On the Cisco ISE, we can use Downloadable ACLs (DACLs) as an enforcement method to control what our endpoints are allowed to do in the network. These DACLs can be used with Catalyst switches and also with the Catalyst 9800 WLC starting with version 17.10.1. Compared to named ACLs, the
IEEE 802.1X plays an essential role in network security. This blog post gives a basic introduction to the elements used in 802.1X. This content is mainly taken from my WLAN security workshop to introduce 802.1X before moving to more complex authentication scenarios. If you want to learn WLAN security or
Part 1 of my “Roaming with WPA3-SAE” blog showed the roaming process in a centralized environment without any Fast Roaming mechanisms enabled. In this second part I’ll look into the roaming process with “Fast BSS Transition (802.11r)” enabled in a centralized environment. TLDR: From the moment the client and the
How does roaming with WPA3-SAE (WPA3-Personal) work? We have the SAE exchange that is done at the beginning of our wireless session to compute the PMK. But do we need this extra exchange when roaming, or is there some kind of a “shortcut”? When starting this blog post I thought that
Recently I had to implement Central Web Authentication (CWA) on a network that uses the Cisco Embedded Wireless Controller (EWC) on Catalyst 9100 APs. Configuration is not that hard, but there is some misleading information in the documentation. Although this blog post is about EWC, it is nearly the same
The Problem: When looking at the configuration of a Meraki SSID (this is software version 27.5.1), there is no obvious way to configure MAC-based access control and PSK simultaneously, as is possible with the traditional Cisco WLAN: We can configure either PSK or MAC-based access control, but the latter without
Some thoughts on advancing your knowledge by moving on from the vendor-specific CCNP Wireless to the vendor-neutral CWNP. I obtained my CCNP Wireless before Cisco changed the whole certification system in February 2020. This text is most relevant if you as a reader also finished this track before that date.
Yesterday I got an e-mail from the Meraki Dashboard that one of my wireless networks will be upgraded to the new version 27.1 next week. But as there are so many exciting new features, I upgraded my office WLAN straightaway. This post is about the “Identity PSK without RADIUS” that
When implementing security on a wireless LAN, 802.1X/EAP is the way to go for maximum security. But as this is not always possible, we often need to make sure that WLANs with pre-shared keys are implemented as securely as possible. The PSK has to be very strong; that is common knowledge.