WLAN Troubleshooting: It's not rocket science
WLAN Professionals Conference February/2016
© Aerohive Networks, Proprietary & Confidential
Overview
• Introduction
• Five Tenets of WLAN Troubleshooting
• Layer 1
• Layer 2
• Higher Layers
David Coleman Senior Mobility Leader - Aerohive Networks
CWNE #4
@mistermultipath
Who am I?
Sybex CWNA Study Guide
4th Edition
ISBN: 978-1119067764
Who am I?
Co-author of:
Coming Soon: Sybex CWSP Study Guide
2nd Edition
ISBN: 978-1119211082
Amazon preorder:
http://amzn.com/1119211085
Who am I?
Five Tenets of WLAN Troubleshooting
• Follow troubleshooting best practices
• Move up the OSI model
• Most Wi-Fi problems are client issues
• Wi-Fi performance problems can usually
be avoided with proper WLAN design
• WLAN always gets the blame
Troubleshooting Best Practices
Identify the issue by asking questions:
•When is the problem happening?
•Where is the problem happening?
•Does the problem affect one client or numerous
clients?
•Does the problem reoccur or did it just happen
once?
•Did you make any changes recently?
Troubleshooting Best Practices
• Identifying the issue (ask questions)
•Recreate problem (ask questions)
•Locate and isolate the cause (ask questions)
•Formulate a plan of solving the problem
• Implement the plan
•Test to verify the problem is resolved (don’t get side-tracked)
•Document the problem and the solution
•Provide feedback to the user
OSI Model
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical
•Troubleshoot the WLAN just like you
would troubleshoot a wired
network
•Move up the OSI model
•802.11 technology only operates
at Layer 1 and 2
• If the problem does not exist in
the first two layers, it is not a Wi-Fi
problem
OSI Model
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical
IP address, routing, ports, firewalls
Wi-Fi: RF and configuration, drivers,
WLAN security sessions, WLAN
design, VLANs, etc.
RADIUS, Active Directory, DNS,
DHCP, NTP and user applications
The client is usually the culprit
• Is the radio on?
•Disable the WLAN NIC
•Enable the WLAN NIC
The client is usually the culprit
•Bad drivers
•Compatibility issues
• Improperly configured
supplicant
Upgrade your clients first
“Where we are going, we don’t need 802.11b”
•Customer is willing to pay $$$ for WLAN infrastructure
upgrades but not for client upgrades?
•Sadly… client-side technology updates are slow
But… it’s backward compatible!
• Legacy client
devices often cannot
connect when new
802.11 technology is
introduced
•Client drivers do not
know how to handle
new Information
Elements in Beacons
•Example: Fast BSS
Transition IE
Upgrade your clients first
clients.mikealbano.com
Clients are not happy on 2.4 GHz
• 2.4 GHz is a disaster zone
• Only three usable channels
• Impossible to prevent CCI
• High SNR
• Oversaturation of 802.11 devices
• Non-802.11 transmitter interference
5 GHz is the answer
[Figure: 5 GHz channel chart, 5.15 to 5.925 GHz, showing the channels in U-NII-1, U-NII-2A, U-NII-2B, U-NII-2C, U-NII-3 and U-NII-4, with a Dynamic Frequency Selection label]
Take the Pledge
• Do not deploy 802.11
clients that transmit
exclusively on 2.4 GHz.
• This pledge should be for
all 802.11 devices.
• Ensure that the 5 GHz
radios support DFS
channels.
• Ensure that they support
the latest and greatest
802.11ac technology
#takethepledge
Proper design reduces support calls
•Airtime Consumption
•Reduce CCI
•Reduce L2 overhead
•Data Rate Pruning (Disable
Lower rates)
•20 MHz Channels
•40 MHz – DFS
•Static channel and power
settings
Low Power is Good High Power is BAD
•Capacity Problems
• Increase CCI
•Hidden Node
•Mismatched power
•Roaming – Sticky
problems
Blame
Your Wi-Fi sucks!
Layer 1
70 % of problems are at Layer 1
•RF Interference
•Client radio and driver problems
•Misconfigured client (supplicant)
security settings
•Power over Ethernet (PoE)
•Firmware issues on Access Points
(Bugs)
1 Physical
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
Layer 1: RF Interference
•Spectrum analysis will find
RF interference
•Learn basic Wi-Fi shapes:
(HR)-DSSS, OFDM
•Learn to recognize
narrow band and wide
band interferers.
•Bring a hammer with you.
Layer 1: PoE Power Budget
•Careful PoE budget planning is a must
•Access points will randomly reboot if a power budget has
been exceeded and the APs cannot draw the power they
require
• PoE problems will grow with the
introduction of 4x4:4 MIMO APs that
require more than 15.4 Watts.
• 802.3at (PoE+)
Layer 1: Bugs
•Often occurs after AP
firmware updates
•Supply the WLAN vendor
with packet captures and
tech data logs
Layer 2
Time to move up the OSI model
•Roaming problems
•Layer 2 retries
•Authentication and association
problems
1 Physical
2 Data Link
Layer 2: 802.11 protocol analysis
•Roaming
•Layer 2 retries affect
performance
•Authentication and
Association mechanisms
Layer 2: Roaming Problems
•Drivers (client problem)
•Sticky Problems (bad
design)
• Layer 3 roaming
AP #1 AP #2
Roaming client station
BSSID
#1
BSSID
#2
Layer 2: Fast Secure Roaming
Roam
RADIUS Server
•Do clients support
Opportunistic Key Caching
(OKC)?
•Do clients support 802.11r
and 802.11k mechanisms?
Layer 2 Retransmissions
Transmitting radio sends a unicast frame
CRC passes
Receiver radio sends L2 ACK frame
Layer 2 Retransmissions
Transmitting radio sends a unicast frame
CRC fails No ACK frame sent by receiver
Transmitting radio sends L2 retransmission
Layer 2 Retransmissions - Cause
•RF interference (Layer 1)
• Low SNR (Layer 1) (bad design)
•Adjacent cell interference (bad design)
•Hidden Node (bad design)
CRC fails
Layer 2 Retransmissions - Effect
• Throughput goes down
•Latency goes up
Layer 2: PSK Authentication Troubleshooting
•Passphrase mismatch
•PMKs never properly created
•4-Way Handshake fails
LDAP
EAP EAP
RADIUS CLIENT AP
Root CA cert Server cert
Layer 2: 802.1X/EAP
• Extensible Authentication
Protocol (EAP)
• Server certificate and Root
CA certificate
• Tunneled authentication using
SSL/TLS
• 802.1X: Port based access control
• Authorization Framework
• Supplicant
• Authenticator
• Authentication Server
• Integrates with LDAP
Layer 2: 802.1X/EAP Troubleshooting
Unable to reach RADIUS server
Layer 2: 802.1X/EAP Troubleshooting
Unable to reach RADIUS server. Possible causes:
• Shared secret mismatch
• Incorrect IP settings on AP or RADIUS server
• Authentication port mismatch
• LDAP communications error
Layer 2: 802.1X/EAP Troubleshooting
LDAP RADIUS AP
•Shared secret mismatch
• Incorrect IP settings on AP or RADIUS server
•Authentication port mismatch (default is 1812)
•LDAP communications error
shared secret
Port: 1812
192.168.100.10
shared secret
Port: 1645
10.5.1.10
Layer 2: 802.1X/EAP Troubleshooting
SSL tunnel is not successful
Layer 2: 802.1X/EAP Troubleshooting
•SSL tunnel fails = certificate problem
•Expired certificate
•Root certificate installed in wrong store
• Incorrect clock settings
•Mismatched EAP types
LDAP
EAP EAP
RADIUS CLIENT AP
Root CA cert Server cert
Layer 2: 802.1X/EAP Troubleshooting
External RADIUS server could not accept the access
request from the client. Possible causes:
• Expired password or user account
• Wrong password
• User does not exist in LDAP
• User authentication or machine authentication
Layer 2: 802.1X Troubleshooting
Blog URL: Troubleshooting-EAP
LDAP
EAP EAP
RADIUS CLIENT AP
Root CA cert Server cert
Layers 3-7
Not a Wi-Fi problem
•Networking problem
•Firewall problem
•Application problem
1 Physical
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
Client cannot get an IP address
DHCP
server 10.5.1.10
Router IP Helper
10.5.1.10
Switch VLANS 2, 8, 10
CLIENT
VLAN 2 - Scope 192.168.20.0/24
VLAN 5 - Scope 192.168.30.0/24
VLAN 8 - Scope 192.168.30.0/24
SSID: Teacher – VLAN 5
SSID: Student – VLAN 8
169.255.255.202
802.1Q
DHCP Probe
DHCP
server 10.5.1.10
Router IP Helper
10.5.1.10
Switch VLANS 2, 8, 10
CLIENT
SSID: Teacher – VLAN 5
SSID: Student – VLAN 8
DHCP request
Lease offer
NAK
802.1Q
Points of failure
DHCP
server 10.5.1.10
Router IP Helper
10.5.1.10
Switch VLANS 2, 8, 10
CLIENT
SSID: Teacher – VLAN 5
SSID: Student – VLAN 8
802.1Q
Questions
Thank you