MY80211.com

Here is the official announcement from Cisco on the EOS / EOL of the Cisco 4400 controller

Title: End-of-Sale and End-of-Life Announcement for the Cisco 4400 Series Wireless LAN Controllers

Description: Cisco announces the end-of-sale and end-of life dates for the Cisco 4400 Series Wireless LAN Controllers.

The last day to order the affected product(s) is June 13, 2011. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement.

For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.
Date: 2010-12-13 09:00:00.0

http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps6366/end_of_life_notice_c51-634665.html

Cisco’s recommend WiSM configuration practice will make you vulnerable – by George Stefanick

I was asked, “The WiSM Config Practice has been out for years, how did you find this ?” The devil is in the details.... 

WiSM Configuration Practice

The initial steps in configuring a Cisco WiSM is what I like to call a “configure-and-forget” step. This is because once the WiSM is configured and married to the backplane of the Sup720 via the “service port” its rare one would need to revisit this procedure again.

There are a number of Cisco WiSM Configuration guides available at cisco.com explaining this process. We will get into these in a bit… 

What is the WiSM “service port”?

First lets understand what the service port interface is and the purpose of the service port. The WiSM service port is one of many ports on a Cisco WiSM. They include the management, ap manager, virtual, service and the operator dynamic interfaces.

•  Management interface (pre-defined and mandatory)
•  AP-Manager interface (pre-defined and mandatory)
•  Virtual interface (pre-defined and mandatory)
•  Service-port interface (pre-defined and mandatory)
•  Operator-defined interface (user-defined)

Cisco’s 4400 and 5500 model controller’s service port is used for out-of-bandwidth management. The service port is a physical port supported on these models, whereby allowing you physical access with a console / null modem cable.

Contrary to the service port on the 4400 and  5500’s models. The WiSM service port is NOT used for out-of-bandwidth management. Rather it is used to synchronize the supervisor engine (720) and the WiSM. 

How does the “service port” on the Cisco WiSM connect to the Sup720?

Once the WiSM is installed, you enter the Sup720 and create a local vlan for the purpose of communications between both the WiSM and the Sup720.  Cisco references vlan 192 in their WiSM config documents, but of course any vlan number can be used. 

Cisco’s WiSM Configuration documentation goes a step further and states to create an SVI interface. An SVI interface is a gateway to bridge traffic. (Here in lies the problem. I will cover in more detail in the next section.)

(See below reference and links to Cisco WiSM configuration Guides, note the SVI interface recommendations and the lack of an ACL) 

The Vulnerability

The Cisco WiSM Configuration Guides detail the creation of an SVI interface for the purpose of the service port interface. For example;

Sup720(config)# interface Vlan 192
Sup720(config-if)# ip address 192.168.10.1 255.255.255.0
Sup720(config-if)# no shutdown
Sup720(config-if)# exit

The Cisco WiSM Guides makes no reference to an ACL which would restrict traffic access to the service port SVI interface. By creating the SVI interface you have a “connected route” from users who terminate to the 6500 to reach the SVI interface. This would include wired and wireless users. Essentially, inside users have access to the WiSM service port. This would also include wireless guest!

Lets follow the packet:

1)     Wireless client pings 192.168.10.1

2)     The packet egresses the wireless client and 802.11 headers are applied

3)     The packet travels via RF

4)     Packet reaches Access Point

5)     Access points encapsulates the packet in a LWAPP/CAPWAP headers

6)     The packet is then sent to the Cisco WiSM / Controller

7)     The WiSM removes the LWAPP/CAPWAP encapsulation and adds 802.3 headers

8)     The WiSM places the packet on the wired

9)     The packet transverses the router to the connected 192.168.10.1 SVI interface

I’m positive this is an oversight by Cisco. Recent conversations with Cisco SE’s, Cisco TAC and other peers agree this is an issue on many levels.

Engineers and Admins who configure the WiSM for the first time or perhaps engineers who have little knowledge would follow the Cisco WiSM Configuration Guide step by step. Not understanding that an ACL needs to be applied to the SVI interface for the WiSM service port. 

Real World Examples:

Lets cover why this is an issue with some real world examples:

Example#1 –

Your inside networks are 10.x.x.x and 172.x.x.x. Your service port on the WiSM is configured for 192.168.10.x network. Users who terminated to the cat / Sup 720 that houses the WiSM has access to the SVI interface 192.168.10.x. Why, because it is a connected route. The traffic will bridge over from 10 / 172  to the 192 network.

Example#2 –

Suppose you don’t have a Cisco WLC to anchor guest traffic. Your wireless guest traffic terminates to the  cat / Sup720 that houses the WiSM. Let suppose you ACL your "GUEST" SVI interface denying your known inside networks. You think you are done and call it a day.

DENY 10.0.0.0 (inside network)

But did you remember to deny 192.168.10.x? If you didn’t your wireless guest now have access to your service port

How to Fix it:

If you configured an SVI interface. Simply ACL the SVI not to allow ANY network access to this SVI interface.  

Conclusion:

I admit this isn’t a five-alarm hole. You don’t have to drop everything you are doing.  But it is one that needs to be addressed if you followed Cisco WiSM Configuration Guides.

Cisco links to WiSM Config

http://www.cisco.com/en/US/docs/wireless/technology/wism/technical/reference/appnote.html

! - Create a vlan in the Supervisor 720, this vlan is local to the chassis and is used for

communication between Cisco WiSM and Catalyst Supervisor 720 over a Gigabit interface on

the Supervisor and service-port in the Cisco WiSM. 

Sup720(config)# vlan 192 

! -- Assign an appropriate IP address and subnet mask for VLAN 192 

Sup720(config)# interface Vlan 192

Sup720(config-if)# ip address 192.168.10.1 255.255.255.0

Sup720(config-if)# no shutdown

Sup720(config-if)# exit

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a00808330a9.shtml

Create the WiSM Service Port Gateway and assign the IP address.

Create a VLAN in the Supervisor 720. This VLAN is local to the chassis and is used for communication between Cisco WiSM and Catalyst Supervisor 720 over a Gigabit Interface on the Supervisor and a service port in the Cisco WiSM.

interface Vlan192 

Description WiSM Service Port Gateway or Management Interface on CAT6K

ip address 192.168.10.1 255.255.255.0 

Cisco released a WCS vulnerability last week

Vocera is reporting connectivity issues on 6.0.199.0. They went as far as to release a Technical Advisory to customers. Its not clear what the issue is at the moment. 

The Vocera Advisory states:

Vocera is aware of an issue that customers are experiencing after moving to Cisco WLC version 6.0.199 that manifests itself in a substantial increase in difficulty with badge communications to the Vocera Application Server over the network. Badges will display "Searching For Server" or "Searching For AP."

Vocera is working closely with Cisco and its mutual customers on the problem.

Please consult with Vocera Technical Support and Cisco TAC before upgrading to 6.0.199.

Cisco released a new rev in the 6.0 track, 6.0.199.0. Note: this has potential to be MD / AW tagged. Although, I will wait and see what fall out there is based on the previous releases in the 6.0. track.

Look at the resolved caveats. There are some BIG problems resolved with this reelase. 

Note:6.0 is a MD train and 6.0.199.0 is a potential MD / AW release. 6.0.199.0 release will be marked with MD / AW Tag after few weeks of customer adaptation and completion of AW release certification

Cisco has released a new Engineer Special for the 6.x WLC code; 6.0.196.159

You will have to request this code from Cisco TAC as you will not find this on CCO. Cisco TAC stated 6.x release is tagged as software advisory. They are not recommending this code and if you have it installed you should apply the latest Engineer Special release until the 6.x maintenance release is released. The 6.x maintenance release is expected end of July / early August.

If you have 6.x running today Cisco TAC has advised the following path:

1)      Down grade to 5.2.193.0 (ED)

2)      Upgrade to 7.0.98.0 (ED)

3)      Upgrade to 6.0.196.159 (ES) 

AS_4200_6_0_196_159 is a build from 6.0.196.0, and it is an engineering special that resolves the following additional caveats:

CSCta13941 - AP rejecting association request with status code 13

CSCtb02136 - AP with AP Groups and HREAP will not broadcast SSID

CSCtb20125 - CCMP errors on key rotation

CSCtc73503 - Radios are showing Tx power level 0

CSCtd28542 - WLC crash on emWeb due to AP config change

CSCtd97011 - Radio core dump: Neighbor Discovery frames stuck

CSCte19262 - Client Deauthenticated – “Unable to locate AP 00:00:00:00:00:00”

CSCte55219 - radio core dump due to large # of uplink frames in inprog queue

CSCte55458 - Web-Auth: Web page takes a long time to display under heavy load

CSCte62815 - 5508 not passing OSPF Multicast traffic

CSCte78472 - Invalid PHY rate returned on ADDTS response

CSCte81420 - Crash in process: "Dot11 driver "

CSCte89891 - AP doesn't transmit beacons

CSCte92365 - Auto Immune - AP side

CSCte93549 - The dot11a radio not able to pass traffic, tx queue getting filled.

CSCte96140 - Ethernet bridging breaks when the Ethernet interface of AP 1242 flapped

CSCtf23682 - 5508 - AP cannot join with Multicast MAC as gateway (checkpoint)

CSCtf34858 - Clients unable to pass broadcast traffic

CSCtf69598 - Memory leak in AP on CCKM Failure

CSCtc57611 - Delay in Music on Hold on 7925 with HREAP AP CSCtg45014 - CT5508 - CAPWAP Control traffic has incorrect DSCP marking.

CSCtg71658 - Ap power level reset to 0 when upgrading from 5.0 to 6.0.196.158

CSCtd43906 - J: RAP not transmitting after coming up; when shut due to radar

*ENGINEERING SPECIAL USE DISCLAIMER*

The Engineering Special fix supplied herewith is a Temporary Software Module which has undergone limited testing. This temporary software module is provided “AS-IS” without warranty under the terms of the END USER LICENSE FOR THIS PRODUCT. Please use this software at your own risk. The intention for this code fix is for you to use in your production environment until a released version is available.

Catastrophic isn't my words, but Cisco's.  Engineer's beware ...

Client can't transmit traffic if it reassociates to an AP within 20 sec

Cisco released a new rev for the controllers, 4.2.209.0. I'm not really surprised Cisco is still supporting 4.2. There are a number of large healthcare systems still on the 4.2 rev. 

Another special TAC release (1.3.4.0.2) this time for the Cisco 7921G and 7925G IP Phones. I'm told this release is a 'quick fix' for the battery issue discovered in release 1.3.4. 

Sources at TAC mentioned 1.3.5 could be out as early as end of May. Comments were also made that

 1.3.4.0.2, "has been through only basic testing to verify the power consumption issues"

Not often you see 'special' releases on the Cisco WLC. I think Cisco tagged 6.0.196.0 as assurewave to soon! If you are having issues, TAC may recommend this TAC only release

Date entered: 4-May-2010 

Summary: fixes for several important WLC bugs are in the 6.0.196.158 build, available through TAC. This build will not be posted to CCO; the fixes will be incorporated into the next 6.0 release targeted for summer 2010. For more information, see the 6.0.196.158 release notes.

Addendum Release Notes for Cisco Wireless LAN

Controllers and Lightweight Access Points for
Special Build 6_0_196_158
___________________________________________
Base Code: 6.0.196.0
Special Build: 6_0_196_158

ENGINEERING SPECIAL BUILD

6_0_196_158 is a build from 6.0.196.0, and it is an engineering special that resolves the following
additional caveats:

CSCta13941 - AP rejecting association request with status code 13
CSCtb02136 - AP with AP Groups and HREAP will not broadcast SSID
CSCtb20125 - CCMP errors on key rotation
CSCtb92872 - WiSM: System crash - Task "cids-cl Task" taking too much cpu:
CSCtc23789 - AP radio down - interface stuck in reset
CSCtc57611 - Delay in Music on Hold on 7925 with HREAP AP
CSCtc73503 - Radios are showing Tx power level 0
CSCtd28542 - WLC crash on emWeb due to AP config change
CSCtd97011 - Radio core dump: Neighbor Discovery frames stuck
CSCte19262 - Client Deauthenticated – “Unable to locate AP 00:00:00:00:00:00”
CSCte55219 - radio core dump due to large # of uplink frames in inprog queue
CSCte55458 - Web-Auth: Web page takes a long time to display under heavy load
CSCte62815 - 5508 not passing OSPF Multicast traffic
CSCte78472 - Invalid PHY rate returned on ADDTS response
CSCte81420 - Crash in process: "Dot11 driver "
CSCte89891 - AP doesn't transmit beacons
CSCte92365 - Auto Immune - AP side
CSCte93549 - The dot11a radio not able to pass traffic, tx queue getting filled.
CSCte96140 - Ethernet bridging breaks when the Ethernet interface of AP 1242 flapped
CSCtf23682 - 5508 - AP cannot join with Multicast MAC as gateway (checkpoint)
CSCtf27580 - Ethernet interface input queue wedge from broadcast/uniGRE traffic
CSCtf34858 - Clients unable to pass broadcast traffic
CSCtf63030 - Radio may get stuck in RESET or DOWN state
CSCtf69598 - Memory leak in AP on CCKM Failure
CSCtf94589 - AP mac address discrepency in aggressive load balancing packets.

*ENGINEERING SPECIAL USE DISCLAIMER*

The Engineering Special fix supplied herewith is a Temporary Software Module which has undergone
limited testing. This temporary software module is provided “AS-IS” without warranty under the terms
of the END USER LICENCSE FOR THIS PRODUCT. Please use this software at your own risk. The
intention for this code fix is for you to use in your production environment until a released version is

available. 

Americas Headquarters
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2010 Cisco Systems, Inc. All rights reserved. 95134-1706 USA

Its been what, a year and a half since the WLC had an AssureWave Version? Below is the test results.

AssureWave Solution Testing Results

There are three types of AssureWave Certification:

• Passed: No major defects identified in tested areas
• Pass with Exception: Some defects that could affect certain deployments
• Failed: One or more major defects identified in core area

Tested Versions

4.2.207.0 - Test Results  (PDF - 1.66 MB)

• AIR-WLC2100-K9-4-2-207-0.aes (Passed)
• AIR-WLC4400-K9-4-2-207-0.aes (Passed)
• SWISMK9-4-2-207-0.aes (Passed)
• SWLC3750K9-4-2-207-0.aes (Passed)
• AIR-WLCM-K9-4-2-207-0.aes (Passed)

6.0.196.0 - Test Results  (PDF - 2 MB)

• AIR-WLC2100-K9-6-0-196-0.aes (Pass with Exception)
• AIR-WLC4400-K9-6-0-196-0.aes (Pass with Exception)
• AIR-CT5500-K9-6-0-196-0.aes (Pass with Exception)
• SWISMK9-6-0-196-0.aes (Pass with Exception)
• SWLC3750K9-6-0-196-0.aes (Pass with Exception)
• AIR-WLCM-K9-6-0-196-0.aes (Pass with Exception)

I wanted to share a recent bug I just encountered with WCS. I’m running WLC code 6.0.188.0 and WCS 6.0.170.0. In WCS if you drill down to the access point and look under CDP neighbor tab the duplex is reported as half-duplex.  I double checked the switch and the access point and it was set to FULL.

 Reportedly this is fixed in the next version of WCS, not yet released. 6.0.178 .0 and 7.0.87.0.

 CSCtd66943 Bug Details

So I wasn’t losing my mind after all. In between projects I attempted to update the bootloader on my personal controller and the new WiSMs I just deployed. Both running 6.0.188.0. I tried over 10 times, each time I got a successful TFTP transfer and did a reload. But the new bootload wouldn’t take. I searched the release notes and docs. In fact I learned more about the WLC bootloader chasing this issue down.

So I gave in and called TAC.  Here is what I was told:

There are two know bugs that fit the issue you are having 1) CSCsy99596    Need to bundle bootload into ER image and 2) CSCtd46886    WLC with version 6.0.188.0 shows incorrect boot loader version.  Both are new bugs and have not been resolved as yet.

I understand CSCtd46886 is dated 11/25/09. 

Just wanted to share incase you come across this issue…

Cisco announced the end of life and end of sale for the Cisco 526 Wireless Express Mobility Controller. You probably didn't even know Cisco had a controller 526 and 500 series APs, did you? This product line was an attempt to market to small price point customers who wanted a controller based  product with enterprise features. The 526 / 500 line had no compatibility between the 2100 / 4400 / 5500 / WiSM product line. So you couldn't take a 500 series AP and have it join a 4400 series controller. I mentioned when Cisco released this, it was doomed from the start. I didn't see this product taking hold in the market.

Title: End-of-Sale and End-of-Life Announcement for the Cisco 526 Wireless Express Mobility Controller  [Cisco 500 Series Wireless Express Mobility Controllers]
Url: http://www.cisco.com/en/US/prod/collateral/wireless/ps7306/ps7320/ps7339/end_of_life_c51-568040.html
Description: Cisco announces the end-of-sale and end-of life dates for the Cisco 526 Wireless Express Mobility Controller. The last day to order the affected product(s) is June 1, 2010. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.
Date: 2009-12-01 07:11:34.0

Title: End-of-Sale and End-of-Life Announcement for the Cisco 500 Series Wireless Express Access Points  [Cisco 500 Series Wireless Express Mobility Controllers]
Url: http://www.cisco.com/en/US/partner/prod/collateral/wireless/ps7306/ps7320/end_of_life_c51-568039.html
Description: Cisco announces the end-of-sale and end-of life dates for the Cisco 500 Series Wireless Express Access Points. The last day to order the affected product(s) is June 1, 2010. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.
Date: 2009-12-01 07:11:32.0

Url: http://www.cisco.com/en/US/partner/ts/fn/632/fn63258.html
Description: Cisco has observed that certain identified serial numbers of WLC 4400 series controllers may fail to boot on a subsequent power cycle. Few 4400 series controllers that are built between November 2008 and March 2009 have experienced lower test during power cycles due to a bad part.
Date: 2009-10-06 10:00:00.0

 

Summary

Multiple vulnerabilities exist in the Cisco Wireless LAN Controller (WLC) platforms. This security advisory outlines the details of the following vulnerabilities:

• Malformed HTTP or HTTPS authentication response denial of service vulnerability
• SSH connections denial of service vulnerability
• Crafted HTTP or HTTPS request denial of service vulnerability
• Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml

Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility.

These devices communicate with controller-based access points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP).

Click to read more ...

Message Type : End-of-sales/ End-of-life announcement

Cisco Systems announces the end-of-sale and end-of-life dates for the Cisco Power Supply for Cisco Aironet 1130, 1140, 1240 and 1300 Series Access Point. The last day to order the affected product is November 20, 2009. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as listed in Table 1 in the EoL announcement.

Click to read more ...

Updated on Wednesday, February 4, 2009 at 9:59PM by George

Message Type : Security Advisory
Title: Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
URLs:
http://www.cisco.com/en/US/customer/products/products_security_advisory09186a0080a6c1dd.shtml
(available to registered users)
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a6c1dd.shtml
(available to non-registered users)

Click to read more ...

Updated on Tuesday, February 3, 2009 at 9:10PM by George

Title: Cisco Field Notice: FN # 63177 - Cisco Aironet 1250 Access Point Buzzing, Vibrating and making Noise
URL: http://www.cisco.com/en/US/ts/fn/631/fn_63177.html
CDC http://www.cisco.com/en/US/customer/ts/fn/631/fn_63177.html
(available to registered users)

Click to read more ...