Preparing your network for reliable WiFi during the high density holiday season doesn’t have to lead to hair-pulling or long hours.
During the holidays, stores often see a vast increase in customers who are embracing great deals or trying to find that perfect gift. This increase in foot traffic inevitably leads to a spike in WiFi traffic. Customers are using mobile devices to connect with friends and family, browse online inventory, look up product reviews, and even stream videos.
When attempting to prepare their networks for the rise in usage, retailers can face numerous types of challenges. These can include setting network rules to optimize bandwidth in a BYOD environment, trying to gain visibility into in-store traffic, predicting how traffic will differ between store locations, or updating settings across multiple locations.
Luckily, creating a user-friendly network environment that can stand up to the daily spikes of traffic is easier than it may seem, only requires a few minutes to configure, and can be changed remotely, at a moment’s notice.
Design your network environment
While it may be difficult to predict how many clients will connect to networks at any given time during the holidays, preparing an infrastructure can still be simple. By appropriately naming and placing APs on the dashboard map, admins can use built-in diagnostic tools in dashboard to quickly assess network utilization and performance as traffic increases.
Because Cisco Meraki APs automatically scan the RF environment, continually monitoring their surroundings to maximize WiFi performance, manual adjustments are not needed. However, paired with channel planning visualization, admins can manually tweak their networks, if needed, and instantly verify their updates for optimal wireless performance.
Create customized WiFi configurations
Once users access the network, the question arises of how to ensure that bandwidth is shared equally and used appropriately. On the Monitor > Clients page in dashboard, admins have quick visibility into device types, applications, and bandwidth usage. Enforcing per-device bandwidth limits prevents just a few clients from hogging network usage. Even with limited restrictions, like 100-200 kbps per device, user experience and bandwidth consumption are both reasonable.
Further control of guest WiFi is feasible by segmenting access on its own SSID, then shaping traffic and enforcing time-based policies. Throttling or blocking specific applications gives retailers the control to prevent devices from needlessly consuming large amounts of bandwidth or accessing unapproved content. Customizing these restrictions at different stores and setting time-based policies — like during the lunch hour when traffic peaks — is a breeze in the Cisco Meraki dashboard.
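To make the per-device limit concrete, here is a small added example (written for this page, not Meraki code) of the mechanism behind it: one token bucket per client, so a chatty device only exhausts its own allowance. The client names, frame sizes and timings in the trace are constructed; the limit is the 200 kbps figure from the paragraph above, and the 15 KB burst allowance is an assumption.

```go
package main

import (
	"fmt"
	"sort"
)

// Packet is one frame in a constructed trace (not a real capture).
type Packet struct {
	Client string
	Bytes  int
	AtMs   int64 // arrival time in milliseconds from the start of the trace
}

type bucket struct {
	tokens int64 // bytes this client may still send right now
	lastMs int64 // when the bucket was last refilled
}

// Limiter keeps an independent token bucket per client. That independence is the
// whole point of a per-device limit: one heavy user cannot starve the other clients.
type Limiter struct {
	bytesPerSec int64 // sustained rate
	burstBytes  int64 // bucket depth: how much a quiet client may send at once
	clients     map[string]*bucket
}

// NewLimiter takes the limit in kbps, the unit the dashboard uses (200 kbps = 25,000 B/s).
func NewLimiter(kbps int64, burstBytes int64) *Limiter {
	return &Limiter{bytesPerSec: kbps * 125, burstBytes: burstBytes, clients: map[string]*bucket{}}
}

// Allow reports whether p may be forwarded, refilling the client's bucket first.
// Packets must be offered in arrival order per client.
func (l *Limiter) Allow(p Packet) bool {
	b, ok := l.clients[p.Client]
	if !ok {
		b = &bucket{tokens: l.burstBytes, lastMs: p.AtMs}
		l.clients[p.Client] = b
	}
	if p.AtMs > b.lastMs {
		b.tokens += (p.AtMs - b.lastMs) * l.bytesPerSec / 1000 // integer refill; fractions are dropped
		if b.tokens > l.burstBytes {
			b.tokens = l.burstBytes
		}
		b.lastMs = p.AtMs
	}
	if int64(p.Bytes) <= b.tokens {
		b.tokens -= int64(p.Bytes)
		return true
	}
	return false // no tokens left: drop (a real shaper might queue instead)
}

// Replay runs a trace through the limiter and counts forwarded/dropped packets per client.
func Replay(l *Limiter, trace []Packet) (forwarded, dropped map[string]int) {
	forwarded, dropped = map[string]int{}, map[string]int{}
	sort.SliceStable(trace, func(i, j int) bool { return trace[i].AtMs < trace[j].AtMs })
	for _, p := range trace {
		if l.Allow(p) {
			forwarded[p.Client]++
		} else {
			dropped[p.Client]++
		}
	}
	return forwarded, dropped
}

// SampleTrace is constructed: "phone-A" streams 1500-byte frames every 10 ms
// (1.2 Mbps, far above the limit); "phone-B" sends 200 bytes every 100 ms (16 kbps).
func SampleTrace() []Packet {
	var trace []Packet
	for t := int64(0); t < 1000; t += 10 {
		trace = append(trace, Packet{Client: "phone-A", Bytes: 1500, AtMs: t})
	}
	for t := int64(0); t < 1000; t += 100 {
		trace = append(trace, Packet{Client: "phone-B", Bytes: 200, AtMs: t})
	}
	return trace
}

func main() {
	fwd, drop := Replay(NewLimiter(200, 15000), SampleTrace())
	for _, c := range []string{"phone-A", "phone-B"} {
		fmt.Printf("%s: forwarded %d, dropped %d\n", c, fwd[c], drop[c])
	}
}
```

Over the one-second trace the streaming client gets its burst allowance and then one frame in six, while the light client is never touched, which is the behaviour the paragraph above describes: a modest cap keeps consumption reasonable without hurting ordinary browsing.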
Monitor traffic and adjust as needed
When implementing new rules for guest or employee networks, it’s always best to initially err on the side of caution and be a bit more conservative. It’s always easy to become more lenient with rules later, even across numerous distributed locations.
Admins can easily monitor website activity, shopping trends, and other retail analytics using the built-in features in dashboard. With this data-rich reporting, it becomes simple to discover when peak usage occurs, which applications are most used, which subset of store visitors are repeat customers, and more. Based on this information, immediate network changes, like opening or throttling certain traffic, can be easily applied. Admins can also view summaries of tagged networks. Gaining insight into which APs supported the most users, how much bandwidth was used for certain applications, or the top devices on the network is helpful in determining how to further augment the network.
This holiday season, the Cisco Meraki dashboard is putting the tools needed to reliably support highly dense environments at the fingertips of network admins. Even more information on creating a tailored network and managing high density environments is covered in this 3 part series.
There are many methods for associating clients to a wireless network: methods that require a password, methods that require a username AND password, and methods that require nothing at all. The level of security attained is generally proportional to the complexity of the method. But the Cisco Meraki team has added a new association method that uses WPA2-Enterprise for authentication, yet doesn’t require setting up a standalone server or managing pages and pages of usernames and passwords. This super slick method takes advantage of Systems Manager to streamline the association process.
When users enroll in Systems Manager, a unique SCEP certificate is created for each device, and a record of that certificate is shared with the Meraki cloud hosted authentication server.
When users log into a wireless network the access point can use the same certificate to authenticate them using EAP/TLS. The cloud hosted authentication server verifies the certificate and allows the user to join the network. Users don’t have to enter a password for authentication and admins don’t have to create them. The certificate does it all.
Getting set up
1. In the Wireless network, choose an SSID and select WPA2 with Meraki Authentication as the association method.
2. Specify a list of Systems Manager tags for which you’d like to grant network access. These are automatically imported from your Systems Manager network.
3. In Systems Manager, link some devices to that tag.
4. That’s it. Your devices should be able to get on the network, no username/password needed. You can see this iPhone now has a “Meraki Wifi” profile.
If you ever need to revoke access from a user, simply remove the tag, or quarantine the device in Systems Manager. This method will work with iOS, OS X, and Android devices that are enrolled in Systems Manager. For those scenarios where devices logging onto the network might not be enrolled in Systems Manager, check out Systems Manager Sentry for an easy way to get users set up.
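The certificate flow above, as an added example that is not Meraki code: a toy enrollment CA issues a per-device certificate, and an authentication server makes the EAP-TLS decision by verifying the chain first and only then checking the device's Systems Manager tags and quarantine state. The device name “ipad-0042”, the tag names, the one-year certificate lifetime and the in-process CA are assumptions; real SCEP enrollment keeps the private key on the device, whereas this example generates it alongside the CA for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Device is the MDM's record of an enrolled device, keyed by the CN in its certificate.
type Device struct {
	Tags        map[string]bool
	Quarantined bool
}

// AuthServer stands in for the cloud-hosted EAP-TLS server: it trusts one enrollment CA
// and consults the MDM records, so a valid certificate alone never grants access.
type AuthServer struct {
	caCert  *x509.Certificate
	caKey   *ecdsa.PrivateKey
	roots   *x509.CertPool
	devices map[string]*Device
}

// issue signs tmpl with key (self-signed when parent is nil) and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil { parent = tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// NewAuthServer creates the enrollment CA in-process (SCEP would front it in production).
func NewAuthServer(now time.Time) (*AuthServer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	a := &AuthServer{caKey: key, roots: x509.NewCertPool(), devices: map[string]*Device{}}
	a.caCert, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Enrollment CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(5, 0, 0), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, &key.PublicKey, key)
	if err != nil { return nil, err }
	a.roots.AddCert(a.caCert)
	return a, nil
}

// Enroll mimics SCEP enrollment: a client-auth certificate plus an MDM record carrying the tags.
// The key is generated here for brevity; with SCEP it is created on, and never leaves, the device.
func (a *AuthServer) Enroll(id string, now time.Time, tags map[string]bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	cert, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(int64(len(a.devices) + 2)), Subject: pkix.Name{CommonName: id},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // client auth only, never a server cert
	}, a.caCert, &key.PublicKey, a.caKey)
	if err != nil { return nil, err }
	a.devices[id] = &Device{Tags: tags}
	return cert, nil
}

// Authenticate is the access decision: chain to the enrollment CA, client-auth EKU and lifetime
// first, then the Systems Manager quarantine and tag checks. Anything not explicitly allowed is denied.
func (a *AuthServer) Authenticate(cert *x509.Certificate, ssidTags []string, now time.Time) (bool, string) {
	opts := x509.VerifyOptions{Roots: a.roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { return false, "certificate rejected: " + err.Error() }
	dev, ok := a.devices[cert.Subject.CommonName]
	if !ok { return false, "certificate valid but no enrollment record" }
	if dev.Quarantined { return false, "device quarantined in Systems Manager" }
	for _, t := range ssidTags {
		if dev.Tags[t] { return true, "authorized via tag " + t }
	}
	return false, "no SSID tag matches the device's tags"
}

// Demo walks one device through enrollment, expiry, a forgery attempt, quarantine and tag removal.
func Demo() (map[string]bool, error) {
	now := time.Date(2013, time.November, 20, 12, 0, 0, 0, time.UTC)
	srv, err := NewAuthServer(now)
	if err != nil { return nil, err }
	cert, err := srv.Enroll("ipad-0042", now, map[string]bool{"staff": true, "sales": true})
	if err != nil { return nil, err }
	fk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // forgery: self-signed, same CN, never chained to the CA
	forged, err := issue(&x509.Certificate{SerialNumber: big.NewInt(99), Subject: pkix.Name{CommonName: "ipad-0042"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, nil, &fk.PublicKey, fk)
	if err != nil { return nil, err }
	ssid := []string{"staff"} // the Systems Manager tags granted access on this SSID
	out := map[string]bool{}
	out["enrolled_with_tag"], _ = srv.Authenticate(cert, ssid, now)
	out["expired_cert"], _ = srv.Authenticate(cert, ssid, now.AddDate(2, 0, 0))
	out["forged_cert"], _ = srv.Authenticate(forged, ssid, now)
	srv.devices["ipad-0042"].Quarantined = true // revoke by quarantining the device...
	out["quarantined"], _ = srv.Authenticate(cert, ssid, now)
	*srv.devices["ipad-0042"] = Device{Tags: map[string]bool{"sales": true}} // ...or by dropping the staff tag
	out["tag_removed"], _ = srv.Authenticate(cert, ssid, now)
	return out, nil
}

func main() { fmt.Println(Demo()) }
```

The order of the checks matters: the chain is verified before any record lookup, so a self-signed certificate with a plausible device name never reaches the tag logic, and because the tag and quarantine state live in the MDM rather than in the certificate, access can be withdrawn instantly without waiting for the certificate to expire.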
As part of our exciting switch launch, we’re rolling out functionality that has been requested in several Meraki wishes: port management roles. This new feature grants configuration privileges to specific Cisco Meraki MS switch ports based on custom tags. Dashboard administrators who receive these port privileges have read-only dashboard access otherwise, ensuring that they are only able to edit the specific ports in question — and nothing else. Port management roles let central IT administrators securely delegate port management to junior staff or contractors where appropriate.
This feature is a natural extension of the Meraki dashboard’s role-based access. For example, it’s already possible to grant varying levels of access (full dashboard privileges or read-only) to Organizational Admins for all of the networks contained within an organization. Going one level deeper, Network-wide Administrators can, likewise, have full privileges or read-only access to their respective networks. Finally Guest Ambassador accounts are available to provide guest access to networks.
How to configure port management roles
Creating granular port configuration privileges is easy: simply navigate to Configure > Alerts and administration, and select the “Add custom admin role” link in the Port management roles section. You are now able to specify the role type, which ports that role has access to, and whether they are allowed to take packet captures from within dashboard.
Here, we’ve specified 3 different roles for ports tagged as “Dorms,” “Labs,” and “VoIP” on our switches.
You identify the ports you’d like a role to have access to by specifying port tags. Tags are custom identifiers you can assign to specific ports in the Configure > switch ports page.
Once roles have been created, you can specify which network admins should receive which role:
If we assign the “Student IT” role to the “Student” account, that account will be able to manage ports tagged as “Dorms.”
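An added example (not the dashboard's own authorization code) of the access model described above, written as a deny-by-default check: a delegated admin gets read-only access everywhere and write access only to ports carrying a tag of one of their roles, with packet capture granted only when the role allows it. The “Lab IT”, “Voice team”, “netops” and “contract” names are constructed so that one port carries two tags and one admin holds two roles.

```go
package main

import "fmt"

// Port is a switch port with the custom tags assigned on the switch ports page.
type Port struct {
	Switch string
	Number int
	Tags   []string
}

// Role grants write access to ports carrying any of its tags, optionally with packet capture.
type Role struct {
	Tags          []string
	PacketCapture bool
}

// Admin is a dashboard account: either full network access or read-only plus port roles.
type Admin struct {
	FullAccess bool
	Roles      []string
}

// Permission is what a principal may do with one port.
type Permission struct{ Read, Write, Capture bool }

type Authorizer struct {
	roles  map[string]Role
	admins map[string]Admin
}

// Check resolves the effective permission. Everything starts denied; a delegated admin
// gets read-only, and write/capture only through a role whose tag the port carries.
func (a *Authorizer) Check(admin string, p Port) Permission {
	adm, ok := a.admins[admin]
	if !ok {
		return Permission{} // unknown principal: nothing at all
	}
	if adm.FullAccess {
		return Permission{Read: true, Write: true, Capture: true}
	}
	perm := Permission{Read: true}
	for _, name := range adm.Roles {
		r, ok := a.roles[name]
		if !ok {
			continue // a dangling role reference grants nothing
		}
		if hasAny(p.Tags, r.Tags) {
			perm.Write = true
			perm.Capture = perm.Capture || r.PacketCapture
		}
	}
	return perm
}

func hasAny(have, want []string) bool {
	for _, h := range have {
		for _, w := range want {
			if h == w {
				return true
			}
		}
	}
	return false
}

// SampleAuthorizer mirrors the roles in the post: Dorms, Labs and VoIP port tags.
func SampleAuthorizer() *Authorizer {
	return &Authorizer{
		roles: map[string]Role{
			"Student IT": {Tags: []string{"Dorms"}},
			"Lab IT":     {Tags: []string{"Labs"}},
			"Voice team": {Tags: []string{"VoIP"}, PacketCapture: true},
		},
		admins: map[string]Admin{
			"netops":   {FullAccess: true},
			"Student":  {Roles: []string{"Student IT"}},
			"contract": {Roles: []string{"Lab IT", "Voice team"}},
		},
	}
}

func main() {
	a := SampleAuthorizer()
	dorm := Port{Switch: "ms-dorm-1", Number: 3, Tags: []string{"Dorms"}}
	uplink := Port{Switch: "ms-dorm-1", Number: 48} // untagged: only full admins may change it
	fmt.Printf("Student on dorm port: %+v\n", a.Check("Student", dorm))
	fmt.Printf("Student on uplink:    %+v\n", a.Check("Student", uplink))
}
```

Two details carry the least-privilege guarantee: an untagged port is editable by nobody but full admins, because no role can ever match it, and capture rights are a union over the roles an admin actually holds rather than a property of the admin.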
We’ve just made this feature live for all MS switches, so existing switch customers can get started today with configuring port management roles.
With the ever-accelerating pace of change in the device and application environment, keeping track of how the network is being used is vital to ensure an excellent experience for all. A modern network benefits from regular oversight and tweaking, and Cisco Meraki networks excel in this area with simple, accessible controls for networks. To assist with oversight, the dashboard provides an excellent summary reporting tool, which can be triggered manually or scheduled for delivery to the network owner via email, daily, weekly or monthly. Here’s a snippet of a typical emailed report:
Armed with the information in reports like these, the IT admin can log onto the dashboard and make tweaks to network configuration, perhaps shaping some types of traffic, blocking some others, or applying a group policy to a particular type of user or device.
This approach works fine in a relatively small network where all network activity is performed in the same location and on a known set of client devices. But until now summary reporting has been network-wide, and in some cases those organizations may be very large, containing 10,000 or more network devices. Cisco Meraki networks are the perfect fit for organizations operating across multiple geographic locations, and consequently there are many businesses for whom a single network-wide summary will be simply too broad, making it difficult to decipher.
Another wish has been granted, and Meraki customers can now customize their summary reports by reporting against specific tags. Tagging is used extensively across the Meraki dashboard to help make sense of a networking environment which could contain an overwhelming number of network or client devices across many locations. These tags can be searched against, so searching for ‘AP’ would filter and show all APs regardless of location. Tags are simply friendly names and could be applied, for example, to all the APs on a specific site, or all the switch ports to which APs are connected.
Now a summary report can be created around a tag, depicting location, building, floor, all switches, certain applications or users – whatever can be logically grouped together. A hospitality business may wish to look at all its restaurants or hotels on the east coast, a provider of office space across many states may like to look at VoIP ports across all locations, or perhaps an IT admin wants to zone in on buildings 10, 11 and 12 on the HQ campus. Here’s a sample view of the tag selection the admin would use. Reports can also be created for a custom time range covering up to 2 months.
Summary reports are a super-useful tool for concisely depicting how valuable network resources are being used, especially for those who don’t have the time to pay daily visits to the dashboard. They are also easily digestible, making them ideal for emailing to an IT manager or managed customer. With the addition of tagging, these reports can now be tailored to more accurately reflect real-world network deployments, logically grouped in a way which makes sense.
Just a few short months ago, our team in London premiered their highly successful webinar, Mission: Impossible – One Hour WiFi. During that live presentation, we created an enterprise-grade wireless network in under an hour, configured the access points with varying levels of security and access, and used an Android phone to connect to each SSID — all in about 30 minutes with plenty of time left for Q&A.
Due to its wild success and by popular demand, they’ve done it again with Mission: Impossible 2 – BYOD Protocol. It may seem simple to create a wireless network for company-owned and personal devices, but is it really possible to completely configure a wireless network to support the growing demands of mobile devices in less than an hour?
Not to be outdone by their first performance, our London operatives added even more restrictions to their already demanding list of requirements. They’ve been tasked with implementing the mission’s guidelines of different types of network behavior depending on the type of device, but they can only use one SSID and a single Cisco Meraki access point.
But what are the required guidelines for company-owned and personal devices? They must be fairly simple if there’s only one hour, one SSID, and one device at their disposal…right? Not exactly.
For company-owned devices assigned to employees:
Log on to the corporate WiFi using Active Directory credentials
With staff Active Directory credentials, deny access to social media apps and restrict bandwidth to 5 Mbps
Enroll a new employee’s MacBook into the corporate mobile device management program
For shared, company-owned devices:
Authenticate to the corporate WiFi using Active Directory credentials
Enroll into the corporate mobile device management program
Require a passcode to access the device and deny camera use
Install the application Angry Birds or Salesforce onto the iPad
For employee-owned personal devices:
Restrict authentication to the corporate WiFi until the device has been authorized by IT
Log on to the corporate WiFi using Active Directory credentials
Deny access to social media applications
Deny access to video and music applications
Enforce a per device bandwidth limit of 1 Mbps
In just over 30 minutes, our operative accomplished each element of his mission and even connected a mobile device to the SSID to verify a successful completion.
If you missed this riveting performance, be sure to catch the next screening coming soon or check out the recording.
So what’s next for our daredevil operatives? Time will only tell, so stay tuned and keep your eyes out for the next installation on the Cisco Meraki webinar page.
Group policies already provide network admins with many powerful and granular controls for selected groups of users. For example, social networking can be restricted to use by the marketing team, peer-to-peer apps can be blocked for all, or bandwidth for guest users limited to 5 Mbps, all configured in a matter of moments. It’s a topic we’ve covered extensively in the past here on the blog.
One thing has been missing, until now. These policies have applied around the clock with no regard for changing requirements through the day, and we’ve received many requests to add a scheduling capability. So with the latest wireless release, this super-useful tool is now available in the dashboard.
A couple of examples help illustrate how time based group policies could be used to enhance network security, provide limited access to applications, and give IT admins more precise control over their networks. It may be desirable to restrict access to certain applications or IP addresses outside business hours, or perhaps a specific server, or lab environment where highly sensitive work is being undertaken. Many businesses choose to block social networking, but may like to allow access to Facebook during the lunch period, with traffic levels shaped so as not to impact more business critical applications. Bandwidth for BYOD devices could be restricted for the same reason during business hours, with software downloads – sometimes running into hundreds of Megabytes – blocked.
The design is exactly the same as you’ll find for other scheduling capabilities, like SSID availability for wireless, and port schedules for the switches. Pre-configured time schedule templates can be selected, or timings manually selected to suit the requirements of the organization. If multiple instances of a policy are required, perhaps to fit around school class times, multiple policies can be created to reflect this, each with their own fine-grained controls.
Here’s how it looks.
One more thing: Time based policies can be configured in a wireless-only environment and also for wired networks which sit behind a Cisco Meraki security appliance.
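As an added example (not Meraki's implementation), here is how a scheduled group-policy lookup can be evaluated, including the window that crosses midnight. The BYOD base policy, the lunch-hour exception that allows Facebook but shapes it to 1 Mbps, the business-hours rule and the overnight block on a lab server are constructed from the scenarios in this post; the most specific window is listed first and the first matching window wins.

```go
package main

import (
	"fmt"
	"time"
)

// Window is one schedule entry: the listed weekdays, from FromMin (inclusive) to
// ToMin (exclusive), both as minutes after midnight. ToMin <= FromMin means the
// window runs past midnight into the following day.
type Window struct {
	Days    []time.Weekday
	FromMin int
	ToMin   int
}

func listed(d time.Weekday, days []time.Weekday) bool {
	for _, x := range days {
		if x == d {
			return true
		}
	}
	return false
}

// Contains reports whether t falls inside the window, handling the midnight wrap.
func (w Window) Contains(t time.Time) bool {
	m := t.Hour()*60 + t.Minute()
	day := t.Weekday()
	if w.FromMin < w.ToMin {
		return listed(day, w.Days) && m >= w.FromMin && m < w.ToMin
	}
	if listed(day, w.Days) && m >= w.FromMin {
		return true // evening part, on a listed day
	}
	prev := (day + 6) % 7 // early-morning part belongs to the previous day's window
	return listed(prev, w.Days) && m < w.ToMin
}

// Policy is a simplified group policy: blocked applications or hosts and a per-client limit.
type Policy struct {
	Name      string
	Blocked   []string
	LimitKbps int // 0 means unlimited
}

func (p Policy) Allows(app string) bool {
	for _, b := range p.Blocked {
		if b == app {
			return false
		}
	}
	return true
}

type ScheduledPolicy struct {
	Window Window
	Policy Policy
}

// Effective returns the first scheduled policy whose window contains t; entries are
// ordered most specific first, and the base policy applies when none match.
func Effective(base Policy, schedule []ScheduledPolicy, t time.Time) Policy {
	for _, s := range schedule {
		if s.Window.Contains(t) {
			return s.Policy
		}
	}
	return base
}

var weekdays = []time.Weekday{time.Monday, time.Tuesday, time.Wednesday, time.Thursday, time.Friday}

// SampleSchedule is constructed for a BYOD group, following the scenarios in the post.
func SampleSchedule() (Policy, []ScheduledPolicy) {
	base := Policy{Name: "byod-default", LimitKbps: 5000}
	return base, []ScheduledPolicy{
		{Window{weekdays, 12 * 60, 13 * 60}, Policy{"lunch", []string{"youtube"}, 1000}}, // social allowed but shaped
		{Window{weekdays, 9 * 60, 18 * 60}, Policy{"business-hours", []string{"facebook", "youtube"}, 1000}},
		{Window{weekdays, 22 * 60, 6 * 60}, Policy{"overnight", []string{"lab-server"}, 5000}}, // wraps midnight
	}
}

func main() {
	base, sched := SampleSchedule()
	for _, t := range []time.Time{
		time.Date(2013, time.December, 3, 10, 0, 0, 0, time.UTC),  // Tuesday 10:00
		time.Date(2013, time.December, 3, 12, 30, 0, 0, time.UTC), // Tuesday 12:30
		time.Date(2013, time.December, 7, 2, 0, 0, 0, time.UTC),   // Saturday 02:00
	} {
		p := Effective(base, sched, t)
		fmt.Printf("%s -> %s (facebook allowed: %v, %d kbps)\n", t.Format("Mon 15:04"), p.Name, p.Allows("facebook"), p.LimitKbps)
	}
}
```

The overnight entry is the case worth testing when building schedules: Saturday 02:00 must still count as Friday night, while Monday 02:00 must not, because Sunday is not a listed day. Window ends are exclusive, so 13:00 sharp already falls back to the business-hours rule.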
We’re certain this new functionality will be well received by our customers and look forward to seeing the creative ways in which it’s put to use in different kinds of organization.
We are excited to ring in the holiday season with a major software release for the Cisco Meraki Wireless product line. Building on top of the industry’s most advanced cloud managed wireless solution, this software release introduces tools to make wireless network management easier than ever, and features that help large scale networks. Cisco Meraki takes continuing development on the entire product line seriously, so the best part is that these features will be available on all Cisco Meraki MR APs of any model. Here are just a few of the new features.
Scheduling for group policies
Group policies are a powerful way to create a differentiated class of service for a particular user (or group of users) — e.g., block Facebook and YouTube for students, and prioritize video and VoIP for students. You can now add a time-based element — e.g., block Netflix during school hours, which enables schools and enterprises to create and apply time-based rules.
Appropriate channel planning can make or break an environment, so the Cisco Meraki Cloud takes some of the guesswork out of it. Admins can now visualize the RF management by adjusting radio channel and power level right on the floor plan. This feature, coupled with Cisco Meraki Auto RF (radio resource management), helps ensure peak wireless performance site-wide.
Reporting by tag
For distributed networks, the assignment of a ‘network tag’ to one or more locations allows administrators to create logical groupings within an organization. This lets admins rapidly filter through hundreds of locations and find a group of sites they are interested in. Now, with reporting by tag, we’ve taken this functionality further — allowing for a report of the top applications, users, and much more on a per-tag basis.
For common use cases along with how to take advantage of these tools in your own network check out the deep dive blog posts starting with RF channel planning, and then reporting by tag and group policy scheduling later this week. All of these features will be automatically rolled out in the dashboard over the next week so take a look.
Good channel planning can limit channel overlap between access points and reduce interference, making for a better overall wireless experience for users. Cisco Meraki APs have built-in functionality to automatically optimize the radio settings, and now also provide easier visibility of RF configuration to optimize settings for high density environments.
In an ideal world our radio settings for 2.4 GHz would look something like this. Nearby APs operate on different channels, and channel overlap is minimized. But most network deployments aren’t this simple. Invisible interference sources skew the map, as well as thick walls or barriers that limit the distance wireless signals can reach. Thankfully, Auto RF does most of the work for us. APs scan the RF environment and choose the best channel and power level taking into account channel spreading, interference, and several other factors.
In addition to Auto RF, dashboard now makes it easier to visualize channel assignments and make manual adjustments to fine tune RF settings giving admins full control in tricky environments. Right from the Monitor > Maps page, admins can view 2.4 and 5 GHz channel assignments and their associated power settings.
Maps are also now incorporated into the radio settings page. Instead of blindly making adjustments to channel or power level settings, admins can verify changes right on the map.
Using a combination of Auto RF and channel planning visualization, admins can easily ensure optimal wireless performance site-wide. For more information on channel planning and a great example of deploying wireless in a high density environment, check out this 3 part guide.
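An added example (not Meraki's Auto RF, whose actual algorithm this post does not describe) of the channel-planning idea above: APs within an assumed neighbour radius on the floor plan are treated as interfering, and channels 1, 6 and 11 are assigned greedily, most-constrained AP first, to minimise overlap. The overlap weight (full on the same channel, zero five channels apart) and both floor plans are constructed; the second layout is four mutually adjacent APs, where at least one pair must share a channel because only three non-overlapping choices exist.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// AP is an access point placed on the floor plan (coordinates in metres, constructed).
type AP struct {
	Name string
	X, Y float64
}

// channels is the non-overlapping 2.4 GHz set the planner chooses from.
var channels = []int{1, 6, 11}

// overlap is a simplified interference weight for two 2.4 GHz channels: they are 20 MHz
// wide and 5 MHz apart, so full overlap on the same channel and none five channels apart.
func overlap(c1, c2 int) float64 {
	d := math.Abs(float64(c1 - c2))
	if d >= 5 {
		return 0
	}
	return (5 - d) / 5
}

// neighbors lists, for each AP, the APs within radius: the pairs that hear each other.
func neighbors(aps []AP, radius float64) [][]int {
	nb := make([][]int, len(aps))
	for i := range aps {
		for j := range aps {
			if i != j && math.Hypot(aps[i].X-aps[j].X, aps[i].Y-aps[j].Y) <= radius {
				nb[i] = append(nb[i], j)
			}
		}
	}
	return nb
}

// Interference sums the overlap weight over every neighbouring pair, counted once.
func Interference(aps []AP, radius float64, assign map[string]int) float64 {
	nb := neighbors(aps, radius)
	total := 0.0
	for i, list := range nb {
		for _, j := range list {
			if i < j {
				total += overlap(assign[aps[i].Name], assign[aps[j].Name])
			}
		}
	}
	return total
}

// Plan assigns channels greedily: the AP with the most neighbours goes first, and each
// AP takes the channel adding the least overlap with neighbours already planned (lowest
// channel on a tie). This is a heuristic, not an optimal colouring, but it is cheap and
// is the kind of decision an admin can check visually on the channel map.
func Plan(aps []AP, radius float64) map[string]int {
	nb := neighbors(aps, radius)
	order := make([]int, len(aps))
	for i := range order {
		order[i] = i
	}
	sort.SliceStable(order, func(a, b int) bool { return len(nb[order[a]]) > len(nb[order[b]]) })
	assign := map[string]int{}
	for _, i := range order {
		best, bestCost := channels[0], math.Inf(1)
		for _, c := range channels {
			cost := 0.0
			for _, j := range nb[i] {
				if cj, ok := assign[aps[j].Name]; ok {
					cost += overlap(c, cj)
				}
			}
			if cost < bestCost {
				best, bestCost = c, cost
			}
		}
		assign[aps[i].Name] = best
	}
	return assign
}

func main() {
	// Constructed floor plans: a corridor of five APs, and four APs in a tight square.
	corridor := []AP{{"A", 0, 0}, {"B", 10, 0}, {"C", 20, 0}, {"D", 10, 10}, {"E", 10, 20}}
	square := []AP{{"A", 0, 0}, {"B", 10, 0}, {"C", 10, 10}, {"D", 0, 10}}
	for _, site := range []struct {
		name   string
		aps    []AP
		radius float64
	}{{"corridor", corridor, 12}, {"square", square, 15}} {
		plan := Plan(site.aps, site.radius)
		fmt.Printf("%s: %v, interference %.1f\n", site.name, plan, Interference(site.aps, site.radius, plan))
	}
}
```

The corridor layout can be made interference-free, while the square cannot: comparing the planned score against the everything-on-channel-1 baseline is a quick way to see how much a manual tweak on the map actually buys, and where the floor plan itself (walls, AP density) rather than the channel choice is the limiting factor.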
Organizations that operate in security-conscious environments rely on us to deliver a solution that fits their stringent requirements. As it has been for the past several years, the Cisco Meraki solution is PCI DSS (Payment Card Industry Data Security Standard, a security standard required for retailers and others who handle financial transactions) Level 1 certified, including our hardware, software, and cloud infrastructure. This is just one key aspect of the Meraki team’s ongoing commitment to security, along with the cloud architecture and built-in, easy-to-use security tools.
Even though the Meraki data centers are out-of-band and thus generally out-of-scope for a PCI audit, those who need to meet the requirements of a PCI audit have the additional reassurance that the Meraki architecture also meets those requirements. While the focus of PCI compliance is often on wireless, the entire Cisco Meraki cloud managed networking solution – including wireless, switching, and security appliances – is PCI compliant.
Security and management
Certifications and compliance are but one aspect of security. The Meraki solution has the features needed to meet security standards and makes it simple for administrators to meet and verify compliance. For example, the organization-wide change log lets administrators easily find changes in wireless, switching, and security network configurations. The screenshot below shows recent changes to the Meraki team’s corporate wireless network in San Francisco:
Enable alerts to be notified when settings are changed on any network:
Turn on robust account security tools with just a few clicks in the dashboard:
Providing infrastructure and tools that meet the same PCI DSS requirements that many organizations must adhere to is just one aspect of the security built into the Meraki solution. To find out more about the architecture, data centers, and security tools, see the Trust section of our website.
The mobile operating systems – like iOS and Android – typically get all the attention, so it would be easy to overlook some of the cool tools available for managing an estate of Macs and PCs in Systems Manager. These tools make life easier for the IT admin responsible for auditing, monitoring and troubleshooting both mobile and desktop environments.
Beginning with the Overview screen presented after login, a simple device count shows the number of devices of each type enrolled into the MDM account, covering iOS and Android plus Mac, PC and even Chromebooks. This helps ensure that all devices in inventory are accounted for and available for management.
The simple enrolment process uses a package install file on the PC which may be deployed as part of a Group Policy from Active Directory, or installed on individual computers. For the Mac, enrolment is as easy as providing the network ID and downloading a profile, as covered in a previous blog post.
Once enrolled, some extremely useful tools become available. A simple remote desktop tool is incorporated into the dashboard, enabling the IT admin to quickly jump onto a PC or Mac to assist the owner with troubleshooting and fixing issues. As with all elements of Cisco Meraki’s cloud managed portfolio, the power of such a tool really comes into its own when managing devices at remote locations, like branch offices or teleworkers’ home offices.
A number of alerting functions are included in Systems Manager. To take a couple of examples, having enrolled devices into MDM, the admin should be alerted if management is removed for any reason. Even more useful, there will be servers or other online devices which are considered mission critical in any organization. An alert can be built around tagged devices such as servers, so that the admin is notified should any go offline.
Another deceptively simple tool facilitates a rapid inventory of installed software across all managed platforms, with the ability to install and remove copies of applications which should not be installed. This may be because they are not approved for use on company-owned devices, or perhaps because their presence takes the organization above their licensing limit for that app. An alert can be set, triggered by the installation of a certain application.
When it comes to setting restrictions, some of the capabilities available for iOS and Android are also available for the desktop operating systems. Geofencing, one of the most popular recently added features, can be used on both Macs and PCs to ensure valuable assets remain within a defined location. Beyond this, the Mac benefits from the ability to set password restrictions, deploy pre-configured WiFi or VPN credentials and trust certificates for secure client association to a verified network.
Last but not least, Systems Manager provides a convenient way to audit and report on the security status of managed devices, testing for numerous components like passcode, antivirus and firewall. A periodic report can also be scheduled and emailed to the network owner.
The report generated with these few simple options can greatly assist the IT team with maintaining the security and compliance standards applicable to their installed base of Macs and PCs.
As with all things Meraki, the best way to establish Systems Manager’s suitability for any organization is by trying it out, so to get started just click here.