• Category : Cognitive WiFi

 
 

Arista products not affected by CVE-2019-15126 (Kr00k vulnerability)

Arista products are not affected by CVE-2019-15126 (Kr00k vulnerability). Kr00k – also known as CVE-2019-15126 – is a vulnerability in certain Wi-Fi chips that allows unauthorized decryption of some WPA2-encrypted traffic. Arista Networks WiFi products (APs and management systems) are not exploitable by the above-mentioned CVE. The vulnerability affects all unpatched devices with Broadcom and Cypress FullMac Wi-Fi chips. Devices using Wi-Fi chips from other manufacturers, including Qualcomm, Realtek, Ralink and Mediatek, do not exhibit this vulnerability. Arista Networks APs do not use the Wi-Fi chips that are affected. The vulnerability exploits a bug in the WiFi chipset that...
Continue reading →

How to Upgrade Access Points to a Specific Build (On-Premises)

Introduction This article describes how to update the firmware on Arista Access Points via the On-Premises Wireless Manager server. On the Arista Cognitive WiFi Cloud, the AP firmware update bundle will be available via the cloud. CloudVision WiFi or the Wireless Manager UI will indicate if new firmware is available for any APs and you can initiate the firmware update for these devices from the UI. If you are using an on-premises Wireless Manager server with Internet connectivity, that is configured to sync with the cloud firmware repository, the update bundle will be available on Wireless Manager itself, after it...
Continue reading →

Packets FAQs

Packets is a cloud based network analysis and visual troubleshooting tool. Here are a few frequently asked questions and useful tips. What file formats are supported? Captures with the formats – .pcap, .cap, .wcap, .pkt and .pcapng – are supported. Both wireless and wire-side captures are supported. How do I capture the packets on my network? You can use tools like Wireshark to capture packets on your network. If you are on Mac, you can install AirTool or use Wireless Diagnostics. What other tools can be integrated with Packets? AirTool users can upload traces from AirTool directly...
Continue reading →

Getting Started With Packets

Packets is a cloud based network analysis and visual troubleshooting tool. The workflow is simple and straightforward. Here is a quick guide to get you started with the tool. Uploading A Tracefile On login you will be presented with the Home page as shown below. The Home Page allows you to upload new traces or to manage already uploaded traces. To upload a new trace, simply drag and drop it in the section marked as ‘Drag Your Traces Here’ or you can also click on the ‘Select Files’ text to browse and select a file...
Continue reading →

Troubleshooting an AP in "Non-Recoverable" State after Firmware Update Failure

Introduction This article will assist you in troubleshooting when an AP goes into a “non-recoverable” state. This may happen if the device suddenly loses power or connectivity with the cloud/on-prem WiFi management server during the firmware update process. On CloudVision WiFi, the Update column shows “Firmware Update Failed” for the AP in question. On Wireless Manager you will see the icon beside the AP listing, indicating that the device is in a “non-recoverable” state. Prerequisites Access to the CloudVision WiFi (CVW) or Wireless Manager (WM) UI. config CLI access to the Arista AP or a crossover cable and...
Continue reading →

How to Work with Groups on CloudVision WiFi

Introduction Groups provide a network administrator the flexibility to apply custom configurations to APs across locations in CloudVision WiFi, regardless of the default templates configured at those individual locations. In this article we will walk through some common operations using Groups. Prerequisites Superuser or Administrator access to CloudVision WiFi (CVW). CloudVision WiFi version 2.4 or higher. Wireless Manager (WM) version 8.7 or higher. Solution Creating Groups A Group can be created in any of the following ways in CVW: Navigate to System > Navigator > Folder > Right click on a folder > Add Group Note: Groups cannot be created...
Continue reading →

Interpreting EoGRE Traffic Using Wireshark

Introduction Ethernet over GRE (EoGRE) is an unencrypted, stateless, Layer 2 tunneling technology. EoGRE encapsulates Ethernet packets and provides the ability to set up one or more tunnels from an AP to an aggregation device such as a router. There is no connection setup or tear-down procedure. As such, the tunnel interface always remains ON and ready to send/receive on the AP side. This article describes how to interpret EoGRE traffic using Wireshark. Solution The GRE header has the following fields: Checksum – 1 bit. This field is assumed to be zero in this version. If set to 1,...
Continue reading →

How Frequently is Data Updated on CloudVision WiFi?

Introduction The article lists the different modules and frequency at which CloudVision WiFi updates its UI by fetching data from Wireless Manager. Solution The Wireless Manager collects all data and stores it in its database. CloudVision WiFi polls this data from the Wireless Manager database periodically and presents it using an internal webserver. There are different counters and charts across different modules on CloudVision WiFi which have their own polling intervals, default duration filter and granularity for which data is being shown. Modules Counters or Charts Default Filter Duration Granularity Polling Interval All Pages AP counters Current 2 minutes Clients...
Continue reading →

Can I Use LDAP to Authenticate Wireless Users?

Introduction As the number of users in an organization increases, so does the need for a centralized database for user management. Arista APs can be used to authenticate users who sign in to WiFi, using their credentials stored in a centralized or distributed database. Lightweight Directory Access Protocol (LDAP) cannot be directly implemented as an authentication mechanism by an Arista AP, primarily because the Arista APs do not support this protocol for authentication. Another reason is that LDAP is not really an authentication protocol but a directory lookup/access protocol, for querying and modifying items in directory service providers like Active...
Continue reading →

CloudVision WiFi and APIs

Introduction The article describes a few examples of how CloudVision WiFi uses APIs to interface with Wireless Manager. Prerequisites Administrator or higher access to the Wireless Manager and API Keys Solution CloudVision WiFi (CVW) does not store any WiFi data or configuration. Instead, the Wireless Manager (WM) server collects all the data and stores it in its database. CVW polls the WM database periodically and represents it on its own UI using an internal web server. So, how does CVW fetch this data from the WM database? API Samples Below are a few examples of the APIs that CVW uses to...
Continue reading →

CDE Networks and Their Relevance to PCI Standards

Introduction In this article we will discuss CDE networks in the context of PCI DSS reports on CloudVision WiFi. First let’s understand what these acronyms mean. PCI DSS: The Payment Card Industry Data Security Standard is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment. Therefore wireless, being an important part of the network, will also have to follow the set of security standards defined under PCI DSS. CDE: Over the years, PCI DSS has come up with enhancements in the defined standards, PCI DSS...
Continue reading →

AP Classification with Arista WIPS

Introduction This article explains the classification of Access Points on Wireless Manager, based on tests performed to get their wired identity and their activity in your network. Solution AP Categories Authorized Access Point Access Points (APs) that are wired to the corporate network and are compliant with the Authorized Wireless LAN (WLAN) configuration defined by the Administrator on Wireless Manager (WM) are classified as Authorized APs. Typically, these will be Arista APs, but the administrator can configure the Authorized WLAN policies for any AP vendors. Arista APs/Sensors monitor the corporate VLANs and perform various connectivity tests over the wired network...
Continue reading →

Essential Guide to Client Classification with Arista WIPS

Introduction Client classification policies define how wireless clients are classified based on their initial discovery or their AP association. It is a vital feature that is used to leverage the WIPS functionality appropriately. Prerequisites Administrative access to Wireless Manager. Solution Correct classification of wireless clients is necessary for effective Intrusion Prevention. Client Auto-classification settings are present on Wireless Manager at Configuration > WIPS > Client Auto-classification. Initial Client Classification Enabling this feature will ensure that new clients seen by the Arista AP/Sensor are automatically assigned to one particular category which may be External/Authorized/Guest, according to the administrator’s...
Continue reading →

Troubleshooting On-premises CloudVision WiFi

Introduction The CloudVision WiFi service was originally available only as a service on the Arista Cognitive WiFi Cloud. From Wireless Manager version 8.5.1, an administrator can now install CloudVision WiFi for an on-premises Wireless Manager server. This document lists the steps to troubleshoot issues with the CloudVision WiFi plugin. Use Case This article is useful to troubleshoot scenarios where the hyperlink to launch CloudVision WiFi from Wireless Manager is not displayed. Prerequisites Wireless Manager (WM) must be running software version 8.5.1 or higher. The administrator will have to download and install the CloudVision WiFi (CVW) plugin. Solution Setup Follow the steps...
Continue reading →

Working of a Hidden SSID

Introduction In conventional WLANs, APs advertise their presence by sending out beacon frames that include their Service Set Identifier (SSID) and Basic Service Set Identifier (BSSID). Prior to association, clients gather information about the APs by scanning the channels one by one and listening for beacons on each channel. This is called “Passive scanning”. Clients also perform “Active scanning”, whereby they send out Probe Request frames on each channel. These are requests for APs to send out information about themselves. APs respond to Probe Requests with Probe Response frames, the contents of which are similar to beacon frames. Once the...
Continue reading →

How to Check EOGRE Tunnel Status on CloudVision WiFi

Introduction This article explains how to verify the status of the GRE/IPSec tunnel on CloudVision WiFi. Prerequisites CloudVision WiFi version 2.4 or higher. 802.11ac capable Arista APs. Solution In order to view the status of the tunnel formed by the AP(s) with remote endpoints, navigate to Monitor > WiFi > Tunnels. The green dot indicates that the status of the tunnel is up/active, and the red dot indicates that the tunnel is down/disconnected. The AP will check for the increase in Receiving Packet count (Rx) in order to determine the status of the tunnel. In case there is no increase...
Continue reading →

Troubleshooting WiFi Throughput Issues with iPerf3 on Arista APs

Introduction When we observe low throughput in the network it is important to understand whether the issue lies on the WiFi or the wired side of the network. The method to achieve this is to perform an iPerf test and compare results. This utility is present on the Arista AP which acts as an iPerf server, eliminating the need for a second client connected to the WiFi network. Online speed tests are good for quick results; however, they are not ideal for troubleshooting as these speed tests are also dependent on factors outside the LAN/WLAN. Prerequisites config shell CLI access...
Continue reading →

Introduction to Stream Marker Packets

Introduction This document describes the Stream Marker enhancement that avoids any potential impact of Marker packets on AP performance. Marker packets are injected by Arista APs and sensors to detect Rogue APs. In some cases, the Marker packets themselves may adversely impact the performance of other APs, as these are broadcast packets forwarded at basic rates on the wireless side. Prerequisites Administrator privileges on Wireless Manager and CloudVision WiFi. Solution The number of Marker packets seen on the wireless side is multiplied by the number of VLANs and the number of APs on the same channel in the vicinity. With...
Continue reading →

How to Assign a Static IP to an Arista AP via CloudVision WiFi

Introduction This article explains how to set up a static IP address on Arista APs via CloudVision WiFi. Prerequisites Administrator access to CloudVision WiFi (CVW) / Wireless Manager (WM). The AP must show Active status on CVW. Solution A static IP address can be assigned to any Arista AP using the “Additional VLAN Monitoring” option. To enable this, navigate to Monitoring > WiFi > Access Points. Right-click the AP to which you want to assign a static IP address and select Customize > Additional VLAN Monitoring. In the right-hand side panel, select Add VLANs to Monitor, enter the VLAN ID and click Add....
Continue reading →

How to enable BLE (Bluetooth Low Energy) on CloudVision WiFi

Introduction Bluetooth beacon advertising is a wireless personal area network technology that is used in healthcare, fitness, security-based applications, etc. Bluetooth beacons use Bluetooth Low Energy (BLE) proximity sensing to transmit a universally unique identifier that is picked up by a compatible app or operating system. This identifier, along with several bytes sent with it, can be used to determine a device’s (e.g. a smartphone’s) physical location, track customers, or trigger location-based actions on the device, such as a check-in on social media. Another use is distributing messages at a specific point of interest, e.g. a shopping mall or bus stop to advertise products...
Continue reading →
