Thursday, December 10, 2009

Meraki and Aerohive - Meraki bad whitepaper

I had an assignment to design a wireless network for a mid-sized hotel.
The specification was for Cisco, but IMHO Cisco controllers are bloatware for this kind of situation:
  • Small amount of in-house IT at client site +
  • Big cost of Cisco controllers (+ possible ongoing configuration and maintenance needs)
  • = bad choice
I have been out of the 802.11 game for a year or two doing other things, so I thought I'd read up. Hotels are an interesting application - especially a business hotel - you have the potential for very high, spiky usage at conferences. Security might be deemed unimportant; however, to conserve precious bandwidth you need to restrict access. Plus there are the interesting questions of what is the easiest way to distribute and manage logins, and if you can protect guests from each other that might not be a bad idea. So some kind of built-in, easy RADIUS server would be good.

I looked into Meraki and Aerohive.
The "fat AP" is out, right? Thin is in... Oops - not anymore. These APs look like they do a fair amount of processing, but are in some way "collaborative" and "self-managing" (WRT sharing the airspace and routing traffic, at least). So I would call them "fat and sassy" APs - but the preferred term among vendors seems to be "smart".

I am still reading up and playing with Aerohive's nice online demo tool. Meraki looks like they have really geared their product to exploit Cisco's pricing in this area - in terms of ease of manageability and price - they even have a Meraki vs. Cisco calculator, which admittedly uses list prices for Cisco gear that you will never pay.

Even so, their "cloud controller" option makes sense for hotels and other public access networks.

HOWEVER. Reading Meraki's product literature (a network security whitepaper), I was bothered by evil half-factoids, which made me wonder if they are sloppy or sleazy in other ways.

Quoth Meraki:

"WPA2-Enterprise, also known as 802.1x,"

WPA2-Enterprise is not known as 802.1x. Maybe you mean 802.11i?

"is considered by many to be the “gold standard” of wireless security. In this architecture, each client (known as a supplicant) uses a unique username and password to authenticate on the wireless network."

Um, WPA2-Enterprise, using 802.1x/EAP, can do a number of different types of authentication, including certificates.

"The client’s username and password are checked against any Active Directory or LDAP server that supports the RADIUS protocol (and most do)."

You really don't need to mention Active Directory here, because that has nothing to do with it. Also, RADIUS is not really necessary, though it is almost always used. I would reword this as:

"The most common form of WPA2-Enterprise uses 802.1x authentication to allow the access point to check user and password information for each client against an authentication server. This authentication server is almost always a RADIUS server."

"Meraki supplies an integrated RADIUS server that companies can use instead of a stand-alone server if they wish. The primary advantages of WPA2-Enterprise are that it is highly secure and scales well. IT administrators can re-use their existing authentication infrastructure, so as employees come and go they are automatically added and removed from the wireless network. There is also no need to VPN. Since 802.1x is a relatively new standard,"

Whoa! 802.1x has been around since before wireless LANs. It is not so new.

"client support is still evolving. As of 2009, support is common on most laptop and PC operating systems. However, support for PDAs, scanners, and other devices still varies. In addition, client configuration can sometimes be complex. While implementation of 802.1x has often been highly complex, Meraki has simplified the process significantly. 802.1x takes just a few clicks to deploy, and is no more difficult than implementing WPA2-PSK."

I am not sure about the preceding, because there is some legitimacy to what they are saying here. But I think it should be worded "implementation of 802.1x authentication in WPA2" to clarify.
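To make the "no more difficult than WPA2-PSK" comparison concrete from the AP's side, here is an added example (not from the post or from Meraki) of the same hostapd access point configured once with WPA2-PSK and once with WPA2-Enterprise (802.1x/EAP against a RADIUS server). The interface, SSID, RADIUS address, shared secret and passphrase are made-up placeholders; only one of the two option sections belongs in a real hostapd.conf.

```ini
# Added example, not from the post or Meraki. Placeholder values throughout.
# hostapd only treats whole lines starting with '#' as comments.

# --- common radio settings ---
interface=wlan0
driver=nl80211
ssid=HotelGuest-Example
hw_mode=g
channel=6
# WPA2 (RSN) only, AES-CCMP only, no TKIP
wpa=2
rsn_pairwise=CCMP

# --- option A: WPA2-PSK ---
# One passphrase shared by every guest. Anyone who knows it and captures
# another client's 4-way handshake can derive that client's session key,
# so guests are not really protected from each other.
wpa_key_mgmt=WPA-PSK
# placeholder passphrase (8..63 characters)
wpa_passphrase=ChangeMe-ExamplePassphrase

# --- option B: WPA2-Enterprise (802.1x / EAP) ---
# The AP just relays EAP between the supplicant and the RADIUS server and
# enforces the result. Which EAP method is accepted (PEAP/MSCHAPv2 with a
# username and password, EAP-TLS with client certificates, ...) is decided
# on the RADIUS server, not here; "username and password" is one option.
# Each client ends up with its own pairwise key after a successful EAP
# exchange, which is what keeps guests' traffic separate.
ieee8021x=1
wpa_key_mgmt=WPA-EAP
# placeholder RADIUS server (TEST-NET-1 address) and shared secret
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=ExampleSharedSecret
# placeholder identifier the AP reports to the RADIUS server
nas_identifier=hotel-ap-01.example
```

The AP-side difference really is a handful of lines; the work the whitepaper glosses over is on the RADIUS server (user database, server certificate, allowed EAP methods) and on the clients.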

Am I just being picky? or maybe my understanding of the issues is rusty?

Tuesday, December 8, 2009


I just wasted about 3 hours reading through 250 xkcd comix and classifying the ones I like into categories. No time to make links now (maybe that task is best done with vi, not Blogger). Forthwith:

Good but unclassified as of yet: OMFG - build it and they will come...
LOL funny: "however, on review of your qualifications, we've decided to sentence you to death..." Read the mouseover text last!


I resemble that remark. Things I think about / what a good idea, I can't believe I didn't think of it/do it: statistically significant other - I wish I had thought of that. - This is something I (occasionally) agonize over :) ! (or is it !:) ) (personally I like to insert a space -- ;) ) - This is me. I suffer from terminal tab sprawl - I thought about this when I read Ender's Game recently. What a book.

what is a roomba dueling harness?

;) - how I really felt at pep rallies growing up

ones I put up at work

