Wednesday, February 24, 2010

Cisco Wireless Network Components

This section is mainly concerned with Cisco products and is quite marketing oriented. Cisco supports two types of wireless solutions: one using autonomous access points, and one using lightweight (or “dumb”) access points in combination with WLAN controllers. The wired network infrastructure is the same for both types: switches and routers.


Cisco Unified Wireless Network

The Cisco Unified Wireless Network concept has five components that work together to create a complete network, from client devices to network infrastructure, to network applications. Cisco has equipment appropriate to each component. Table 6-1 lists components and equipment.


Cisco has a wireless NIC that can be installed on Windows 2000 and Windows XP systems. It comes with some utilities: Aironet Desktop Utility (ADU), Aironet Client Monitor (ACM), and Aironet Client Administration Utility (ACAU). Cisco recommends using the ADU and ACM utilities to control your wireless card, rather than the built-in Windows controls, to get the increased functionality Cisco provides. The Cisco ACAU allows loading and configuration of the Cisco client software over the network, using encrypted files. There is also an Aironet Site Survey Utility to scan for APs and get information about them.

Cisco wireless IP phones have the same features as Cisco wired IP phones and can use LEAP for authentication.

The Cisco Compatible Extensions Program tests other vendors’ devices for compatibility with Cisco wireless products. Using products certified by this program ensures full functionality of Cisco enhancements and proprietary extensions. A list of these products can be found at www.cisco.com/go/ciscocompatible/wireless.


Autonomous APs

Autonomous APs run Cisco IOS, are programmed individually, and act independently. They can be centrally managed with the CiscoWorks Wireless LAN Solution Engine (WLSE) and can use Cisco Secure Access Control Server (ACS) for RADIUS and TACACS+ authentication. Redundancy consists of multiple APs.


Lightweight Access Points

Lightweight APs divide the 802.11 processing between the AP and a Cisco Wireless LAN Controller (WLC). This is sometimes called “split MAC,” because the functions of the MAC layer (Layer 2) are split between the two devices. Their management components also include the Wireless Control System (WCS) and a location-tracking appliance. Redundancy consists of multiple WLCs. The AP handles the real-time processes (beacons, probe responses, acknowledgements, and encryption of the 802.11 link), and the WLC handles processes such as:
  • Authentication
  • Client association/mobility management
  • Security management
  • QoS policies
  • VLAN tagging
  • Forwarding of user traffic

The Lightweight Access Point Protocol (LWAPP) supports the split MAC function in traffic between a lightweight AP and its controller. LWAPP uses AES-encrypted control messages and encapsulates, but does not encrypt, data traffic; client data on the AP-to-controller path is therefore protected only by whatever the wired network itself provides. LWAPP operates at Layer 2, and also at Layer 3 over UDP. (However, Layer 2 operation has been deprecated by Cisco.) The controller can be either in the same broadcast domain and IP subnet or, for Layer 3 operation, in a different broadcast domain and IP subnet. Cisco has since replaced LWAPP on its controllers with the IETF-standardized CAPWAP (RFC 5415), which keeps the same discovery and join model described here. The AP follows this process to discover its controller:

Step 1. The AP requests a DHCP address. The DHCP response carries the management IP address of one or more WLCs in DHCP option 43 (vendor-specific information).

Step 2. The AP sends an LWAPP Discovery Request message to each WLC.

Step 3. The WLCs respond with an LWAPP Discovery Response that includes the number of APs currently associated to it.

Step 4. The AP sends a Join Request to the WLC with the fewest APs associated to it.

Step 5. The WLC responds with a Join Response message; the AP and the controller mutually authenticate each other using their X.509 certificates and derive the encryption keys used for subsequent control messages. The WLC then configures the AP with settings such as SSIDs, channels, security settings, and 802.11 parameters.
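The five steps above, as an added example that is not from the original page or from Cisco: a parser for the option 43 controller list (the type 0xf1 sub-option layout is the one Cisco documents for its lightweight APs) feeding a small simulation of the discovery/join exchange in which the AP picks the least-loaded controller and falls back to the next one if it is refused. The `Controller` class, the sample option 43 bytes, and the MAC addresses are constructed for illustration; the certificate handshake of step 5 is represented only by a comment.

```python
import ipaddress
from dataclasses import dataclass, field

# Cisco documents DHCP option 43 for its lightweight APs as a vendor-specific
# sub-option of type 0xf1 whose length is 4 * (number of controllers), followed
# by the controllers' management IPv4 addresses in order.
LWAPP_SUBOPTION = 0xF1


def parse_option43(raw: bytes) -> list[str]:
    """Walk the option 43 TLVs and return the WLC management addresses."""
    wlcs, i = [], 0
    while i + 2 <= len(raw):
        sub_type, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option 43 sub-option")
        if sub_type == LWAPP_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("controller list must be a multiple of 4 bytes")
            wlcs.extend(str(ipaddress.IPv4Address(value[o:o + 4]))
                        for o in range(0, length, 4))
        i += 2 + length
    return wlcs


@dataclass
class Controller:
    """Constructed stand-in for a WLC: it only tracks which APs have joined."""
    mgmt_ip: str
    max_aps: int
    joined: set = field(default_factory=set)

    def on_discovery_request(self) -> dict:
        # Step 3: the response advertises current load so the AP can choose.
        return {"wlc": self.mgmt_ip, "ap_count": len(self.joined)}

    def on_join_request(self, ap_mac: str) -> dict:
        # Step 5, simplified: accept unless at capacity. The real exchange also
        # performs certificate-based mutual authentication and key derivation.
        if len(self.joined) >= self.max_aps:
            return {"status": "rejected", "wlc": self.mgmt_ip}
        self.joined.add(ap_mac)
        return {"status": "joined", "wlc": self.mgmt_ip}


def ap_discover_and_join(ap_mac: str, option43: bytes,
                         controllers: dict[str, Controller]) -> dict:
    """Run steps 1 to 5 from the AP's point of view and return the join result."""
    # Step 1: candidate controllers come from the DHCP lease's option 43.
    candidates = [ip for ip in parse_option43(option43) if ip in controllers]
    # Steps 2 and 3: send a discovery request to each, collect the responses.
    responses = [controllers[ip].on_discovery_request() for ip in candidates]
    if not responses:
        return {"status": "no-controller"}
    # Step 4: join the WLC reporting the fewest associated APs; if it refuses,
    # try the remaining controllers in order of load.
    result = None
    for r in sorted(responses, key=lambda r: r["ap_count"]):
        result = controllers[r["wlc"]].on_join_request(ap_mac)
        if result["status"] == "joined":
            break
    return result


# Constructed sample: option 43 naming two controllers, one of them busier.
SAMPLE_OPTION43 = bytes.fromhex("f108" "c0a80105" "c0a80106")
SAMPLE_WLCS = {
    "192.168.1.5": Controller("192.168.1.5", max_aps=6,
                              joined={"ap-1", "ap-2", "ap-3"}),
    "192.168.1.6": Controller("192.168.1.6", max_aps=6),
}

if __name__ == "__main__":
    print(parse_option43(SAMPLE_OPTION43))          # ['192.168.1.5', '192.168.1.6']
    print(ap_discover_and_join("00:1a:2b:3c:4d:5e", SAMPLE_OPTION43, SAMPLE_WLCS))
```

The parser deliberately rejects a sub-option whose declared length runs past the end of the data or is not a multiple of four, which is the kind of malformed lease an AP should ignore rather than parse loosely.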

The Cisco Aironet 2000 series WLC can handle up to six APs; thus, it is sized for small- to medium-sized operations.

The Cisco Aironet 4400 series WLC supports medium to large facilities with the 4402 handling up to 50 APs, and the 4404 handling up to 100 APs.

Tuesday, February 9, 2010

WLAN Standards

WLANs use three unlicensed frequency bands: 900 MHz, 2.4 GHz, and 5 GHz. The 900 MHz and 2.4 GHz bands are Industrial, Scientific, and Medical (ISM) bands; most of the 5 GHz spectrum that 802.11a uses is the separate U-NII allocation, with only its upper portion inside an ISM band. Higher frequency bands allow greater bandwidth, but have smaller transmission ranges. Within all bands, the data rate decreases as the client moves away from the AP.


802.11b Standard

802.11b is a widely adopted standard that operates in the 2.4 GHz range and uses Direct Sequence Spread Spectrum (DSSS). It has four data rates: 1, 2, 5.5, and 11 Mbps. 802.11b provides from 11–14 channels, depending on country standards, but only three channels have nonoverlapping frequencies: 1, 6, and 11. Cisco recommends a maximum of 25 users per cell; expect an actual peak throughput of about 6.8 Mbps.


802.11a Standard

802.11a operates in the 5 GHz range and uses Orthogonal Frequency-Division Multiplexing (OFDM). It has eight data rates: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. 802.11a provides from 12–23 nonoverlapping channels, depending on country regulations. Portions of the 5 GHz range are allocated to radar, so 802.11a uses Dynamic Frequency Selection (DFS) to check for radar signals and choose a different channel if it detects them. It also uses Transmit Power Control (TPC) to adjust client power, so that clients use only enough to stay in contact with the AP. DFS and TPC are part of the 802.11h specification. Cisco recommends a maximum of 15 users per cell; expect an actual peak throughput of about 32 Mbps.


802.11g Standard

802.11g operates in the same 2.4 GHz range as 802.11b and uses the same three nonoverlapping channels: 1, 6, and 11. It can provide higher data rates. 802.11g uses DSSS to provide 1, 2, 5.5, and 11 Mbps, which makes it backward compatible with 802.11b, and it uses OFDM to provide 6, 9, 12, 18, 24, 36, 48, and 54 Mbps, as does 802.11a.

802.11b/g access points can register both 802.11b and 802.11g clients. Because 802.11b clients do not understand OFDM messages, when 802.11b clients register, the AP implements an RTS/CTS protection mechanism against collisions. When a client wants to talk, it sends an RTS message. The AP must answer with a CTS message before the client is allowed to transmit. This creates overhead for the AP and causes a drop in overall throughput for all clients. Cisco recommends a maximum of 20 users per cell; expect an actual peak throughput of about 32 Mbps.
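Why the 2.4 GHz band yields exactly three nonoverlapping channels while every 5 GHz channel is nonoverlapping, worked as an added example (not from the original page): the channel center-frequency formulas are the IEEE 802.11 ones, the channel widths are the nominal DSSS (22 MHz) and OFDM (20 MHz) occupied bandwidths, and the channel lists are constructed from the US and ETSI 2.4 GHz allocations plus the original twelve US 802.11a channels. The greedy selection also shows that an OFDM-only 802.11g deployment on the 13 ETSI channels can use 1, 5, 9, 13, which the text's 802.11b-compatible figure of three does not cover.

```python
# Center frequencies in MHz per IEEE 802.11: 2.4 GHz channels 1-13 are
# 2407 + 5*n (channel 14 is 2484); 5 GHz channels are 5000 + 5*n.
def center_mhz(band: str, channel: int) -> int:
    if band == "2.4GHz":
        if channel == 14:
            return 2484
        if 1 <= channel <= 13:
            return 2407 + 5 * channel
    elif band == "5GHz":
        if 36 <= channel <= 165:          # numbering range only; regulatory validity not checked
            return 5000 + 5 * channel
    raise ValueError(f"no channel {channel} in {band}")


# Nominal occupied bandwidth: DSSS (802.11b) 22 MHz, OFDM (802.11a/g) 20 MHz.
WIDTH_MHZ = {"DSSS": 22, "OFDM": 20}


def overlaps(band: str, ch_a: int, ch_b: int, phy: str = "DSSS") -> bool:
    """Two channels overlap when their centers are closer than one channel width."""
    return abs(center_mhz(band, ch_a) - center_mhz(band, ch_b)) < WIDTH_MHZ[phy]


def nonoverlapping(band: str, channels, phy: str = "DSSS") -> list[int]:
    """Lowest-first greedy choice of a maximal set of mutually nonoverlapping channels.
    With equal-width channels sorted by frequency the greedy pick is optimal."""
    chosen = []
    for ch in sorted(channels):
        if not chosen or not overlaps(band, chosen[-1], ch, phy):
            chosen.append(ch)
    return chosen


# Constructed channel sets used for illustration.
US_24GHZ = range(1, 12)      # channels 1-11
ETSI_24GHZ = range(1, 14)    # channels 1-13
US_5GHZ_ORIGINAL = [36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161]

if __name__ == "__main__":
    print(nonoverlapping("2.4GHz", US_24GHZ))                      # [1, 6, 11]
    print(nonoverlapping("2.4GHz", ETSI_24GHZ))                    # [1, 6, 11]
    print(nonoverlapping("2.4GHz", ETSI_24GHZ, "OFDM"))            # [1, 5, 9, 13]
    print(len(nonoverlapping("5GHz", US_5GHZ_ORIGINAL, "OFDM")))   # 12
```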


Wireless Security

Wireless security methods, listed from weakest to strongest, include:
  • Wired Equivalent Privacy (WEP)—It uses static keys, weak authentication, and is not scalable.
  • 802.1x Extensible Authentication Protocol (EAP)—Uses RADIUS for authentication, dynamic keys, and stronger encryption. Cisco supports it via Lightweight EAP (LEAP) and Protected EAP (PEAP). Note that LEAP's MS-CHAP-style challenge/response can be subjected to an offline dictionary attack from a captured exchange (publicly known since 2003), so Cisco itself recommends EAP-FAST or PEAP in its place.
  • Wi-Fi Protected Access (WPA)—This is a Wi-Fi Alliance standard. Uses Temporal Key Integrity Protocol (TKIP) for encryption, dynamic keys, and 802.1x user authentication. Cisco supports it via Lightweight EAP (LEAP), Protected EAP (PEAP), and Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST).
  • WPA2—The Wi-Fi Alliance’s implementation of the 802.11i standard, which specifies the Advanced Encryption Standard (AES) in CCMP mode for data encryption and uses 802.1x authentication methods. Can also use TKIP encryption, for backward compatibility with WPA clients.

WPA/WPA2 Authentication

When a host wanting WLAN access needs to be authenticated in a network using WPA or WPA2, the following steps occur:

Step 1. An 802.1x/EAP supplicant on the host contacts the AP (or WLAN controller, if it is a lightweight AP) using 802.1x.

Step 2. The AP or WLAN controller uses RADIUS to contact the AAA server and attempts to authenticate the user.

Step 3. If the authentication succeeds, the AAA server hands the resulting Pairwise Master Key (PMK) to the AP or WLAN controller, the AP and the client derive per-session keys from it in the 802.11i 4-way handshake, and from then on all traffic between the client and the AP is encrypted.
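The key-derivation part of the exchange above, as an added example that is not from the original page or from Cisco: the 802.11i PRF that turns the PMK plus both parties' addresses and nonces into the PTK, the split of the PTK into the confirmation, encryption and temporal keys, the EAPOL-Key MIC that lets the AP check the client holds the same PMK, and a two-message simulation that succeeds when both sides agree on the PMK and fails when they do not. With 802.1x/EAP the PMK arrives from the RADIUS server; the `wpa_psk_pmk` function is the WPA/WPA2-Personal substitute (PBKDF2 over the passphrase and SSID) and is used here only so the run is reproducible against the IEEE 802.11i Annex H "password"/"IEEE" test vector. MAC addresses, nonces and the minimal EAPOL-Key frame layout are constructed for the example.

```python
import hashlib
import hmac

# EAPOL-Key frame offsets: 4 EAPOL header + 1 descriptor type + 2 key info
# + 2 key length + 8 replay counter, then the 32-byte nonce; the 16-byte MIC
# follows the 16-byte IV, 8-byte RSC and 8-byte ID that come after the nonce.
NONCE_OFFSET = 17
MIC_OFFSET = 81


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal only: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).
    Under 802.1x/EAP the PMK comes out of the EAP method instead and the AAA
    server delivers it to the AP/WLC, so this function is never involved."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               cipher: str = "CCMP") -> dict:
    """PTK = PRF(PMK, "Pairwise key expansion", min/max of the addresses and nonces).
    Both sides compute the same PTK locally; only the nonces cross the air."""
    nbits = 384 if cipher == "CCMP" else 512        # TKIP needs 512 bits (extra MIC keys)
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, nbits)
    return {"KCK": ptk[:16],        # key confirmation key: MICs the handshake frames
            "KEK": ptk[16:32],      # key encryption key: wraps the group key (GTK)
            "TK": ptk[32:]}         # temporal key: encrypts the client's data frames


def eapol_key_mic(kck: bytes, frame: bytes, version: int) -> bytes:
    """MIC over the whole EAPOL-Key frame with its 16-byte MIC field zeroed:
    HMAC-MD5 for key descriptor version 1 (WPA/TKIP), HMAC-SHA1-128 for version 2 (WPA2/CCMP)."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def four_way_handshake(sup_pmk: bytes, auth_pmk: bytes, aa: bytes, spa: bytes,
                       anonce: bytes, snonce: bytes) -> bool:
    """Messages 1 and 2 of the handshake. True when the AP's MIC check passes,
    i.e. both sides hold the same PMK and now share a temporal key."""
    # M1 (AP -> client) carries ANonce; the client can now derive its PTK.
    sup = derive_ptk(sup_pmk, aa, spa, anonce, snonce)
    # M2 (client -> AP) carries SNonce plus a MIC computed under the client's KCK.
    m2 = bytearray(99)                             # minimal RSN EAPOL-Key frame, empty key data
    m2[0], m2[1], m2[4] = 0x02, 0x03, 0x02         # EAPOL v2, EAPOL-Key, RSN descriptor
    m2[2:4] = (95).to_bytes(2, "big")              # body length
    m2[NONCE_OFFSET:NONCE_OFFSET + 32] = snonce
    m2[MIC_OFFSET:MIC_OFFSET + 16] = eapol_key_mic(sup["KCK"], bytes(m2), 2)
    # The AP derives its own PTK from the received SNonce and verifies the MIC.
    recv_snonce = bytes(m2[NONCE_OFFSET:NONCE_OFFSET + 32])
    auth = derive_ptk(auth_pmk, aa, spa, anonce, recv_snonce)
    expected = eapol_key_mic(auth["KCK"], bytes(m2), 2)
    mic_ok = hmac.compare_digest(expected, bytes(m2[MIC_OFFSET:MIC_OFFSET + 16]))
    return mic_ok and auth["TK"] == sup["TK"]


# Constructed sample values so the run is reproducible.
AA = bytes.fromhex("001a2b3c4d5e")      # AP / authenticator address
SPA = bytes.fromhex("00aabbccddee")     # client / supplicant address
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = wpa_psk_pmk("password", "IEEE")                           # 802.11i Annex H vector
    print(pmk.hex())
    print(four_way_handshake(pmk, pmk, AA, SPA, ANONCE, SNONCE))                          # True
    print(four_way_handshake(pmk, wpa_psk_pmk("wrong", "IEEE"), AA, SPA, ANONCE, SNONCE))  # False
```

The MIC on message 2 is what makes step 3 meaningful: an AP that accepted the client on RADIUS success alone, without this proof of PMK possession, would have no assurance it is talking to the station the AAA server authenticated. The `min`/`max` ordering in `derive_ptk` is why the AP and client reach the same PTK regardless of which address or nonce each considers "its own".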