The Dangers of the “Guest” SSID

I have set up WiFi at schools, conferences and snooty shindigs where the goal was to make sure everyone had access to open, relatively fast, and secure Guest networks. And no, I did not use a Captive Portal. Firewall and VLANs yes, Captive Portal, no. The goal was to get the users on and out to the InterWebs.

One other thing I never, ever do is create an open Guest SSID that is actually named Guest. I always change the name in some way: Guest-Open, guest-open, Here-a-guest, there-a-guest… Why do I not use the SSIDs Guest, guest, or GUEST, or any variation of that word? (By the way, SSIDs are case sensitive, which is why I spelled the ‘same’ word different ways.) I do not use that word because our devices usually remember SSIDs that we have successfully connected to at some point and rejoin them automatically. “What’s the big deal? That makes it simple when I come back.” And yes, it does make it simple. Simple for you, simple for your host, and also simple for the guy with a hotspot or a rogue AP named “guest.” An open network has no key and gives the client no way to authenticate the access point, so a device that remembers “guest” will happily join any AP that beacons that name, and everything it then sends in the clear is in the attacker’s hands. The last thing you want is for Gropnorb to steal your identification and buy a ticket to Elbonia on your dime.

The best practice is to always have your device “forget” any open network you use, even if the open network has some crazy SSID. You never know who is sitting beside you in the coffee shop.
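Here is an added example of the check this section is asking for, written for this page and not taken from the post. It reads NetworkManager keyfiles (the INI-style files Linux keeps under /etc/NetworkManager/system-connections/) and reports every saved Wi-Fi profile that has no [wifi-security] section, meaning an open network, and that is still set to auto-join. The sample keyfiles in SAMPLE_KEYFILES are constructed for the example; the nmcli delete command it prints is what “forget this network” comes down to on that platform.

```python
"""Audit saved Wi-Fi profiles for open networks the device would auto-join.

Added example for this page (not the author's code). An open profile that is
still set to autoconnect is exactly what a rogue AP named "guest" collects.
The SAMPLE_KEYFILES below are constructed, not copied from a real device.
"""
import configparser
import glob
import os
from dataclasses import dataclass
from textwrap import dedent
from typing import Iterable, List, Optional


@dataclass
class WifiProfile:
    name: str
    ssid: str
    key_mgmt: str      # "" when the profile has no [wifi-security] section
    autoconnect: bool


def parse_keyfile(text: str) -> Optional[WifiProfile]:
    """Parse one NetworkManager keyfile; return None for non-Wi-Fi connections."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
        return None
    return WifiProfile(
        name=cp.get("connection", "id", fallback=""),
        ssid=cp.get("wifi", "ssid", fallback=""),
        # No [wifi-security] section means an open network. "owe" (Enhanced Open)
        # encrypts the air but still lets any AP claim the SSID, so flag it too.
        key_mgmt=cp.get("wifi-security", "key-mgmt", fallback=""),
        # NetworkManager treats a missing autoconnect key as true.
        autoconnect=cp.getboolean("connection", "autoconnect", fallback=True),
    )


def is_unauthenticated(profile: WifiProfile) -> bool:
    """True when nothing ties the SSID to one particular network: open or OWE."""
    return profile.key_mgmt in ("", "owe")


def audit(keyfile_texts: Iterable[str]) -> List[str]:
    """Names of saved profiles that are open (or OWE) and would auto-join."""
    profiles = [p for p in map(parse_keyfile, keyfile_texts) if p is not None]
    return sorted(p.name for p in profiles if is_unauthenticated(p) and p.autoconnect)


def forget_command(name: str) -> List[str]:
    """The nmcli invocation that deletes ("forgets") a saved profile."""
    return ["nmcli", "connection", "delete", name]


def load_system_keyfiles(directory: str = "/etc/NetworkManager/system-connections") -> List[str]:
    """Read the real keyfiles (needs root); returns [] if nothing is readable."""
    texts = []
    for path in glob.glob(os.path.join(directory, "*.nmconnection")):
        try:
            with open(path, encoding="utf-8") as fh:
                texts.append(fh.read())
        except OSError:
            pass
    return texts


# Constructed sample profiles covering the cases that matter.
SAMPLE_KEYFILES = {
    # Open and autoconnect left at its default: the case the post warns about.
    "guest.nmconnection": dedent("""\
        [connection]
        id=guest
        type=wifi

        [wifi]
        ssid=guest
        """),
    # Open, but the user already turned autoconnect off.
    "coffee.nmconnection": dedent("""\
        [connection]
        id=CoffeeShop-Free
        type=wifi
        autoconnect=false

        [wifi]
        ssid=CoffeeShop-Free
        """),
    # Enhanced Open: encrypted, yet any AP can still pose as it.
    "airport.nmconnection": dedent("""\
        [connection]
        id=Airport-OWE
        type=wifi

        [wifi]
        ssid=Airport-OWE

        [wifi-security]
        key-mgmt=owe
        """),
    # 802.1X: the client authenticates the network, so it is not flagged.
    "school-staff.nmconnection": dedent("""\
        [connection]
        id=School-Staff
        type=wifi

        [wifi]
        ssid=School-Staff

        [wifi-security]
        key-mgmt=wpa-eap
        """),
    # Wired profile, ignored by the audit.
    "office-lan.nmconnection": dedent("""\
        [connection]
        id=Office-LAN
        type=ethernet
        """),
}


if __name__ == "__main__":
    texts = load_system_keyfiles() or list(SAMPLE_KEYFILES.values())
    for name in audit(texts):
        print(f"open network still set to auto-join: {name!r}  ->  {' '.join(forget_command(name))}")
```

Run it as root to audit the real profiles; without root it falls back to the constructed samples and reports “guest” and “Airport-OWE”. Turning off autoconnect is the halfway measure; deleting the profile is the “forget” the section recommends.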

How Did That Happen?

I had a customer call and say the PoE board on a switch was down and that 7 APs were impacted. So I make the 2-hour drive to the customer’s site. These are good friends of mine so I don’t mind at all.

Upon arrival I ask the usual questions…

Reboot the switch?
Area impacted by the outage?

No weather issues. Yes, they rebooted the switch. Half the APs in the area are flashing?

Half are flashing? First thought is the PoE is fine. Why are half the APs acting up?

So we go to the IDF and look at the switch. At first glance the activity lights look great. All AP cables look normal. Time to grab the serial adapter and check the switch.

Time to check PoE, just in case. sh inlinepower showed that it was delivering PoE just fine. I execute sh conf vlan. At first glance it looks ok; I was mostly looking to make sure the switch had a config. I then execute sh conf port ge5.12-33. Whoa! Half the ports have a different PVID. They run the APs on the MGMT VLAN. I get that fixed and then look closer at the VLAN config. The ports for two downstream switches weren’t tagged for the MGMT VLAN. I fix those as well.

Everything comes back up and teachers say they are now working. I make sure to save config, twice. I’m kind of untrusting that way. I capture a copy of the config.

No idea why the config did that. It’s like it reverted to a previous version, but that can’t be, since the set port vlan command does them all at once, provided that you define all the ports.


Chromebook NICs

I had a school call and say they had an HP Windows laptop sitting next to an HP Chromebook. The Chromebook was working fine at another school and all WLAN settings were exactly alike. Yet, when they moved the Chromebooks to another school they could only get 1 Mbps compared to the Windows laptop cranking 125 Mbps.

A quick check of the wall revealed a major dB loss. Also, some research showed the Chromebook only has a 5 GHz NIC. The Windows laptop also had a 2.4 GHz NIC. Adding an AP in the room resolved all issues.

Real-world proof that a 5 GHz signal attenuates quickly and cannot penetrate walls as well as 2.4 GHz.
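To put numbers on that, here is an added worked example (not the author’s figures). Free-space path loss in dB for a distance d in metres and a carrier f in MHz is FSPL = 20·log10(d) + 20·log10(f) − 27.55, so moving from channel 6 (2437 MHz) to channel 36 (5180 MHz) costs a fixed ~6.5 dB before any wall is involved, and the same received level is reached at less than half the distance. The per-wall losses, 20 dBm EIRP and the −67 dBm design target used below are illustrative assumptions, not measurements from the post.

```python
"""Why 5 GHz runs out of room before 2.4 GHz: free-space loss plus a simple link budget.

Added example for this page, not the author's calculation. Wall attenuation
values and radio parameters are illustrative assumptions, not measured data.
"""
import math
from typing import Dict, Sequence, Tuple

CH6_MHZ = 2437     # 2.4 GHz, channel 6
CH36_MHZ = 5180    # 5 GHz, channel 36

# Illustrative per-wall attenuation in dB as (2.4 GHz, 5 GHz). Assumed, not measured:
# the only point they carry is that a wall costs more at the higher frequency.
DRYWALL = (3.0, 5.0)
BRICK = (8.0, 14.0)


def fspl_db(freq_mhz: float, distance_m: float) -> float:
    """Free-space path loss (Friis) in dB: 20log10(d_m) + 20log10(f_MHz) - 27.55."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def band_penalty_db(f_high_mhz: float, f_low_mhz: float) -> float:
    """Extra free-space loss of the higher band; the distance terms cancel."""
    return 20 * math.log10(f_high_mhz / f_low_mhz)


def equal_power_range_ratio(f_high_mhz: float, f_low_mhz: float) -> float:
    """Fraction of the low-band distance at which the high band shows the same RSSI."""
    return f_low_mhz / f_high_mhz


def rx_power_dbm(tx_eirp_dbm: float, freq_mhz: float, distance_m: float,
                 wall_losses_db: Sequence[float]) -> float:
    """Received level: EIRP minus free-space loss minus every wall in the path."""
    return tx_eirp_dbm - fspl_db(freq_mhz, distance_m) - sum(wall_losses_db)


def band_comparison(distance_m: float, walls: Sequence[Tuple[float, float]],
                    tx_eirp_dbm: float = 20.0, target_dbm: float = -67.0) -> Dict[str, Dict[str, float]]:
    """RSSI and margin against a design target for both bands over the same path.

    -67 dBm is a common design target for good throughput; 20 dBm EIRP is an
    assumed AP transmit level. `walls` lists (loss_2g4, loss_5g) per wall.
    """
    rx24 = rx_power_dbm(tx_eirp_dbm, CH6_MHZ, distance_m, [w[0] for w in walls])
    rx5 = rx_power_dbm(tx_eirp_dbm, CH36_MHZ, distance_m, [w[1] for w in walls])
    return {
        "2.4GHz": {"rssi_dbm": round(rx24, 1), "margin_db": round(rx24 - target_dbm, 1)},
        "5GHz": {"rssi_dbm": round(rx5, 1), "margin_db": round(rx5 - target_dbm, 1)},
    }


if __name__ == "__main__":
    print(f"5 GHz free-space penalty: {band_penalty_db(CH36_MHZ, CH6_MHZ):.2f} dB")
    print(f"same RSSI reached at {equal_power_range_ratio(CH36_MHZ, CH6_MHZ):.0%} of the 2.4 GHz distance")
    # Constructed scenario: AP 20 m away, one drywall partition and one brick wall in between.
    for band, result in band_comparison(20.0, [DRYWALL, BRICK]).items():
        print(f"{band}: RSSI {result['rssi_dbm']} dBm, margin {result['margin_db']} dB")
```

In the constructed 20 m, two-wall scenario the 2.4 GHz radio lands around −57 dBm with margin to spare while the 5 GHz radio sits near −72 dBm, below the target. That is the same outcome as the Chromebook versus Windows laptop above: a dual-band client falls back to 2.4 GHz and keeps working, a 5 GHz-only client does not.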

Aerohive Commands

The 5 commands to move an AP to a new HM (HiveManager)

You must SSH to the AP, then …

capwap client server name <server-name>   (where XXX is the server number)

capwap client vhm-name Name_Of_VHM

save config

no capwap client enable

capwap client enable


MAC Filter in Aerohive

If you want to filter MAC addresses of clients that should not be on your network, build a MAC filter and attach it to the SSID. Keep in mind what this buys you: a client MAC address is trivially changed, so a MAC filter keeps a known misbehaving device off the SSID; it does not authenticate anyone.

Create the filter:
Click Configuration
Click Advanced Configuration
Click Security Policies
Click MAC Filters
Click New
Enter a Name
Enter a Description
Click the +
Enter a MAC Object Name
Enter the MAC Address in MAC Entry
Enter a Description
Click Save
Highlight the new entry
Click Deny, then click Apply
Click Save

Add another entry to an existing filter:
Click MAC list
Click Add
Click the +
Enter a MAC Object Name
Enter the MAC Address in MAC Entry
Enter a Description
Click Save
Highlight the new entry
Click Deny, then click Apply
Click Save

Apply the new filter to an SSID:
Click Configuration
Click Network Policy
Click SSID
Click DoS Prevention and Filters
Highlight the filter under Available MAC Filters
Move it to the right
Leave Default Action at Permit (everything not explicitly denied is still allowed on)

Forcing an Extreme AP to the right controller

SSH to the AP and point it at the controller’s IP:
cset authip 1 x.x.x.x
csave

Wait for csave to confirm that the config was written before you reboot the AP.