Aaron's Worthless Words

Elements of Cisco Unified Wireless Network

• Client devices – Cisco compatible extensions on WLAN clients
• Mobility platform – allows configuration of LWAPs through WLCs
• Network unification – integration into the rest of the network with WLCs doing RF management, IPS, etc.
• World-class network management – centralized management through WCS
• Unified advanced services – supports advanced technologies and threat detection

WLAN Implementation

Autonomous and LWAP

Wireless LAN Services Engine (WLSE)

• Part of CiscoWorks
• Manages autonomous APs
• Centralized configuration, firmware, and radio management
• Autoconfig of new APs
• Misconfiguration and rogue AP alerts
• Proactive monitoring of APs, bridges, and 802.1x servers
• Supports SSH, HTTP, CDP, SNMP for up to 2500 APs
• WLSE Express supports 100 devices in either automatic or manual setups

Wireless Control System (WCS)

• Supports 50 WLCs and 1500 APs
• Three versions
  • Base – can determine with which APs a devices in associated
  • Location – Base plus RF fingerprinting
  • Location + 2700 Series Wireless Location Appliance – Tracks devices in real time and stores historical location data

• Traditional WLAN weaknesses
  • SSID for security
  • Vulnerable to rogue APs
  • MAC filtering for security
  • WEP
• WEP weaknesses
  • Disribution of static keys is not scalable
  • WEP keys can be cracked easily
  • Vulnerable to dictionary attacks
  • No protection against rogue APs
• Benefits of 802.1x
  • Centralized authentication through Radius via AAA
  • Mutual authentication between client and auth server
  • Can use multiple encryption algorithms (AES, WPA, TKIP, WEP)
  • Automatic dynamic WEP keys
  • Roaming
• Requirements of 802.1x
  • EAP-capable client (supplicant)
  • 802.1x-capable AP (authenticator)
  • EAP-capable auth server

• WPA
  • Features
    • Authenticated key management – auths prior to key management
    • Unicast and broadcast key management – keys are distributed and stored on the client and the AP
    • TKIP and MIC
      • Temporal Key Integrity Protocol (TKIP) – per-packet keying
      • Message Integrity Checking (MIC) – integrity checking
    • Initialization vector (IV) expansion – from 24 bits to 48 bits
  • Shortcomings
    • Relies on RC4
    • Firmware support required in NICs, APs
    • Susceptible to DoS attacks
    • Dictionary attacks can discover PSKs
• WPA2
  • Features
    • 802.1x authentication or PSK
    • Key distribution and renewal
    • Proactive Key Caching (PKC) – allows roaming
    • IDS for rogue APs and attacks
  • Shortcomings
    • Supplicant must have WPA2-compliance firmware
    • AAA server must support EAP
    • WPA2 uses more CPU, so a hardware upgrade may be required
    • Older devices may not be upgradeable and must be replaced

• Wireless LANs (WLANs)
  • Extensions to wired LANs
  • Carrier sense multiple access collision avoidance (CSMA/CA) as media access method
  • Uses distributed coordinated function (DCF) for collision avoidance
  • DCF is based on RF carrier sense, inter-frame spacing (IFS), and random wait timers
• Wifi QoS standards
  • 802.11e
    • IEEE standard
    • 0-7 priority levels
  • Wifi Multimedia (WMM)
    • Four access categories
      • Platinum (voice) – 6 or 7 802.11e
      • Gold (video) – 4 or 5 802.11e
      • Silver (BE) – 0 or 3 802.11e
      • Bronze (Background) – 1 or 2 802.11e
  • WMM and 802.11e replace DCF with EDCF
• Cisco Split-MAC
  • Splits functions between Lightweight access points (LWAPs) and WLAN controllers (WLCs)
  • LWAPs handle real-time functions
    • Beacon generation
    • Probe transmission and response
    • Power management
    • 802.11e/WMM scheduling and queuing
    • Packet buffering
    • Encryption/decryption
    • Control frame/message processing
  • WLCs handle non-real-time functions
    • Association/disassociation/reassociation
    • 802.11e/WMM resource reservation
    • 802.1x EAP
    • Key management
    • Authentication
    • Fragmentation
    • Ethernet-WLAN bridging
• End-to-end QoS
  • Step 1:  WLC copies DSCP from switch to outer DSCP and outer 802.1p and sends to LWAP over LWAPP tunnel
  • Step 2:  LWAP copies outer DSCP from WLC to 802.11e/WMM field and sent to client
  • Step 3:  LWAP copies 802.11e/WMM value from the client to outer DSCP and sends it to WLC
  • Step 4:  WLC copies outer DSCP from WLAP to 802.1p (CoS) fields and sends it to the switch
• Web interface (do you even need to know this?)
  • Controller>QoS Profiles
    • Per-User Bandwidth Contracts – set avg data rate, burst data rate, avg real-time rate, and burst real-time rate
    • Over the Air QoS
      • Maximum RF usage per AP (%)
      • Queue Depth – queue size before dropping packets
      • Wired QoS Protocol – 802.1p or None
  • Controller>WLANs>Edit
    • For each WLAN ID, set the QoS value:  plat, gold, silver, bronze
    • WMM Policy
      • Disabled – 802.11e/WMM QoS requests are ignored
      • Allowed – 802.11e/WMM QoS requests are sent
      • Required – 802.11e/WMM QoS requests are required