1 © 2000, Cisco Systems, Inc. Wireless LAN Roadmap: Performance and Hardware Features 1
Cisco Aironet 340 Series Wireless LAN Solution PC Card/PCI Client Adapters Access Points Line-of-Sight Bridge Products Antennas & Accessories The Cisco Aironet 340 Series of b compliant high speed wireless solutions offers the best performance, manageability, scalability and security for both in-building and building to building wireless applications Editors’ Choice: Wireless LANs (PC Magazine, March 20000) ”Cisco Aironet Beats Rivals--With Ease” (Network Computing, Editors’ Choice July 2000)
WLAN Vision: Client Options Workgroup Bridges –Plug and play wireless for single or multiple clients USB –Easy to install NIC alternative Multi-function and embedded client devices –In partnership with Xircom Client Drivers/Services –Macintosh/Linux drivers –Automated country radio localization –Improved diagnostics tools
WLAN Vision: Performance IEEE a/b Ratified Radio Network Speed Mbps Superset 5 GHz 6-54 Mbps.11a Std 22 Mbps.11b Ext. 900 MHz 11Mbps 2.4 GHz b Standard Small, Medium and Large Enterprises High power and performance Telecommuter Cost and Manageability 2002
WLAN Vision: Infrastructure Options W/C Cisco Access Point 925 In-line pwr capable switch Office applications –Simplify and reduce installations costs In-line power Warehouse (extreme applications) –Extended temperature
Telecommuter Base Station compliant Fully managed Simplified configuration Embedded Modem and Ethernet Designed for the WLAN Telecommuter
7 © 2000, Cisco Systems, Inc. Wireless LANs Services Directions 7
Cisco’s Services Vision Security –Centralized device authentication –Future flexible user authentication services Management –Enhanced auto-configuration and enforcement for client/infrastructure Policy –Enhanced PCF services for enterprise quality QoS Mobility –Scale L2/L3 roaming services Cisco Access Point 925
Security Services Current capabilities –No Encryption –40-Bit Encryption –128-Bit Encryption –Hardware based encryption Negligible performance impact (<3%) –Mac-based exclusion filtering Encryption Choices (defined at Access Point) –No Encryption –Allow client to specify (optional) –Forced (Required)
Security Directions Summary Utilize HW-based encryption –Best price/performance –Minimizes impact on client and network 1st phase (Committed): Device authentication –Cell phone security analogy –Supports all client device types 2nd phase: User authentication (in development) –Universal user authentication through 802.1x Extensible Authentication Protocols (EAP)
Security Directions Summary (cont.) Centralized Authentication –Phase1: Enhanced RADIUS servers CiscoSecure Authentication Server Directory services integration through LDAP/X.500 –Phase 2: EAP support Kerberos & PKI support Dynamic Key Generation/Distribution –Unique 128 bit key per user per session –Roaming Pre-authentication
Centralized User-Based Authentication Authenticator (e.g. Access Point, Catalyst Switch) Supplicant Semi-Public Network / Enterprise Edge Authentication Server such as ACS2000 v2.6 RADIUSRADIUS EAP Over Wireless/LAN (EAPOW/EAPOL) EAP Over RADIUS Extended Enterprise (Branch Office, Home, etc.) Enterprise Intranet
Dynamic WEP Key Management EAPOL-Start EAP-Request/Identity EAP-Response/Identity EAP-Request Radius-Access-Request Radius-Access-Challenge EAP-Response (credential) Radius-Access-Request EAP-Success Access blocked Radius-Access-Accept RADIUS EAPOW Associate Access allowed EAPW-Key (WEP) Laptop computer RADIUSRADIUS Fast Ethernet
Services in Development Rogue AP detection requirement –Only IT installed/configured devices deliver infrastructure access –Authenticated clients learn trusted APs in area –Untrusted APs are detected, reported and, if possible, isolated and shut down Investigating best way to control non-Cisco APs AP Authentication
Wireless QoS Vision SpectraLink Voice Prioritization (SVP) –Prioritizes IP voice traffic in AP queue –User configurable beacon period helps determine voice quality Committed Services
Wireless QoS Vision (cont.) Extend existing QoS services –Utilize and enhance Point Coordination Function (PCF) Standards-based Backwards compatibility, investment protection Time-to-market Integration with existing IETF & IEEE standards Integrated Services over Specific Link Layers (ISSLL) 802.1(p) priorities Services in Process
Proposal for Enhanced Wireless QoS Better to approach it as an integrated system Address queue management in the infrastructure devices –Contention-free period can only be sustained if the queues on the access point or stations are adequately managed Address medium access limitations to ensure access –Chicken-egg problem; polling to manage medium access – potential contention to get on polling list Address unlicensed band regulations –Some regulatory domains do not allow constant occupancy by one device Maximize investment protection –While also acknowledging that some legacy devices may require an enhanced DCF Systems always spend some time in the DCF
Wireless QoS Summary Simple but efficient –Easy to implement –Good support for legacy stations –Inline with what is standardized by other workgroups and standardization bodies Simulations will prove concept Some ‘loose-ends’ need to be worked out
Additional Network Services: Load Balancing AP’s configured for load sharing use different RF channels in coverage area Policy based on number of users, bit error rate, or signal strength Channel 1 Channel 6
Additional Network Services: Hot Standby AP’s co-located for hot standby use SAME RF channel in coverage area Standby AP acts as probe for monitoring and management ActiveStandby Channel X
Summary: Vision for Mobile Connectivity Channels Products Solutions Partners Offer key services to accommodate wireless data, voice and video that is: –Secure –Manageable –Scalable –Delivers improved Price/Performance Preserve customers investment in existing WLAN infrastructure Partner to enhance wireless hardware and software solutions for customers
Additional Committed Services: L3 Roaming Currently support fast subnet roaming through Inter Access Point Protocol (IAPP) L3 client upgrade into Access Point Supports DHCP and static addresses, does not interrupt real time voice or messaging applications Enterprise Intranet L2 Roaming Services X Y L2 Roaming Services X Y L3 Roaming Services Proxy Client X Proxy Client X L3 Roaming Services Proxy Client X Proxy Client X
802.1X Security Architecture Controlled port: Data traffic Open port: Authentication traffic User Client/Supplicant Authentication Server Authentication Client/Control Point Pieces of the system.
EAP Architecture EAPLayer MethodLayer EAPEAP TLSTLS MediaLayer NDISAPIs EAPAPIs PPP IKEIKEGSS_APIGSS_API
802.1X Security Services SupplicantAuthentication ServerAuthentication client/control point Cisco/ Microsoft Cisco/ Microsoft, etc. Cisco Device Mini-certificate (MD5/PAP-CHAP) Future supplicant for Win2K/WinCE 3.0 (User authentication options) Radius server available from Cisco Future enhanced servers available from others Non-IP communications until device authenticated
Authentication Process Normal Data Authentication traffic Wireless laptopRadius ServerAccess Point Authentication traffic Radius traffic Wireless client assoc. at layer. Data blocked by AP. Access Point blocks everything except authentication traffic. The authentication traffic is allowed to flow. The Access point relays authentication traffic.
Authentication Process cont. Normal Data Authentication traffic Wireless laptopRadius ServerAccess Point Radius traffic Wireless client mutually authenticates with Radius Server Client receives grant WEP key. Client stack is initiated. DHCP request and subsequent traffic is encrypted with session key Authentication traffic Radius server authenticates client and creates a WEP key. AP receives grant and key. Key is installed in data base and normal data is forwarded to client
Authentication Process cont. Normal Data Authentication traffic Wireless laptopAccess Point trafficIP traffic Wireless client and AP use WEP key. AP allows traffic to flow. AP pre-authenticates client for intra subnet roaming Secure traffic. No performance impact Enterprise Intranet
Future User Authentication for non- EAP/802.1x Clients Options under consideration –Device level authentication w/passwords Create APIs to pass username and password to LEAP For generic support, statically assign username and password into card. –This becomes device security.
Pre-Authentication for Roaming APs multicast keys of authenticated clients as part of Inter Access Point Protocol (IAPP) Pre-authentication m-casts encrypted APs cache pre-authenticated clients (1000s of entries).
Pre-Authentication and Roaming Roam from AP1 to AP2 AP2 AP1 Disassociation Pre- auth When roam occurs, AP1 sends a disassociation notice. AP2 associates client, cached key and retrieves queued data from AP1.