a network may strand mesh […]
Carrier Sense/Clear Channel Assessment (CS/CCA) If the station is not currently transmitting or receiving, it listens and senses the channel […]
Management Frames 802.11 management frames make up a majority of the frame types in a WLAN. Management frames are used […]
There is no excerpt because this is a protected post.