It Depends!

This is the landing page for all the wireless-related posts on my blog. The majority of the content supports my study for wireless certifications such as those from CWNP. The name ‘It Depends!’ was chosen because it is the answer to the majority of wireless queries.

CWISA - Cellular Networks #CWSA #IoT #LTE #CWNP

Planning Wireless Solutions covers 30% of the exam syllabus.

This blog focusses on Cellular Networks (Overview and Understanding) - chapter 6.

The CWISA exam does not require one to know the ins and outs of cellular wireless networking. It only aims to make one able to take the decisions required to select an appropriate cellular network when designing and maintaining wireless networks. This chapter therefore covers only what is relevant to the CWISA exam requirements.

First Mobile Phone: Motorola DynaTAC 8000x - 1983, Huge and power intensive.

According to research in 2019, more than 5 billion people have a mobile phone and over 65% of them own a smartphone. I think the trend will only go up, and will only come down once it is replaced by the next-gen technology.

[Table: 4 Cell Phone Generations Compared. Surviving entries: SMS; switching; LTE Advanced, IEEE 802.16 (WiMax); data rates of 236.8 kbps and 384 kbps.]

As discussed earlier, the CWISA exam does not aim to help us deploy cell tower radios or configure core cellular networks. Cellular networks use a cell-based coverage plan. Communication across the network works through base station transceivers communicating with the local base station controller at the cell site. The base station controller connects back to a mobile switching center via a wired/wireless connection.

Each cell site can service multiple carriers. It can provide range of services ranging from Voice, SMS, Locationing (GPS based locationing) and Data (internet access).  The Data service plays a crucial role in enablement of IoT cellular deployments.

LTE / 4G

Long Term Evolution (LTE), also known as 4G, is the step before 5G. The original 4G was established in Release 10 from the 3GPP organisation. Between 4G and 5G are Releases 11, 12, 13 and 14, which provide enhancements to 4G networks. Devices must be selected carefully based on their compatibility with the technology: mobile devices which use LTE (4G) usually have a fallback capability to use 3G. In years to come, when 3G is phased out, the fallback option will be gone too. The same applies to 5G-enabled devices. Narrowband IoT (NB-IoT) is used in Release 13 for the 4G standards.

Frequency Bands - More than 50 different frequency bands (in MHz) are used in LTE/4G deployments. The exam does not require one to memorise all the bands but should know which bands are available in their regulatory domain.

Modulation Methods - OFDM is used in general LTE/4G technology. OFDMA is used in downlink communication, and single carrier FDMA (SC-FDMA) is used in uplink communication. Each subcarrier in LTE uses QPSK, 16-QAM or 64-QAM.

QPSK - 2 bits per symbol, 28000 bits/sec
16-QAM - 4 bits per symbol, 56000 bits/sec
64-QAM - 6 bits per symbol, 84000 bits/sec

Devices - Primary consideration for mobile devices, backup links for uplink devices like routers/firewalls etc. Many WBANs (Wireless Body Area Networks) connect via Bluetooth to gain access to the cellular network. 5G Evolution, which is not 5G yet but LTE-A (Advanced), offers 1Gbps/500Mbps uplink and download speeds respectively.


5G

Still based on the 4G/LTE model with OFDM as the primary modulation scheme. Enhancements include support for frequency bands above 6GHz, ultra-low latency of under 1 ms and higher data rates.

Frequency bands - These vary by the regulatory domain one is in. Phase one of 5G rollouts focuses on the use of existing 4G/LTE bands. Phase two will begin to explore the mmWave bands.

Modulation methods - Similar to LTE/4G, however it adds support for BPSK and 256-QAM as well.

BPSK - 1 bit per symbol
256-QAM - 8 bits per symbol

The ultimate goal of 5G is a maximum downlink speed of 20 Gbps and uplink speed of 10 Gbps, with 100Mbps downlink and 50Mbps uplink at the cell edges.

Cellular - Service Provider Network - The general use case, where the service provider's network is used. Some areas tend to have better cellular coverage than others.

Cellular - Private Network - Private LTE/5G cells can latch on to a service provider network for backhaul, or you can connect them to your own network. Private LTE uses unlicensed frequency bands (1.9GHz, 2.4GHz, 3.5GHz and 5GHz). The 2.4GHz and 5GHz bands are well known for their use in Wi-Fi networks. The 1.9GHz and 3.5GHz bands are lesser known but may be used as well.

The CBRS Alliance is focused on promoting the use of LTE and 5G in the 3.5GHz Citizens Broadband Radio Service band. Band 48 is used by CBRS as defined by 3GPP.


CWSP-206 Exam Feedback

I'd like to provide some tips and tricks to help one achieve the CWNP certification. The CWSP-206 Exam was revised in November 2019 from CWSP-205 with added topics on OWE/WPA3 and SAE and removing some older security concepts around pre-RSNA technologies like WEP.

The exam in itself is not as hard as CWAP. I'd still suggest taking the CWAP exam before CWSP and CWDP. The CWAP exam provides a good foundation for the security concepts. Some concepts for 802.11 Discovery/Secure Roaming are covered in CWAP. Some design concepts around security are covered in CWDP as well.

CWSP-206 tests the areas below, with the percentage allocation shown.

Knowledge Domain | Percentage
Security Policy | 10%
Vulnerabilities, Threats, and Attacks | 30%
WLAN Security Design and Architecture | 45%
Security Lifecycle Management | 15%

If one focusses on the bulk areas of WLAN Security Design and Vulnerabilities/Threats and Attacks, one covers 75% of the exam topics, which easily clears the 70% pass mark required for the exam. Security Policy and Lifecycle Management mostly rely on your work experience, or experience dealing with security in real-world/office environments. Being up to date with how newer attacks such as social engineering are carried out, and with the extensive use of smartphones/email to hack a way into the network, can help achieve a few easy wins in this exam.

With regards to WLAN Security Design familiarise yourself with below concepts to make sure you understand them in depth.

  • 4 Way Handshake
  • 802.11 EAP types
  • Encryption types
  • 802.11r Fast BSS Transition.
  • Guest Access/Captive Portal/MDM
  • Concepts of containerisation and segmentations.
  • CVE/NVD concepts
  • WLAN attacks

If you read my previous post about Chunk of CWSP-206, I've focussed on the areas which you should be focussing on for 45% of the exam requirements and some concepts in depth which can help with the exam.

When it comes to exam resources, work experience in network security will really benefit you. Apart from that, the CWNP practice exam will be of great help. I have read the CWSP-205 and Exam PW0-204 CWSP books. Neither of these books is recent, but they still cover up to 80%+ of the topics of this exam. You can buy CWSP-206 exam guide from for more exam-specific help. There are some video courses offered by INE, but I haven't really used them to provide any feedback; they should be helpful. All the best with your certification.


A Chunk of CWSP! (Work in Progress)

The topics below are not covered in great detail but should capture the important aspects required. The content below covers 45% of the exam syllabus for CWSP-206, which means approximately 25-27 questions.

  1.  Select and implement appropriate authentication solutions

  •  WPA/WPA2-Personal (Pre-Shared Key) 

  • Introduced in 802.11-2012 after the vulnerabilities discovered for WEP.
  • WPA/WPA2 are pretty much the same except for WPA2 using better encryption.
  • WPA2 is the preferred authentication method as it uses CCMP/AES encryption mechanisms.
  • WPA/WPA2 have the presence of 4 unicast frames used in 4-way handshake.
  • Authentication occurs during the 4-way handshake process via the pre-shared key. If the key on AP and Client STA fail to match, the authentication fails.

  •  WPA/WPA2-Enterprise 

  • Three primary authentication components - Radius, IEEE 802.1X & EAP (Extensible Authentication Protocol).
  • Radius Server allows centralised authentication. Microsoft NPS, Cisco ISE are some of the forms of typical radius servers in use.
  • IEEE 802.1X standard defines port-based access control. The components are - The supplicant (Client STA), The Authentication Server (The Radius server) & Authenticator (AP STA).

  •  WPA3-SAE and 192-Bit enterprise security 

  • The intention of standardising the mesh networking of 802.11 WLANs was part of the 802.11-2012 (802.11s) standard but did not succeed for vendor competitive reasons. Also known as HWMP (Hybrid Wireless Mesh Protocol), the mesh portals and APs can dynamically determine the best path for traffic flow through the meshed WLAN. Although SAE was not implemented for mesh networks, the Wi-Fi Alliance views it as a more secure replacement for PSK authentication.
  • SAE (Simultaneous Authentication of Equals) uses the Dragonfly key exchange with a Forward Secrecy feature. It is a patent-free technology in which the client/user has to prove knowledge of the password without having to reveal the password.
  • SAE does not send the passphrase between 802.11 stations during the key exchange. The process consists of a commitment message exchange and a confirmation message exchange.
  • The security modes supported are 128-bit SAE for WPA3 Personal and 192-bit SAE for WPA3 Enterprise.
  • WPA3 mandates the use of PMF (Protected Management Frames).

  •  802.1X/EAP 

  • EAP over LAN (EAPOL) packets are used across the medium between client STA & the AP controller, Encapsulated EAP over Radius is used between AP/WLAN controller and the Radius Server.
  • EAP is L2 protocol used by 802.3 & 802.11 networks.
  • Access to the network is managed via controlled & uncontrolled port.
  • The most secure methods of authentication use 'mutual authentication'. Most EAP protocols use server-side certificate for completing the user authentication.

  •  EAP methods

Developer | IEEE RFC 5216 | Juniper (Certicom & Funk Software) | Cisco/Microsoft | Cisco | IETF RFC 4186 | Cisco
Server Side Certificate | Required | Required | Required | Uses PACs | n/a | Uses Tokens
Client Side Certificate | Required | No | No | No | No | No
Wi-Fi Security | Very High | High | High | High | High | High
Deployment Level | Difficult (Need of PKI) | Moderate | Easier | Easier | Mobile networks only | Moderate

  1. Select and implement appropriate encryption solutions

  •  Encryption methods and concepts (CWSP exam no longer tests on frame overhead knowledge of WEP, TKIP and CCMP).

  •  TKIP/RC4 

  • Developed by Wi-Fi alliance to combat WEP dictionary attacks.
  • TKIP uses 128-bit temporal key, plus a 48-bit TKIP sequence counter, along with transmit address (TA).
  • Michael (MIC) is the name of the integrity algorithm used with TKIP that enhances the legacy ICV mechanism. MIC is meant to improve integrity protection while remaining backwards compatible.
  • TKIP is a deprecated encryption method and, apart from security concerns, it can slow down the network to 54Mbps.

  •  CCMP/AES 

  • CCMP is based on CCM of the AES encryption algorithm.
  • WPA2 requires the use of CCMP/AES encryption, older legacy devices will not support this and have to be upgraded.
  • CCMP starts with 128 bit temporal key which can either be PTK or GTK used to encrypt the broadcast/multicast traffic.
  • The 48-bit packet number is much like TKIP sequence number.

  •  SAE and 192-bit security 

  • SAE is a variant of the Dragonfly Key Exchange defined in RFC 7664, based on the Diffie-Hellman key exchange.
  • WPA3 capabilities include WPA3 Personal & WPA3 Enterprise.
  • WPA3 Personal leverages SAE, a secure key establishment protocol between devices, to provide stronger protections for users against password guessing attempts by third parties.
  • WPA3 Enterprise offers 192-bit cryptographic strength, providing additional protections for network transmitting sensitive data.

  •  OWE (Opportunistic Wireless Encryption)

  • Improved security feature for open wireless network, OWE provides a way for devices to connect to open Wi-Fi networks with an encryption session.
  • Currently only Cisco & Aruba solutions support OWE on their latest firmware.
  • OWE performs an unauthenticated Diffie-Hellman exchange at association time. It may not be fully secure, but it is still better than a shared/public hotspot/PSK in a public place like a coffee shop.

  1.  Select and implement wireless monitoring solutions

  • Wireless Intrusion Prevention System (WIPS) - overlay and integrated 
  • Rogue Detection, Classification, Mitigation/Containment.

  •  Laptop-based monitoring with protocol and spectrum analysers (Covered in CWAP blogs)

  1. Understand and explain 802.11 Authentication and Key Management (AKM) components and processes

  • Basic Terminology
    • RSN - Robust Security Network. RSN can be identified by the identification of RSN-IE element in the Beacon frames.
    • RSNA - Robust Security Network Association - used by a pair of STA which use 4-way handshake for auth/association.
    • Pre-RSNA - WEP, pre 802.11i
    • TSN - Transition Security Network - Transitioning network allows configuration of pre-RSNA+RSNA in the same environment.
    •  MSK - Master Session Key - 64 Octets in length, used between EAP client and authentication server.
    • PMK - Pairwise Master Key - The highest-order key, derived from a key generated by an EAP method or obtained from the PSK.
    • PTK - Pairwise Transient Key = PMK + AA (authenticator address) + SPA (supplicant address) + ANonce + SNonce using a pseudo-random function (PRF). The PTK is split up into as many as 5 keys - Temporal encryption key, two temporal message integrity code (MIC) keys, EAPOL-key encryption key and EAPOL-key confirmation key.
    • GMK - Group Master Key - Auxiliary key used to derive the GTK.
    • GTK - Random value, assigned by the broadcast/multicast source, which is used to protect MPDUs from the source.

• Encryption keys and key hierarchies 

  • Key Hierarchies
    • The 802.11-2012 standard specifies the RSN key hierarchy for authentication and dynamic encryption keys. This is often referred to as AKM (authentication and key management). The process works from the top down, starting with either a passphrase, PSK or MSK.
    • [Figure 5-4: 802.11 AKM Key Hierarchy. Master keys: the Master Session Key (MSK) is derived from 802.1X/EAP authentication or is the equivalent of the passphrase; the Pairwise Master Key (PMK) is the highest order 802.11 key, derived from MSK (802.1X) or PSK; the authenticator uses a separate derivation process to produce the Group Master Key. Temporal keys: the Pairwise Transient Key (PTK) is derived from the PMK and composed of encryption keys (Key Encryption Key (KEK), Key Confirmation Key (KCK), Temporal Encryption Key (TEK), temporal MIC keys); Group Temporal Key (GTK): encryption and MIC keys.]
    • The PSK is 256 bits in length, or 64 characters when expressed in hex. The static key is configured on the AP/WLAN controller. Remembering and entering a 64-bit PSK can be tedious at times. The way around it is to configure a short ASCII password or passphrase, which is an 8 to 63 character string entered into the client software utility (laptop/mobile device) and the AP. The passphrase must match at both ends.
    • The whole point of the passphrase-PSK mapping formula is to simplify the configuration for the average end-user. Most people can remember an 8-character password as opposed to a 256-bit PSK.

  • Encryption Terminologies
    • Encryption Algorithm  - Mathematical procedures used to obscure information so it appears meaningless. AES, RC4, RC5, RC6 are some of the examples.
    • Hash Function/Algorithm - Procedure which takes an arbitrary block of data and returns a fixed size bit string.
    • Cipher Suite - Named combination of authentication, encryption and message authentication code used to negotiate security settings for a network connection.
    • Stream cipher - Symmetric key cipher where plaintext bits are combined with a keystream, typically by an XOR operation.
      • 802.11 WLANs use the RC4 stream cipher with WEP/TKIP.
    • Block cipher - Symmetric key cipher operating on fixed-length groups of bits called blocks.
      • A block cipher specifies the size of the block to be encrypted; CCMP/AES uses a 128-bit block.
    • Symmetric Key Encryption - Class of algorithms for cryptography that use trivially related, often identical cryptographic keys for decryption and encryption.
      • Static/Dynamic key implementations
      • The actual encryption keys are never transmitted over the Wi-Fi medium. Instead anonce/snonce and other required information is transmitted and then each participating device generates the keys. This adds additional layer of security.
    • Asymmetric Encryption - Class of algorithms using separate key pairs for encryption and decryption.
      • Also known as public key cryptography
      • The public key is distributed whereas the private key is kept by one entity alone.

  • 4-way handshake
    • Final process used to generate PTK for encryption of unicast transmissions and a GTK for broadcast/multicast transmissions.
    • Uses 4 EAPOL-key frame messages between authenticator and the supplicant for 6 major purposes.
      • Confirm the existence of PMK at the peer station.
      • Ensure that the PMK is current
      • Derive new PTK from PMK
      • Install PTK on the supplicant and the authenticator
      • Transfer the GTK from the authenticator to the supplicant and install GTK on the supplicant and authenticator if necessary.
      • Confirm the selection of the cipher suites.
    • AP = Authenticator, Client = Supplicant
    • M1 - AP >> sends EAPOL-Key frame containing "Anonce" for PTK. Client STA will use this to generate "Snonce" and derive PTK.
    • M2 - Client >> sends EAPOL-Key frame containing "Snonce + RSNE + MIC". The supplicant derives a PTK. The MIC will be set to bit 1 and will be confirmed by the AP. The RSN element will be visible in this message.
    • M3 - The AP >> sends the EAPOL-Key frame and derives the PTK. The MIC is verified and GTK is sent in M3.
    • M4 - The client >> sends the last EAPOL-Key frame to the AP. It notifies the AP if the temporal keys will be installed and the secure bit will be sent.

  • Group Key Handshake
    • 2 frame handshake used to distribute new GTK to client stations that have already obtained a PTK and GTK in a previous 4-Way Handshake exchange.
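
The passphrase-PSK mapping, the PTK derivation and the MIC check on M2 described above, as one added Python example (not code from the original post). The addresses, nonces, RSNE bytes and helper names are constructed for illustration, and it assumes WPA2-Personal with CCMP, where the PSK is used as the PMK.

```python
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields before the MIC
# Constructed RSN element: CCMP group/pairwise cipher, PSK AKM, no capabilities set
RSNE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """802.11 PRF: HMAC-SHA1 over label || 0x00 || data || counter, blocks concatenated."""
    out = b""
    for counter in range((n_bytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:n_bytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK for CCMP (384 bits) from the PMK, both addresses and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """HMAC-SHA1-128 over the whole EAPOL frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_m2(kck: bytes, snonce: bytes, replay_counter: int) -> bytes:
    """Supplicant side: EAPOL-Key message 2 carrying SNonce + RSNE + MIC."""
    # Descriptor type 2, key info 0x010A (pairwise key, Key MIC bit set, version 2)
    body = struct.pack("!BHHQ", 2, 0x010A, 0, replay_counter)
    body += snonce + bytes(16 + 8 + 8) + bytes(16)  # IV, RSC, reserved, empty MIC
    body += struct.pack("!H", len(RSNE)) + RSNE
    frame = struct.pack("!BBH", 1, 3, len(body)) + body
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def authenticator_verify_m2(frame, pmk, aa, spa, anonce) -> bool:
    """AP side: read SNonce from M2, derive the same PTK, check the MIC with the KCK."""
    snonce = frame[17:49]
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)["kck"]
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def demo() -> tuple:
    """Constructed addresses and nonces; real nonces are random per handshake."""
    ssid = "IEEE"
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    client_ptk = derive_ptk(passphrase_to_psk("password", ssid), aa, spa, anonce, snonce)
    m2 = build_m2(client_ptk["kck"], snonce, replay_counter=1)
    same_key = authenticator_verify_m2(m2, passphrase_to_psk("password", ssid), aa, spa, anonce)
    other_key = authenticator_verify_m2(m2, passphrase_to_psk("passw0rd", ssid), aa, spa, anonce)
    return same_key, other_key


if __name__ == "__main__":
    print(demo())  # the AP accepts M2 only when both sides hold the same PSK
```

Neither the passphrase nor any derived key appears in the frame; only the nonces and the MIC cross the air, which is why a mismatched key on the AP shows up as a MIC failure on M2.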

3.2 Implement or recommend appropriate wired security configurations to support the WLAN

3.2.1 Physical port security in Ethernet switches 

3.2.2 Network segmentation, VLANs, and layered security solutions 

3.2.3 Tunnelling protocols and connections 

3.2.4 Access Control Lists (ACLs) 

3.2.5 Firewalls 

  1.  Implement authentication and security services 

3.3.1 Role-Based Access Control (RBAC) 

3.3.2 Certificate Authorities (CAs) 

3.3.3 AAA Servers 

3.3.4 Client onboarding 

3.3.5 Network Access Control (NAC) 

3.3.6 BYOD and MDM 

3.4 Implement secure transitioning (roaming) solutions

3.4.1 802.11r Fast BSS Transition (FT) 

3.4.2 Opportunistic Key Caching (OKC) 

3.4.3 Pre-Shared Key (PSK) - standard and per-user 

3.5 Secure public access and/or open networks

3.5.1 Guest access 

3.5.2 Peer-to-peer connectivity 

3.5.3 Captive portals 

3.5.4 Hotspot 2.0/Passpoint 

3.6 Implement preventative measures required for common vulnerabilities associated with wireless infrastructure devices and avoid weak security solutions

3.6.1 Weak/default passwords 

3.6.2 Misconfiguration 

3.6.3 Firmware/software updates 

3.6.4 HTTP-based administration interface access 

3.6.5 Telnet-based administration interface access 

3.6.6 Older SNMP protocols such as SNMPv1 and SNMPv2 


Remote Frame Captures & Application Issues on Wi-Fi

After the deployment of new Extreme Aerohive Wireless solution at an Enterprise office, a number of user complaints were received for applications resetting and disconnecting while working on Wi-Fi. The users did not have this problem while working from other offices or their home.

Some of the applications like Teradata SQL Assistant & other applications which used SQL backend reset itself while executing queries. From the Wi-Fi standpoint, the client had no issues with the Signal/Noise/RSSI which was received.

Teradata SQL and other SQL applications use TCP port 125. Once engaged, the TAC team requested remote pcaps (frame captures) from the wired/wireless interfaces of the Extreme Access Points. Below are the steps required to run the remote captures.

  1. Enable remote capture on the Extreme Aerohive AP 650/510C with the CLI command: exec capture remote-sniffer
  2. Log on to the machine with Wireshark installed and configure the remote interfaces. Enter the management IP of the Access Point (Host) and leave the port field blank.
  3. Install Wireshark on a remote machine and apply packet slicing, as the pcap/frame capture will be huge. Make sure the capturing system has enough disk space for doing so.
  4. Choose all the interfaces/required interfaces and start the capture.

After analysing the pcap it was found that there were some TCP retransmissions being caused on TCP port 1025 but the root cause/reason was not yet determined.

After a few days of captures and analysing the frames, it was discovered that the issues were primarily caused due to DoS prevention rule in place for the SSID as an optional setting. We had to disable this feature and the issue just vanished. The below option caused TCP to reset if the client IP session was idle.

Though it took a while to get to this, it was interesting to learn how to perform remote frame captures, which remain helpful for understanding and analysing what is going on at the wireless end.

As in most cases, this was not a radio/wireless issue all together but still resolved from the vendor side after disabling the feature.


CWDP Exam!, A pinch of common sense and a lot of experience!


CWDP is one of the professional level exams along with CWAP and CWSP to qualify towards CWNP qualification. It focusses on Wi-Fi Planning, Defining Requirements, Designing, WLAN validation (also known as Site Survey) and some troubleshooting.

Personal Experience

I'd like to share my experience with the recently certified CWDP-303 exam. The exam by itself is not difficult when compared to CWAP. If you have been doing wireless design/audit and troubleshooting for a while CWDP should test you on the experience. A lot of questions in the CWDP exam test your knowledge on the wireless design and deployment as a project on the whole. I've been exposed to wireless design and WLAN audit and validation for around 3 years. This has certainly boosted my knowledge and confidence required to clear this exam. The exam is very enjoyable and some questions tend to cheer you as they test common sense that is required in carrying out WLAN audit and design.

Tips for Preparation.

The key is to focus on and prioritise the Exam Objectives as detailed on the CWNP website. If you have been performing site surveys, a lot of this exam will make sense, and many of the objectives, such as metrics like SNR, signal strength, CCI and data rates, will come easier to you during your preparation. "Design the WLAN" covers 45% of the exam syllabus, roughly 27 questions out of 60, so you should focus the bulk of your preparation on this area along with "Define Specifications for the WLAN", which covers 25%~15 questions. Covering both of these topics should put one in a good position to pass this exam. Some helpful resources for the exam.
