Showing posts from April, 2013

Meraki Multi-factor Authentication

In a recent post, I was voicing my concerns around the existing default security method employed by cloud-wireless solutions to 'protect' administrative access to their service. In summary, I proposed that some type of multi-factor authentication should be the default method of access for administrators (both customer and vendor) of cloud wireless services. The current default of a "username and password" is too weak when considering the damage that can be inflicted on an organization by unauthorized access to any cloud-managed network.

I heard from one of the guys at Meraki, letting me know that they already have multi-factor authentication. 
I already knew that they have an SMS OTP method, but I didn't really think that it was a particularly good solution. For instance, what about if you're out of cell-phone range or suffer one of those annoying delays in receipt of an SMS message? However, after taking another look, they also now show support for authent…

How Do I "Get Into" WiFi?

I've been thinking about writing this article for a while and today I came across some articles and Tweets which finally spurred me into action (see references at the end of this article). In this article I discuss the CWNP program, with particular emphasis on the CWTS certification, for those wishing to learn about WiFi networking.
I meet a lot of people in my line of work (IT professionals in the main) who would like to improve their knowledge of WiFi networking, or would perhaps even like to shift their area of expertise to become focused in this area. However, the question often arises: "how do I get into WiFi networking?"
If you're an IT professional who already has one or two areas of expertise (maybe you're already a security, routing or perhaps voice specialist?) perhaps you would like to understand WiFi networking, as it will doubtless touch your core area of focus during your day-to-day networking life. Or, perhaps you'd just like to be able to unde…

Cloud Based Wireless Services - Some Thoughts About Security...

In this article, I present some of my thoughts around security of cloud-managed wireless solutions (which I am a massive fan of!). Hopefully the views here will be construed as constructive ideas that may prompt vendors to look more closely at their current implementations and perhaps feed into product improvements.
I've been taking a close look at some cloud-managed wireless solutions recently and they appear to be a very exciting area, providing a very compelling proposition for many organisations.
Remote access to manage your network from anywhere that you have an Internet connection is an incredibly powerful (and empowering) feature. As a consultant working for a vendor-neutral re-seller, the possibilities around remote support and managed services for my customers provide a whole new avenue of exciting opportunities.
However, after the initial buzz and excitement of playing with these solutions, I started to think long and hard about their security. Many of the conce…

Aerohive AP DHCP Option 226 in Cisco IOS

Just a quick note to myself (as well as sharing for anyone interested)...

Aerohive APs can be told where to find Hive Manager using DHCP option 225 (for the HM name) or option 226 (for the HM IP address) (see here for a much better explanation).

I tried to set up the DHCP option 226 for an Aerohive AP today to tell it where to find Hive Manager in my lab. The DHCP server I am using is a Cisco IOS switch. I couldn't get the AP to accept the option for some reason.

After lots of playing about, I finally figured out what my issue was: I was using the 'ascii' keyword for the option type, when it should have been the 'ip' type (...yes, it's always obvious in retrospect).

Here is the correct configuration for a DHCP scope in case you find yourself in the same position:


! *** only assign addresses above .150 ***
!
ip dhcp excluded-address 192.168.50.1 192.168.50.150
ip dhcp excluded-address 192.168.50.254
!
ip dhcp pool AP-VLAN
   network 192.168.50.0 255.255.255.0
   defau…