Archive for the ‘lwap’ tag
ONT Notes – WLAN Management
Elements of Cisco Unified Wireless Network
- Client devices – Cisco compatible extensions on WLAN clients
- Mobility platform – allows configuration of LWAPs through WLCs
- Network unification – integration into the rest of the network with WLCs doing RF management, IPS, etc.
- World-class network management – centralized management through WCS
- Unified advanced services – supports advanced technologies and threat detection
WLAN Implementation
Autonomous and LWAP
| Category | Autonomous | LWAP |
|---|---|---|
| Access Point | Autonomous APs | LWAPs |
| Control | Individual configurations | Configuration through WLCs |
| Dependency | Independent operations | Dependent on WLC |
| Management | CiscoWorks WLSE and WDS | WCS |
| Redundancy | Through APs | Through WLCs |
Wireless LAN Services Engine (WLSE)
- Part of CiscoWorks
- Manages autonomous APs
- Centralized configuration, firmware, and radio management
- Autoconfig of new APs
- Misconfiguration and rogue AP alerts
- Proactive monitoring of APs, bridges, and 802.1x servers
- Supports SSH, HTTP, CDP, SNMP for up to 2500 APs
- WLSE Express supports 100 devices in either automatic or manual setups
Wireless Control System (WCS)
- Supports 50 WLCs and 1500 APs
- Three versions
- Base – can determine with which APs a devices in associated
- Location – Base plus RF fingerprinting
- Location + 2700 Series Wireless Location Appliance – Tracks devices in real time and stores historical location data
ONT Notes – 802.1x and Encryption on LWAPs
- Traditional WLAN weaknesses
- SSID for security
- Vulnerable to rogue APs
- MAC filtering for security
- WEP
- WEP weaknesses
- Disribution of static keys is not scalable
- WEP keys can be cracked easily
- Vulnerable to dictionary attacks
- No protection against rogue APs
- Benefits of 802.1x
- Centralized authentication through Radius via AAA
- Mutual authentication between client and auth server
- Can use multiple encryption algorithms (AES, WPA, TKIP, WEP)
- Automatic dynamic WEP keys
- Roaming
- Requirements of 802.1x
- EAP-capable client (supplicant)
- 802.1x-capable AP (authenticator)
- EAP-capable auth server
| Feature | Cisco LEAP | EAP-FAST | EAP-TLS | PEAP-GTC | PEAP-MSCHAPv2 |
|---|---|---|---|---|---|
| User authentication DB | AD | AD, LDAP | OTP, LDAP, NDS, AD | OTP, LDAP, NDS, AD | AD |
| Requires server certs | No | No | Yes | Yes | Yes |
| Requires client certs | No | No | Yes | No | No |
| Single sign-on | Yes | Yes | Yes | No | Yes |
| Roaming | Yes | Yes | No | No | No |
| Works with WPA/WPA2 | Yes | Yes | Yes | Yes | Yes |
- WPA
- Features
- Authenticated key management – auths prior to key management
- Unicast and broadcast key management – keys are distributed and stored on the client and the AP
- TKIP and MIC
- Temporal Key Integrity Protocol (TKIP) – per-packet keying
- Message Integrity Checking (MIC) – integrity checking
- Initialization vector (IV) expansion – from 24 bits to 48 bits
- Shortcomings
- Relies on RC4
- Firmware support required in NICs, APs
- Susceptible to DoS attacks
- Dictionary attacks can discover PSKs
- Features
- WPA2
- Features
- 802.1x authentication or PSK
- Key distribution and renewal
- Proactive Key Caching (PKC) – allows roaming
- IDS for rogue APs and attacks
- Shortcomings
- Supplicant must have WPA2-compliance firmware
- AAA server must support EAP
- WPA2 uses more CPU, so a hardware upgrade may be required
- Older devices may not be upgradeable and must be replaced
- Features
| Mode | WPA | WPA2 |
|---|---|---|
| Enterprise | Auth: 802.1x/EAP Encryption: TKIP/MIC |
Auth: 802.1x/EAP Encryption: AES-CCMP |
| Personal |
Auth: PSK Encryption: TKIP/MIC |
Auth: PSK Encryption: AES-CCMP |
ONT Notes – QoS On Wireless Networks
- Wireless LANs (WLANs)
- Extensions to wired LANs
- Carrier sense multiple access collision avoidance (CSMA/CA) as media access method
- Uses distributed coordinated function (DCF) for collision avoidance
- DCF is based on RF carrier sense, inter-frame spacing (IFS), and random wait timers
- Wifi QoS standards
- 802.11e
- IEEE standard
- 0-7 priority levels
- Wifi Multimedia (WMM)
- Four access categories
- Platinum (voice) – 6 or 7 802.11e
- Gold (video) – 4 or 5 802.11e
- Silver (BE) – 0 or 3 802.11e
- Bronze (Background) – 1 or 2 802.11e
- Four access categories
- WMM and 802.11e replace DCF with EDCF
- 802.11e
- Cisco Split-MAC
- Splits functions between Lightweight access points (LWAPs) and WLAN controllers (WLCs)
- LWAPs handle real-time functions
- Beacon generation
- Probe transmission and response
- Power management
- 802.11e/WMM scheduling and queuing
- Packet buffering
- Encryption/decryption
- Control frame/message processing
- WLCs handle non-real-time functions
- Association/disassociation/reassociation
- 802.11e/WMM resource reservation
- 802.1x EAP
- Key management
- Authentication
- Fragmentation
- Ethernet-WLAN bridging
- End-to-end QoS
- Step 1: WLC copies DSCP from switch to outer DSCP and outer 802.1p and sends to LWAP over LWAPP tunnel
- Step 2: LWAP copies outer DSCP from WLC to 802.11e/WMM field and sent to client
- Step 3: LWAP copies 802.11e/WMM value from the client to outer DSCP and sends it to WLC
- Step 4: WLC copies outer DSCP from WLAP to 802.1p (CoS) fields and sends it to the switch
- Web interface (do you even need to know this?)
- Controller>QoS Profiles
- Per-User Bandwidth Contracts – set avg data rate, burst data rate, avg real-time rate, and burst real-time rate
- Over the Air QoS
- Maximum RF usage per AP (%)
- Queue Depth – queue size before dropping packets
- Wired QoS Protocol – 802.1p or None
- Controller>WLANs>Edit
- For each WLAN ID, set the QoS value: plat, gold, silver, bronze
- WMM Policy
- Disabled – 802.11e/WMM QoS requests are ignored
- Allowed – 802.11e/WMM QoS requests are sent
- Required – 802.11e/WMM QoS requests are required
- Controller>QoS Profiles