All about Cisco FastLocation
The further I dive into the topic of Wi-Fi positioning, the more obvious the fact that the main task is not to achieve the necessary accuracy, but to obtain the required number of measurements! Why do I think so?
The requirements for the density of access points are increasing every year, which has a positive effect on positioning accuracy, but the frequency of measurements on the Probe Request does not become higher, rather the opposite.
In this regard, many manufacturers have developed their own tools to increase the frequency of measurements. Traditionally, one of the innovators in this area is Cisco, which launched a tool called Cisco FastLocation.
Let's try to understand all the nuances of this tool.
For a start, what is meant by the marketing words of Cisco FastLocate? In short, this is the signal level measurement (RSSI) not by the management of the Probe Request packages, but by the data packages (data). This metering mode is called “Data RSSI” (in addition to “Probe RSSI”). Later in the article, I will use both terms depending on the context.
')
Cisco FastLocation technology appeared in 2014, when Cisco's positioning system began to evolve strongly.
At that time, it had a rather limited functionality, it was supported only on specially installed monitoring modules WSM (Wireless Security Module), which were installed in modular, that is, top-end office access points. This was the so-called FastLocate MSE Release 8.0 .
We will not consider this technology, as a new, completely revised version of FastLocate CMX Release 10.2 is now relevant.
We will be testing it using the Cisco WLC 2504 controller with software version 8.1.131.20 and Cisco Aironet 3602 series points.
The first question that came to my mind was: is it possible to do Data RSSI without using additional modules? In the arsenal of Cisco, it is already possible to transfer the access point to the monitoring (scanning) mode of all channels, there is a hybrid mode of operation, when the point serves both users and scans adjacent channels. Can we use these modes for Data RSSI?
If this was not possible in the 8th version of CMX, then by the 10th version of CMX this option appeared. Cisco access points have a special Enhanced Local Mode (ELM) mode, in which, in addition to customer service, the access point performs the so-called Off-Channel Scanning, that is, it scans adjacent channels. This is not happening without loss of performance, which is about 15%.
Off-Channel Scanning occurs in a very unhurried manner and was originally designed to detect foreign access points on adjacent channels. How it works you can see here and here .
For example, the default in the 2.4 GHz band is configured to scan all channels and a full scan interval of 180s. In this mode, the access point every 180/13 = 14 seconds is interrupted by 50ms for scanning the adjacent channel (10ms is also spent on switching to each side). The picture looks like this:
The operation of this algorithm can be checked directly on the access point using the command debug dot11 do0 trace print channel
From this conclusion, you can see that the scan frequency is about 13 seconds, which converges with the documentation. The use of Data RSSI in this mode would not be very effective (looking ahead to say that it is not used).
If FastLocate is enabled on the wireless controller, Off-Channel Scanning starts to work a little differently.
The time intervals are reduced to three seconds. I did not find technical documentation on how Off-Channel Scanning works with activated FastLocate, but based on the above output, we can conclude that the scanning time is also about 50 ms (967-887 = 80 ms, it is 50-60 ms scan + 10 ms to switch between channels).
Obviously, a decrease in time intervals was made to improve the operation of the FastLocation mechanism.
The access point can work with local or centralized wIPS (intrusion detection and prevention system), which is regulated by the setting on the access point. Testing Off-Channel Scanning in different wIPS operation modes, I didn’t see any differences.
Even before the advent of FastLocate technology, access points were able to work in Monitor mode AP. This mode was used for centralized intrusion detection system. When switching to this mode, both radio modules no longer serve clients and sequentially scan channels with a duration of 1.2 seconds.
This algorithm is confirmed by the output from the access point:
In the case of Monitor mode AP, the operation algorithm did not change when FastLocate was turned on / off.
When using the Monitor mode, there is a nuance: FastLocate works only for clients connected to the infrastructure, and when the access point is switched to Monitor mode, the point ceases to serve the clients. That is, it is assumed that the infrastructure will include other access points serving clients.
Access points in the Monitor mode are proposed to be placed in a ratio of 1: 5 to the usual access points.
This is the main mode of operation for FastLocate, which provides for installing 2: 5 aspect ratio modules into WSM access points (that is, at least 2: 5 access points must be modular, that is, the top ones).
WSM has its own work algorithm. The WSM module, unlike the radio in the monitoring mode, scans the channel not for 1.2 seconds, but for 250 ms. But he does not do this consistently, but in accordance with certain rules:
It can be said that high priority is given to infrastructure channels (on which their access points operate), which is understandable, because FastLocation only works for connected clients and scanning adjacent channels is not so important.
What this algorithm looks like when outputting to an access point:
The scan interval is not as smooth as in other modes, and is within 50-250ms.
And indeed, non-infrastructure channels (in my case, these are channels 36, 40) were rarely managed, with a frequency of more than 3 seconds, which can also be seen in the logs.
When activating the FastLocation mode, the frequency of measurements directly depended on the client's activity. If the client (smartphone, phone, laptop) was in sleep mode, that is, the Wi-Fi adapter was not used actively, the frequency of measurements was comparable to the Probe RSSI method. If the device is actively used Wi-Fi adapter, the frequency of measurements has increased dramatically.
I did not test all possible Cisco FastLocation operation schemes, since there are so many factors that affect the frequency of measurements, both from the infrastructure and from the client, so the tests were conducted only in WSM mode.
Three types of devices were used: a smartphone, a tablet and a laptop. For all tested devices, the interval between measurements was comparable and was about 2-6 seconds with active use of the Wi-Fi adapter.
1. FastLocate (Data RSSI) compared to Probe RSSI in general for personal devices allows to significantly increase the frequency of measurements, especially when using a Wi-Fi module.
2. But if the client device is in sleep mode and does not use a Wi-Fi adapter, the measurement frequency drops to the standard with Probe RSSI.
3. It is very difficult to talk about a specific value of the frequency of measurements in the case of using Wi-Fi positioning for personal devices. There are many factors, from both the infrastructure and the client, affecting this characteristic. To obtain specific values, I believe, it is necessary to act by analogy with the radio survey, that is, to carry out field tests of the entire system and with the required client devices.
The requirements for the density of access points are increasing every year, which has a positive effect on positioning accuracy, but the frequency of measurements on the Probe Request does not become higher, rather the opposite.
In this regard, many manufacturers have developed their own tools to increase the frequency of measurements. Traditionally, one of the innovators in this area is Cisco, which launched a tool called Cisco FastLocation.
Let's try to understand all the nuances of this tool.
FastLocate = Data RSSI
For a start, what is meant by the marketing words of Cisco FastLocate? In short, this is the signal level measurement (RSSI) not by the management of the Probe Request packages, but by the data packages (data). This metering mode is called “Data RSSI” (in addition to “Probe RSSI”). Later in the article, I will use both terms depending on the context.
')
FastLocate Release 8.0 vs FastLocate Release 10.2
Cisco FastLocation technology appeared in 2014, when Cisco's positioning system began to evolve strongly.
At that time, it had a rather limited functionality, it was supported only on specially installed monitoring modules WSM (Wireless Security Module), which were installed in modular, that is, top-end office access points. This was the so-called FastLocate MSE Release 8.0 .
We will not consider this technology, as a new, completely revised version of FastLocate CMX Release 10.2 is now relevant.
We will be testing it using the Cisco WLC 2504 controller with software version 8.1.131.20 and Cisco Aironet 3602 series points.
FastLocate without additional modules
The first question that came to my mind was: is it possible to do Data RSSI without using additional modules? In the arsenal of Cisco, it is already possible to transfer the access point to the monitoring (scanning) mode of all channels, there is a hybrid mode of operation, when the point serves both users and scans adjacent channels. Can we use these modes for Data RSSI?
FastLocate in ELM hybrid mode
If this was not possible in the 8th version of CMX, then by the 10th version of CMX this option appeared. Cisco access points have a special Enhanced Local Mode (ELM) mode, in which, in addition to customer service, the access point performs the so-called Off-Channel Scanning, that is, it scans adjacent channels. This is not happening without loss of performance, which is about 15%.
Off-Channel Scanning with FastLocate turned off
Off-Channel Scanning occurs in a very unhurried manner and was originally designed to detect foreign access points on adjacent channels. How it works you can see here and here .
For example, the default in the 2.4 GHz band is configured to scan all channels and a full scan interval of 180s. In this mode, the access point every 180/13 = 14 seconds is interrupted by 50ms for scanning the adjacent channel (10ms is also spent on switching to each side). The picture looks like this:
The operation of this algorithm can be checked directly on the access point using the command debug dot11 do0 trace print channel
Hyperlocation_2#debug dot11 do0 trace print channel Oct 4 10:09:37.909: CC0CDA4C-0 Channel 8 (2447) promiscuous 20MHz Oct 4 10:09:37.957: CC0D772F-0 Channel 11 (2462) 20MHz Oct 4 10:09:50.753: CCD0DEF8-0 Channel 9 (2452) promiscuous 20MHz Oct 4 10:09:50.801: CCD17BD3-0 Channel 11 (2462) 20MHz Oct 4 10:09:53.955: CD948399-0 Channel 10 (2457) promiscuous 20MHz Oct 4 10:09:53.999: CD951CFD-0 Channel 11 (2462) 20MHz Oct 4 10:10:06.763: CE57FEC4-0 Channel 11 (2462) promiscuous 20MHz Oct 4 10:10:06.811: CE589BA7-0 Channel 11 (2462) 20MHz From this conclusion, you can see that the scan frequency is about 13 seconds, which converges with the documentation. The use of Data RSSI in this mode would not be very effective (looking ahead to say that it is not used).
Off-Channel Scanning with FastLocate Enabled
If FastLocate is enabled on the wireless controller, Off-Channel Scanning starts to work a little differently.
Hyperlocation_2#debug dot11 do0 trace print channel Oct 4 10:05:40.887: BDEC139E-0 Channel 12 (2467) promiscuous 20MHz Oct 4 10:05:40.967: BDED365C-0 Channel 11 (2462) 20MHz Oct 4 10:05:43.691: BE16D8E7-0 Channel 13 (2472) promiscuous 20MHz Oct 4 10:05:43.771: BE17FBC2-0 Channel 11 (2462) 20MHz Oct 4 10:05:46.775: BE45D2A0-0 Channel 11 (2462) 20MHz Oct 4 10:05:46.983: BE4919C1-0 Channel 14 (2484) promiscuous listen_only 20MHz Oct 4 10:05:47.063: BE4A3D27-0 Channel 11 (2462) 20MHz Oct 4 10:05:49.795: BE7407C6-0 Channel 1 (2412) promiscuous 20MHz Oct 4 10:05:49.879: BE75291D-0 Channel 11 (2462) 20MHz The time intervals are reduced to three seconds. I did not find technical documentation on how Off-Channel Scanning works with activated FastLocate, but based on the above output, we can conclude that the scanning time is also about 50 ms (967-887 = 80 ms, it is 50-60 ms scan + 10 ms to switch between channels).
Obviously, a decrease in time intervals was made to improve the operation of the FastLocation mechanism.
Off-Channel Scanning dependence on wIPS operation mode
The access point can work with local or centralized wIPS (intrusion detection and prevention system), which is regulated by the setting on the access point. Testing Off-Channel Scanning in different wIPS operation modes, I didn’t see any differences.
FastLocate in Monitor Mode
Even before the advent of FastLocate technology, access points were able to work in Monitor mode AP. This mode was used for centralized intrusion detection system. When switching to this mode, both radio modules no longer serve clients and sequentially scan channels with a duration of 1.2 seconds.
This algorithm is confirmed by the output from the access point:
pod1-1140#debug dot11 do0 trace print channel *Oct 4 10:51:22.031: 1FB01CC6-0 Channel 12 (2467) promiscuous 20MHz *Oct 4 10:51:23.246: 1FC2A970-0 Channel 13 (2472) promiscuous 20MHz *Oct 4 10:51:24.458: 1FD5283F-0 Channel 14 (2484) promiscuous listen_only 20MHz *Oct 4 10:51:25.670: 1FE7A716-0 Channel 1 (2412) promiscuous 20MHz In the case of Monitor mode AP, the operation algorithm did not change when FastLocate was turned on / off.
FastLocate works only for connected clients.
When using the Monitor mode, there is a nuance: FastLocate works only for clients connected to the infrastructure, and when the access point is switched to Monitor mode, the point ceases to serve the clients. That is, it is assumed that the infrastructure will include other access points serving clients.
Access points in the Monitor mode are proposed to be placed in a ratio of 1: 5 to the usual access points.
FastLocate using the WSM add-on
This is the main mode of operation for FastLocate, which provides for installing 2: 5 aspect ratio modules into WSM access points (that is, at least 2: 5 access points must be modular, that is, the top ones).
WSM has its own work algorithm. The WSM module, unlike the radio in the monitoring mode, scans the channel not for 1.2 seconds, but for 250 ms. But he does not do this consistently, but in accordance with certain rules:
<L1, L1, L1, L1, L1, CA, L2> It will scan 5 slots of L1(serving channel of the APs) followed by a cleanAir slot (if enabled), followed by one slot of L2 (channels in the country/DCA list). If there are less than 5 channels in the L1 list, the same channels will be scanned repeatedly till the 5 L1 slots are filled up. It can be said that high priority is given to infrastructure channels (on which their access points operate), which is understandable, because FastLocation only works for connected clients and scanning adjacent channels is not so important.
What this algorithm looks like when outputting to an access point:
Sep 20 16:24:17.824: 2EC10B2D-2 Channel 1 (2412) promiscuous 20MHz Sep 20 16:24:17.903: 2EC24019-2 Channel 48 (5240) promiscuous 20MHz Sep 20 16:24:18.151: 2EC60A5D-2 Channel 6 (2437) promiscuous 20MHz Sep 20 16:24:18.383: 2EC99BD3-2 Channel 11 (2462) promiscuous 20MHz Sep 20 16:24:18.627: 2ECD54AC-2 Channel 1 (2412) promiscuous 20MHz Sep 20 16:24:18.895: 2ED16A1E-2 Channel 161 (5805) promiscuous 20MHz Sep 20 16:24:19.435: 2ED99B31-2 Channel 6 (2437) promiscuous 20MHz Sep 20 16:24:19.555: 2EDB7010-2 Channel 60 (5300) promiscuous 20MHz Sep 20 16:24:19.807: 2EDF53C5-2 Channel 48 (5240) promiscuous 20MHz Sep 20 16:24:20.046: 2EE2EF52-2 Channel 6 (2437) promiscuous 20MHz Sep 20 16:24:20.282: 2EE695CB-2 Channel 11 (2462) promiscuous 20MHz Sep 20 16:24:20.514: 2EEA16E6-2 Channel 1 (2412) promiscuous 20MHz Sep 20 16:24:21.010: 2EF1B48A-2 Channel 11 (2462) promiscuous 20MHz Sep 20 16:24:21.166: 2EF40C9B-2 Channel 161 (5805) promiscuous 20MHz Sep 20 16:24:21.454: 2EF86DA9-2 Channel 60 (5300) promiscuous 20MHz Sep 20 16:24:21.710: 2EFC5A8F-2 Channel 48 (5240) promiscuous 20MHz Sep 20 16:24:21.929: 2EFFBC42-2 Channel 6 (2437) promiscuous 20MHz Sep 20 16:24:22.161: 2F033F09-2 Channel 11 (2462) promiscuous 20MHz Sep 20 16:24:22.645: 2F0AA07D-2 Channel 36 (5180) promiscuous 20MHz Sep 20 16:24:22.785: 2F0CCDC0-2 Channel 1 (2412) promiscuous 20MHz Sep 20 16:24:23.061: 2F10F3CB-2 Channel 161 (5805) promiscuous 20MHz Sep 20 16:24:23.337: 2F1539E8-2 Channel 60 (5300) promiscuous 20MHz Sep 20 16:24:23.593: 2F192133-2 Channel 48 (5240) promiscuous 20MHz Sep 20 16:24:23.813: 2F1C798A-2 Channel 6 (2437) promiscuous 20MHz Sep 20 16:24:24.297: 2F23E056-2 Channel 48 (5240) promiscuous 20MHz Sep 20 16:24:24.433: 2F25EE6C-2 Channel 11 (2462) promiscuous 20MHz Sep 20 16:24:24.673: 2F299DFA-2 Channel 1 (2412) promiscuous 20MHz Sep 20 16:24:24.937: 2F2D9ABB-2 Channel 161 (5805) promiscuous 20MHz Sep 20 16:24:25.221: 2F31F49A-2 Channel 60 (5300) promiscuous 20MHz Sep 20 16:24:25.473: 2F35CF9A-2 Channel 48 (5240) promiscuous 20MHz Sep 20 16:24:25.977: 2F3D7AA1-2 Channel 40 (5200) promiscuous 20MHz Sep 20 16:24:26.097: 2F3F532D-2 Channel 6 (2437) promiscuous 20MHz Sep 20 16:24:26.329: 2F42D521-2 Channel 11 (2462) promiscuous 20MHz The scan interval is not as smooth as in other modes, and is within 50-250ms.
And indeed, non-infrastructure channels (in my case, these are channels 36, 40) were rarely managed, with a frequency of more than 3 seconds, which can also be seen in the logs.
Evaluation frequency measurement
When activating the FastLocation mode, the frequency of measurements directly depended on the client's activity. If the client (smartphone, phone, laptop) was in sleep mode, that is, the Wi-Fi adapter was not used actively, the frequency of measurements was comparable to the Probe RSSI method. If the device is actively used Wi-Fi adapter, the frequency of measurements has increased dramatically.
I did not test all possible Cisco FastLocation operation schemes, since there are so many factors that affect the frequency of measurements, both from the infrastructure and from the client, so the tests were conducted only in WSM mode.
Three types of devices were used: a smartphone, a tablet and a laptop. For all tested devices, the interval between measurements was comparable and was about 2-6 seconds with active use of the Wi-Fi adapter.
General conclusions
1. FastLocate (Data RSSI) compared to Probe RSSI in general for personal devices allows to significantly increase the frequency of measurements, especially when using a Wi-Fi module.
2. But if the client device is in sleep mode and does not use a Wi-Fi adapter, the measurement frequency drops to the standard with Probe RSSI.
3. It is very difficult to talk about a specific value of the frequency of measurements in the case of using Wi-Fi positioning for personal devices. There are many factors, from both the infrastructure and the client, affecting this characteristic. To obtain specific values, I believe, it is necessary to act by analogy with the radio survey, that is, to carry out field tests of the entire system and with the required client devices.
Source: https://habr.com/ru/post/311722/
All Articles