Behind the Scenes – Teaching “Secure Wi-Fi Design Special Edition” at WLPC Phoenix

At this year’s WLPC conference in Phoenix, I had the opportunity to host my first Deep Dive. The WLPC Deep Dives are hands-on workshops delivered in two three-hour sessions across two days, and are part of the main conference content. I mention this to differentiate the Deep Dives from multi-day training Bootcamps that are held prior to the conference.

The interesting thing about the WLPC conferences are — well there are several. First, all presentations and Deep Dives are selected by the community and attendees. Second, speakers pay to attend the conference just like all attendees. Those teaching Deep Dives or training Bootcamps do get a free conference pass and a small fee which is nice. The policies are a stark contrast to most conferences I’ve spoken at, and can come as a bit of a shock to those of us accustomed to being paid for speaking.

However, the WLPC ecosystem creates a very close community and lends to the third interesting fact which is that WLPC operates without any vendor or sponsor funding. Vendors are there, and they’re allowed to speak, but their topics follow the same process of voting and selection by the community. Vendors can also host Deep Dives, Bootcamp training, and evening receptions. What you won’t see are vendor tables or booths and portions of content or breaks with a “Sponsored by” sign. I have mixed feelings about the absence of vendors in the traditional sense, but it seems to work.

So, all of that to say, the WLPC conference is a unique animal in a sea of tech conferences. This year’s content was exceptionally impactful.

Back to the Deep Dive…

I had just created training content based on my recent book published with Wiley “Wireless Security Architecture.” The original course, “Secure Wi-Fi Design”, was six hours of content created for remote delivery, and debuted in late 2022 with IANS Research (where I serve as faculty). The class focuses on planning and design for secure Wi-Fi, walking students through a series of instructional materials and worksheets that takes them step-by-step through the process. This original course simulates a consulting engagement. In the book and class I share my own worksheets and processes that I’ve used successfully with hundreds of clients.

But remember — WLPC is different.

Keith Parsons and the WLPC team strongly recommended a hands-on component to the Deep Dives, so I had to go back to the drawing board and come up with labs that would fit the event.

Ultimately, I partnered with Juniper Networks to create a vendor-neutral hands-on experience using their Mist AI platform and cloud-managed APs. While I reused a volume of my original instructional material, the hands-on activities had to be created from scratch. The beautiful thing about using Juniper’s Mist AI platform is that the UI is extremely intuitive which meant we could get students with zero product experience up and running in minutes. It was important to me that the labs be applicable to all students and to all environments, and not rely on Juniper-specific features. It was a delicate balancing act, but I think (hope) I pulled it off. In fact, there were about five engineers from other manufacturers in the class. My secret goal for myself was to ensure these five people felt they had an equally amazing experience.

The “Secure Wi-Fi Design” class for WLPC Phoenix taught the same foundational security elements as my original course, but instead of planning worksheets, the hands-on labs allowed students to execute a secure migration from WPA2 to WPA3 on both Personal/passphrase and Enterprise/802.1X networks.

This turned out to be a perfect and timely mix. Almost all organizations are running on legacy WPA2 security and the lab helped Wi-Fi and network professionals experience a best practices migration first-hand, while navigating the myriad challenges they’d hit in the real world.

A labor of love.

Do y’all have any idea how long it takes to not only build labs and lab environments, but to also create a 53-page lab guide with about the same number of screenshots? Holy moly. That’s a lot of work. Oh, and then let’s not forget I had to re-do the the entire guide because of a major UI update. Yep. I had to recreate the entire lab in a development environment so the screenshots and instructions would match the UI update to be released right before WLPC. All joking aside, I’m eternally grateful to Wes Purvis and the support from Juniper during the process.

I always say about my book — you don’t make the big bucks writing technical books. Let’s keep it real — Wireless Security Architecture isn’t going to be on the New Your Times Best Sellers list. It’s the same with this type of training. It’s something I’m passionate about, and creating and delivering this content is a labor of love.

Be sure to ask me about the missing APs also.

Major take-aways from our WPA3 migration lab.

After our two half-days together, I accompanied James Garringer (Sr. Consulting Engineer currently at Apple) onstage in the main room for us to share some of the findings. We learned a lot during the labs. Prior to WLPC, I had asked the students to bring whatever random IoT and smart home devices they could comfortably pack for testing. James hauled a pile of Apple devices in, I think some of which dated back to Mediaeval times. Our friend Jason Panks brought in another pile of miscellany including an Echo Show, and we had a great test bed.

Here are the major take-aways, which you’ll see reiterated throughout my WPA3 migration best practice docs and posts.

1. OBSERVATION: Endpoints Won’t Connect to WPA3 WLAN. Of course, some endpoints won’t connect to a WPA3-only secured network. Most often, simply updating the Wi-Fi drivers will get you past this hurdle. The challenge may be for headless and IoT-type devices that aren’t being updated regularly, or at all. These endpoints will need to remain on a WPA2 network, and/or some may support a WPA3-Transition Mode. See the next bullet for why some WPA2 endpoints can’t connect to a WPA3-Transition Mode network.
2. OBSERVATION: Endpoints Failing WPA3-Transition Mode. Some endpoints fail when they see unknown AKMs advertised by the AP. Similar to the issues we saw when 802.11r/FT first came out, some endpoints don’t handle unknown AKMs (authentication and key management suites). Endpoints should ignore unknown AKMs, but some will just seize up and stop attempting association when they see an unknown AKM, which happens when the WLAN is broadcasting both WPA2 suites and WPA3 suites. Unfortunately, there’s no way to know which endpoints may fail without testing. Note this is a different issue than an endpoint that doesn’t support WPA3. This appears to be prevalent with devices that don’t support WPA-Enterprise/802.1X. Meaning, you will see this behavior much more often in WPA-Personal networks than WPA-Enterprise/802.1X although it is possible on both.
3. OBSERVATION: Some Endpoints Require More Manual Intervention. One interesting outcome of testing was the breadth of endpoint behavior if an existing SSID had its WLAN parameters changed. Meaning, if we take an SSID configured for WPA2-Enterprise, and we leave the name the same but change it to WPA3-Enterprise Transition Mode and/or if we take a WPA2-Personal SSID and change it to WPA3-Personal or Transition Mode, some endpoints would re-connect automagically since the SSID name being broadcast did not change. However, other endpoints would require manual intervention, and selecting to re-connect to the SSID. Some even prompted to re-enter the passphrase, even when it had not changed.
4. RECOMMENDATION: WPA-Personal (Passphrase networks). It’s recommended to create a new, second SSID for WPA3-Personal (only) and to methodically move endpoints from the WPA2 network to WPA3. Not all endpoints will support WPA3, but (as you’ll see below) not all endpoints will support WPA3 Transition Mode (which allows WPA3 and WPA2 on the same WLAN).
5. RECOMMENDATION: WPA-Enterprise (802.1X networks). Most 802.1X-capable endpoints are user-based and receive firmware updates regularly, meaning most endpoints connecting to these Enterprise networks will be able to connect to WPA3-Only networks without intervention. It is possible some endpoints haven’t received updates, and of course this is very likely in high BYOD environments such as colleges and universities. In these instances (and in favor of caution), it’s recommended to convert your existing WPA2-Enterprise network to a WPA3-Enterprise Transition Mode and monitor, then address/update endpoints connecting on WPA2. Once endpoints are all connecting with WPA3, it is then safe to migrate/upgrade that WLAN to WPA3-Enterprise Only.

Here’s the agenda from the WLPC Secure Wi-Fi Design Special Edition Deep Dive.

I let the students know ahead of time — we were not going to make it through all the content. We worked our way through the content most relevant for the labs, I offered tips on where to find more information in the book (each student received a copy), and let the class guide the discuss where appropriate.

• MODULE 1: Basic Concepts and Architecture
• MODULE 2: Wi-Fi Security Suites
• MODULE 3: Authentication and Authorization
• MODULE 4: Roaming and Design Impacts on Security
• MODULE 5: Hardening, Testing, and Monitoring the Wi-Fi Infrastructure

The “Secure Wi-Fi Design” course is based on my book Wireless Security Architecture, published with Wiley. You can find it on Amazon and in most e-book subscription platforms!

The hands-on labs included:

• Lab: Configure a Passphrase WLAN, test, then convert to WPA3-Transition Mode, document tests and which endpoints failed and why
• Lab: Configure an 802.1X WLAN, test, start with WPA3 Transition Mode and document endpoint behavior and security suites
• Lab: Create and Enforce Access Policies
• Lab: Isolation and Peer Blocking
• Lab: Hardening, Logging, Alerting, and WIPS
• Lab: Add a Guest Portal WLAN (optional)

The first, the last, or both?

Is this the first hands-on training, the last, or both? I’m figuring that out now. In full disclosure, I don’t teach or host training often. You see, for as much as everyone sees me as an outgoing bubbly extrovert, the reality is I’m just as much an introvert and I find myself quite exhausted after a few hours of speaking — or even listening!

My approach to teaching is also a bit different. I see myself as a facilitator, not a lecturer. In most environments, and certainly in a room full of professionals at a place like the WLPC conference, sometimes the best learning we can get is from each other. I certainly don’t know everything, and there’s tremendous value in sharing with, and hearing from, one’s peers. It was with that approach I entered the room, and I wasn’t sure how the students would respond but the feedback after class was amazing. For those two days, we were a kick-ass team!

I’d also like to take this opportunity to thank JD, who helped me wrangle equipment, people, and more. He jumped in to answer questions, and during the lab portions to help guide the students and give us all a bit of a break from listening to me. :)

What’s Next?

I feel honored by the opportunity to participate in this way at WLPC, and grateful to the students who not only showed up — but who all participated fully and brought such a tremendous value to the class. Looking into the rest of 2023, I’ll be delivering more courses with IANS including a Secure Wi-Fi Design course, as well as a new Planning for BYOD class. The next WLPC? Who knows! I have enough content for a full 3-day training but — sheesh that’s a lotta’ talking y’all.

In these next few weeks, I’ll be thinking about WLPC Prague and what I/we might submit that can bring value to our European friends!

In the meantime, stay curious and stay kind! <3

# # #