Sunday, July 29, 2018

Cisco + Apple Partnership - Phase 2: iOS Wi-Fi Analytics

Cisco introduced "Phase 2" of its partnership with Apple starting with release 8.5 of wireless controller code. Phase 2 brings a feature called Wi-Fi Analytics. This feature allows certain iOS devices to communicate useful information to the controller during association and disassociation.

According to Cisco and Apple, Wi-Fi Analytics requires iOS 11, and this functionality is limited to certain devices. According to this Cisco document, Wi-Fi Analytics only works on iPhone 7 or higher and iPad Pro and higher.

So how does an iOS device know it is connected to a Cisco wireless network running 8.5 code? Similar to what was seen with Fastlane and Adaptive 11r, beacons and probe responses from Cisco APs include a vendor-specific Apple information element. The difference is that this IE will appear even if Fastlane and Adaptive 11r are not enabled.

One feature of Phase 2 is beacon reports. Beacon reports are defined in 802.11k, and they allow a client to report to the infrastructure how it sees the wireless environment. This is an important metric; it's easy to learn how an AP hears a client, but that is just half the picture. Knowing how clients hear the AP's signal can be a valuable troubleshooting tool, and it allows the controller to optimize 802.11k neighbor reports for future clients.

The neighbor reports appear in the Cisco controller dashboard under client details. Below is a report from an iPad for the one AP that it heard broadcasting the SSID it was connected to.

Figure: Client Scan Report

This information is sent via an unsolicited 802.11k beacon report; the Wireshark capture is shown below.

Figure: 802.11k Beacon Report

The Received Channel Power Indicator (RCPI) is defined as a number between 0 and 255, and is used to indicate a receive power in dBm between -120 and 0. The conversion formula is supposed to be RCPI / 2 - 120 = dBm, but that does not appear to give a feasible value in this case, as 0xbe would equal -25 dBm. There may be some proprietary characteristics in play. Another indication of this is the Operating Class value of 241, which appears invalid.

Running a 'debug 11k all' on the controller while the neighbor report is sent generates the following output.

Received a 11k Action frame with code 1 from mobile station E4:E0:A6:xx:xx:xx
payloadLen = 31, subIe ID 39 len 29
Measurement report:
Token ID: 96, Mode late: 0, Mode incapable: 0, Mode refused: 0, Type: 5
Found 802.11k beacon report element ID
Regulatory class: 241, Channel number: 165, Measure duration: 46012, Condensed Phy Type: 0, Reported Frame Phy Type: 0, RCPI: 190, RSNI: 27, BSSID: 58ac.78xx.xxxx, Antenn
payloadLen before sub= 31
payloadLen after sub = 0
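
The 31-byte payload in the debug output above can be decoded by hand. The following is an added example, not code from the original post or from Cisco: a bounds-checked parser for a Measurement Report element carrying a beacon report, using the standard 802.11 field order. The sample bytes are constructed from the values in the debug output; the masked BSSID octets, the timestamps and the antenna ID are zero-filled placeholders, and RCPI is left as the raw value.

```python
import struct

MEASUREMENT_REPORT_EID = 39   # "subIe ID 39" in the debug output
BEACON_REPORT_TYPE = 5        # "Type: 5" in the debug output
# op class, channel, start time (u64), duration (u16), frame info, RCPI, RSNI,
# BSSID (6 bytes), antenna ID, parent TSF (u32): 26 bytes, little-endian
BEACON_FIXED = struct.Struct("<BBQHBBB6sBI")

def parse_measurement_report(payload: bytes) -> dict:
    """Decode one Measurement Report element carrying a beacon report."""
    if len(payload) < 2:
        raise ValueError("truncated element header")
    eid, length = payload[0], payload[1]
    body = payload[2:2 + length]
    if eid != MEASUREMENT_REPORT_EID:
        raise ValueError(f"unexpected element ID {eid}")
    if len(body) != length or length < 3:
        raise ValueError("element length does not fit the payload")
    token, mode, mtype = body[0], body[1], body[2]
    report = {
        "token": token,
        "late": bool(mode & 0x01),
        "incapable": bool(mode & 0x02),
        "refused": bool(mode & 0x04),
        "type": mtype,
    }
    if mtype != BEACON_REPORT_TYPE or mode & 0x07:
        return report          # no beacon report body to decode
    if len(body) - 3 < BEACON_FIXED.size:
        raise ValueError("beacon report shorter than its fixed fields")
    (op_class, channel, start, duration, frame_info, rcpi, rsni,
     bssid, antenna, parent_tsf) = BEACON_FIXED.unpack_from(body, 3)
    report.update(
        operating_class=op_class, channel=channel, start_time=start,
        duration=duration, condensed_phy=frame_info & 0x7F,
        frame_type=frame_info >> 7, rcpi=rcpi, rsni=rsni,
        bssid=bssid.hex(":"), antenna_id=antenna, parent_tsf=parent_tsf,
        remaining=len(payload) - 2 - length,  # "payloadLen after sub"
    )
    return report

# Constructed sample: values from the debug output; masked BSSID octets,
# timestamps and antenna ID are zero-filled placeholders.
SAMPLE = bytes([39, 29, 96, 0x00, 5]) + BEACON_FIXED.pack(
    241, 165, 0, 46012, 0, 190, 27, bytes.fromhex("58ac78000000"), 0, 0)

if __name__ == "__main__":
    print(parse_measurement_report(SAMPLE))
```

The fixed beacon report fields total 26 bytes, which with the token, mode and type bytes gives the element length of 29 and the payloadLen of 31 reported by the controller.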

That's all for this blog. In the future I hope to cover some of the other features included in Phase 2.