Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) Module 6: Implement Wireless Scalability.

Similar presentations


Presentation on theme: "© 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) Module 6: Implement Wireless Scalability."— Presentation transcript:

1 © 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) Module 6: Implement Wireless Scalability

2 © 2006 Cisco Systems, Inc. All rights reserved. Module 6: Implement Wireless Scalability Lesson 6.1: Implementing WLAN QoS

3 © 2006 Cisco Systems, Inc. All rights reserved. Objectives  Describe why WLANs need to support QoS policies in enterprise networks.  Explain the issues with implementing QoS in a WLAN.  Describe the technologies used to support QoS in the WLAN.  Describe the configuration parameters available in the Cisco Wireless Control System (WCS) to support QoS in the WLAN.

4 © 2006 Cisco Systems, Inc. All rights reserved. The Need for QoS in Wireless LANs  WLANs use collision avoidance rather than collision detection, which is used by Ethernet LANs.  Wired LANs use DSCP or 802.1p to provide QoS. These do not work in a WLAN.  802.11e is an extension of 802.11 that provides more consistent, quality RF transmission for voice and video.

5 © 2006 Cisco Systems, Inc. All rights reserved. WLAN QoS Queuing Overview

6 © 2006 Cisco Systems, Inc. All rights reserved. WLAN QoS RF Backoff Timing

7 © 2006 Cisco Systems, Inc. All rights reserved. Lightweight Access Point—Split MAC Architecture

8 © 2006 Cisco Systems, Inc. All rights reserved. QoS WLAN Deployment Challenges  Facts: Wireless RF (802.11e or WMM) uses Layer 2 marking. End-to-end QoS uses Layer 3 DSCP packet marking. Traffic destined for access points does not contain 802.1p QoS tag information because the access points connect to Cisco Catalyst switches via access ports rather than trunks.  Consequence: Layer 2 marking and QoS information is lost in end-to-end transit.  The Challenge: The goal is to use the Layer 3 DSCP information to preserve end-to-end QoS in the absence of Layer 2 QoS information.

9 © 2006 Cisco Systems, Inc. All rights reserved. Overcoming the Challenge  WLAN data is tunneled between the access point and WLAN controller via LWAPP.  QoS settings of the encapsulated data packet are mapped to the Layer 2 (802.1p) and Layer 3 (IP DSCP) fields of the outer tunnel packet.

10 © 2006 Cisco Systems, Inc. All rights reserved. QoS Implementation Overview LWAPP Tunnels Si 1 2 3 4

11 © 2006 Cisco Systems, Inc. All rights reserved. WLAN QoS Implementation Step 1: Ethernet Switch to Controller and Into the LWAPP Tunnel Create the outer header of the LWAPP packet with a copy of the DSCP value of the incoming packet, and a translation of the DSCP value into a 802.1p value. LWAPP Tunnels Si 1

12 © 2006 Cisco Systems, Inc. All rights reserved. QoS Packet-Marking Translations Cisco 802.1p Priority- Based Traffic Type DSCP Priority 802.1p Priority IEEE 802.11e Priority Reserved56–62 77 IP routing4867 Voice46 (EF)56 Video34 (AF41)45 Voice control26 (AF 31)34 Background gold18 AF21)22 Background silver10 (AF11)11 Best effort0 (BE)00 or 3

13 © 2006 Cisco Systems, Inc. All rights reserved. WLAN QoS Implementation Step 2: Out of the Tunnel and Through the Access Point to the Wireless Client LWAPP Tunnels Si 2 Map the DSCP value of the incoming LWAPP packet to the 802.11e priority value. Place in the 802.11 tX queue appropriate for that 802.11e/WMM value. The original DSCP value is preserved.

14 © 2006 Cisco Systems, Inc. All rights reserved. WLAN QoS Implementation Step 3: From Client to Access Point and Into the Tunnel LWAPP Tunnels Si 3 Police the 802.11e priority value, then map the value to the DSCP value.

15 © 2006 Cisco Systems, Inc. All rights reserved. Mapping Traffic from Access Point to Controller  The access point will not send tagged packets on a nontrunk port destined for the controller; therefore, the access point will not copy the 802.11e client incoming priority value to the 802.1p (outer) that is destined for the switch.

16 © 2006 Cisco Systems, Inc. All rights reserved. WLAN QoS Implementation Step 4: Out of the Tunnel Though the Controller to the Ethernet Switch LWAPP Tunnels Si 4 Map the DSCP value of the original packet to the 802.1p value. The original DSCP value is preserved.

17 © 2006 Cisco Systems, Inc. All rights reserved. 802.1p and DSCP Packet Tagging  802.1p or DSCP-tagged packets received from LAN: Tag is propagated to LWAPP frame. WLAN ID-configured QoS takes priority for assigned access category; if tag is lower than configured QoS, access point will queue packet at lower access category. AAA override can be applied to Cisco IBNS WLAN clients.  Untagged packets received from LAN: WLAN ID-configured QoS will be applied for access category. AAA override can be applied to Cisco IBNS WLAN clients.

18 © 2006 Cisco Systems, Inc. All rights reserved. 802.11e Packet Tagging  802.11e QoS packets received from WLAN: Tag is propagated to LWAPP frame. WLAN ID-configured QoS takes priority for assigned 802.1p tag; if 802.11e access category is lower than configured QoS, lower 802.1p tag will be applied. 802.11e QoS packets received from WLAN will be 802.1p-tagged when transmitted on the LAN by the controller.  Non-QoS packets received from WLAN will be best effort (default silver) when transmitted on the LAN by the controller.

19 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Unified Wireless Network Solution Location Appliance (Optional) Cisco WCS GUI or CLI CLI Console Cisco WLAN Controller Access Points Network

20 © 2006 Cisco Systems, Inc. All rights reserved. QoS Configuration: Per User bandwidth Contracts  Each level has a configurable per-bandwidth contract rate: Per-user data bandwidth contract—Configurable peak and average data rate enforcement for non-UDP traffic Per-user real-time bandwidth contract—Configurable peak and average data rate enforcement for UDP traffic

21 © 2006 Cisco Systems, Inc. All rights reserved. QoS Configuration: Over the Air QoS  Each level has configurable “over the air” QoS rates: Maximum RF usage per access point (%)—Defined maximum percentage of air bandwidth given to an access category Queue depth—Defined depth of queue for a particular user level that will cause packets in excess of the defined value to be dropped Over the Air QoS Defaults Access CategoryRF UsageQueue Depth Platinum100 percent100 Gold100 percent75 Silver100 percent50 Bronze100 percent25

22 © 2006 Cisco Systems, Inc. All rights reserved. QoS Configuration: Editing QoS Profiles  The 802.1p tag is applied to the wired side to allow proper precedence to be applied to traffic across the entire network infrastructure. Default Mappings Access Category802.1p Priority Platinum6 Gold5 Silver3 Bronze1

23 © 2006 Cisco Systems, Inc. All rights reserved. Configuring WLAN IDs for QoS

24 © 2006 Cisco Systems, Inc. All rights reserved. Self Check 1.What kind of access technology do WLANs use and why? 2.What are the four access categories or classes of traffic used for QoS in WLANs? 3.How is Enhanced DCF (EDCF) used to implement QoS policies in WLANs? 4.How are non-QoS packets handled by the controller when trasmitted on the LAN?

25 © 2006 Cisco Systems, Inc. All rights reserved. Summary  With the expansion of WLANs into enterprise and vertical (retail, finance, education) markets, WLANs are now used to transport high-bandwidth, intensive data applications in conjunction with time-sensitive multimedia applications. This requirement has led to the necessity for wireless QoS.  The lightweight access point WLAN solution enhances the way access points use Layer 3 information to ensure that packets receive the correct over-the-air prioritization when the packets are transmitted from the access point to the wireless client.  QoS protocols used on the WLAN and wired network media must be mapped to one another while traffic transits the boundary between the two media.

26 © 2006 Cisco Systems, Inc. All rights reserved. Q and A

27 © 2006 Cisco Systems, Inc. All rights reserved. Resources  Is Your WLAN Ready for Voice? http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/network ing_solutions_white_paper0900aecd80472e80.shtml  Design Principles for Voice Over WLAN, http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/network ing_solutions_white_paper0900aecd804f1a46.shtml  The Benefits of Centralization in Wireless LANs http://www.cisco.com/en/US/products/ps6108/products_white_p aper0900aecd8040f7b2.shtml

28 © 2006 Cisco Systems, Inc. All rights reserved. Module 6: Implement Wireless Scalability Lesson 6.2: Introducing Wireless Security

29 © 2006 Cisco Systems, Inc. All rights reserved. Objectives  Describe the need for WLAN security.  Describe the evolution of WLAN security methods.  Identify common authentication and encryption technologies used in WLANs.  Explain the benefits and weaknesses of the common security methods used in WLANs.

30 © 2006 Cisco Systems, Inc. All rights reserved. The Need for WLAN Security  Vulnerabilities: War driving Non-secret SSID MAC filtering Automatic DHCP Man-in-the middle attacks Cracking WEP Initialization Vector attacks Password Cracking DoS attacks  WLAN Security requires: Authentication: Proves the user belongs on the network Encryption: Protects the data traversing the network

31 © 2006 Cisco Systems, Inc. All rights reserved. Evolution of WLAN Security

32 © 2006 Cisco Systems, Inc. All rights reserved. 802.11 WEP  WEP aims at providing Wired Equivalent Privacy  WEP is an optional IEEE standard for encryption  Keys can be static and shared among many clients  Uses RC4 algorithm—known vulnerabilities  Keys can be dynamic and unique for each client (as with 802.1x) per session 0101 1100 1001 RC4 Plain text Cipher text IV + key seed keystream

33 © 2006 Cisco Systems, Inc. All rights reserved. 802.11 Open Authentication 1.Client sends probe request. 2.Access points (A/B) send probe response. Client evaluates access point response and selects the best access point. 3.Client sends authentication request to selected access point (A). 4.Access point A confirms authentication and registers client. 5.Client sends association request to selected access point (A). 6.Access point A confirms association and registers client. Access Point A Access Point B

34 © 2006 Cisco Systems, Inc. All rights reserved. 802.11 Shared Key Authentication 4.Access point A sends authentication response containing the unencrypted challenge text. 5.Client encrypts the challenge text using one of its WEP keys and sends it to access point (A). 6.Access point A compares the encrypted challenge text to its copy of the encrypted challenge text. If the text is the same, access point A will allow the client onto the WLAN. Access Point A Access Point B Steps 1-3 are the same as with open authentication.

35 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Enhanced 802.11 WEP Security  Cisco prestandard enhancements  Implemented in 2001 and 2002  Authentication: 802.1x and Extensible Authentication Protocol (EAP) protocols User, token, and machine credentials Dynamic encryption key generation  Encryption: CKIP CMIC

36 © 2006 Cisco Systems, Inc. All rights reserved. Enhanced 802.11 Security  Authentication: 802.1x and Extensible Authentication Protocol (EAP) protocols User, token, and machine credentials Dynamic encryption key generation IEEE 802.11i  Encryption: TKIP and MIC Wi-Fi Protected Access (WPA)—TKIP encryption WPA2—Advanced Encryption Standard (AES)

37 © 2006 Cisco Systems, Inc. All rights reserved. Encryption—TKIP and MIC  TKIP: Key hashing for unique seed values per packet to protect against WEP initialization vector vulnerabilities MIC from Michael algorithm Broadcast key rotation  MIC: Provides more protection than Integrity Check Value (ICV) by protecting the header and the payload Protects against man-in-the-middle or replay attacks

38 © 2006 Cisco Systems, Inc. All rights reserved. WPA2 and AES  WPA2 offers the following: Authenticated key management Key validation mechanisms for unicast and broadcast keys TKIP is used, which for WPA includes both per-packet keying and MIC Expanded IV (defeats AirSnort) Broadcast key rotation  AES Encryption: 128-bit block cipher—cryptographically more robust than RC4 Requires new radio cards on clients and access points because more CPU power is required

39 © 2006 Cisco Systems, Inc. All rights reserved. 802.1x Authentication Overview  The wireless client must be authenticated before it gains access to the network  Extensible and interoperable supports: Different EAP authentication methods or types May be used with multiple encryption algorithms Depends on client capability  Supported by Cisco since December 2000

40 © 2006 Cisco Systems, Inc. All rights reserved. 802.1x Authentication Key Benefits  Mutual authentication between client and authentication (RADIUS) server  Encryption keys derived after authentication  Centralized policy control

41 © 2006 Cisco Systems, Inc. All rights reserved. 802.1x and EAP Authentication Protocols  LEAP—EAP Cisco Wireless  EAP-FAST  EAP-TLS  PEAP: PEAP-GTC PEAP-MSCHAPv2

42 © 2006 Cisco Systems, Inc. All rights reserved. Components Required for 802.1x Authentication  Authentication server is an EAP-capable RADIUS server: Cisco Secure ACS, Microsoft IAS, Meetinghouse Aegis Local authentication service on Cisco IOS access point May use either local RADIUS database or an external database server such as Microsoft Active Directory or RSA SecurID  Authenticator is an 802.1x-capable access point.  Supplicant is an EAP-capable client: Requires 802.1x-capable driver Requires an EAP supplicant—either available with client card, native in operating system, or from third-party software

43 © 2006 Cisco Systems, Inc. All rights reserved. Cisco LEAP  Client support: Windows 98-XP-Vista, Windows CE, Macintosh OS 9.X or 10.X, and Linux Kernel 2.2 or 2.4 Cisco Compatible Extensions Clients (CCXv1)  RADIUS server: Cisco Secure ACS and Cisco Access Registrar Meetinghouse Aegis Interlink Merit  Microsoft domain or Active Directory (optional) for back- end authentication (must be Microsoft format database)  Device support: Cisco autonomous access points and bridges Cisco lightweight access points and WLAN controllers Cisco Unified Wireless IP Phone 7920 (VoIP) handset

44 © 2006 Cisco Systems, Inc. All rights reserved. Cisco LEAP Authentication

45 © 2006 Cisco Systems, Inc. All rights reserved. EAP-FAST: Flexible Authentication via Secure Tunneling  Considered in three phases: Protected access credential is generated in Phase 0 (Dynamic PAC provisioning): Unique shared credential used to mutually authenticate client and server Associated with a specific user ID and an authority ID Removes the need for PKI A secure tunnel is established in Phase 1. Client is authenticated via the secure tunnel in Phase 2.

46 © 2006 Cisco Systems, Inc. All rights reserved. EAP-FAST Authentication

47 © 2006 Cisco Systems, Inc. All rights reserved. EAP-TLS  Client support: Windows 2000, XP, and Windows CE (natively supported) Non-Windows platforms: Third-party supplicants (Meetinghouse) User certificate required for each client  Infrastructure requirements: EAP-TLS-supported RADIUS server Cisco Secure ACS, Cisco Access Registrar, Microsoft IAS, Aegis, Interlink RADIUS server requires a server certificate Certificate authority server (PKI)  Certificate management: Both client and RADIUS server certificates to be managed

48 © 2006 Cisco Systems, Inc. All rights reserved. EAP-TLS Authentication

49 © 2006 Cisco Systems, Inc. All rights reserved. EAP-PEAP  Hybrid authentication method: Server-side authentication with TLS Client-side authentication with EAP authentication types EAP-GTC EAP-MSCHAPv2  Clients do not require certificates.  RADIUS server requires a server certificate: RADIUS server has self-issuing certificate capability. Purchase a server certificate per server from PKI entity. Set up a simple PKI server to issue server certificates.  Allows for one-way authentication types to be used: One-time passwords Proxy to LDAP, Unix, Microsoft Windows NT and Active Directory, Kerberos

50 © 2006 Cisco Systems, Inc. All rights reserved. EAP-PEAP Authentication

51 © 2006 Cisco Systems, Inc. All rights reserved. Wi-Fi Protected Access  WPA introduced in late 2003  Prestandard implementation of IEEE 802.11i WLAN security  Addresses currently known security problems with WEP  Allows software upgrade on deployed 802.11 equipment to improve security  Components of WPA: Authenticated key management using 802.1x: EAP authentication and preshared key authentication Unicast and broadcast key management Standardized TKIP per-packet keying and MIC protocol Initialization vector space expansion: 48-bit initialization vectors Migration mode—coexistence of WPA and non-WPA devices (optional implementation that is not required for WPA certification)

52 © 2006 Cisco Systems, Inc. All rights reserved. 802.11i and WPA Authentication and Key Management Overview

53 © 2006 Cisco Systems, Inc. All rights reserved. WPA Issues  WPA uses TKIP, which uses the same base encryption algorithm, RC4, as WEP.  WPA cannot entirely avoid the design flaws of WEP.  WPA is a compromise solution.  Software upgrade is required for clients and access points, which gives no guarantee that all vendors will support the solution.  Operating system support or a supplicant client is required.  WPA is susceptible to a new type of DoS attack.  WPA is susceptible to a recently discovered weakness when preshared keys are used.

54 © 2006 Cisco Systems, Inc. All rights reserved. IEEE 802.11i—WPA2  802.11i: Ratified in June 2004 Standardizes: 802.1x for authentication AES encryption—Facilitates U.S. government FIPS 140-2 compliance Key management  WPA2: Supplement to WPA “version 1”—Wi-Fi Alliance interoperable implementation of 802.11i Provides for AES encryption to be used Proactive Key Caching Third-party testing and certification for WLAN device compatibility

55 © 2006 Cisco Systems, Inc. All rights reserved. Wireless Intrusion Detection Systems  Address RF-related vulnerabilities: Detect, locate, and mitigate rogue devices Detect and manage RF interference Detect reconnaissance if possible  Address standards-based vulnerabilities: Detect management frame and hijacking-style attacks Enforce security configuration policies  Complementary functionality: Forensic analysis Compliance reporting

56 © 2006 Cisco Systems, Inc. All rights reserved. WPA and WPA2 Modes WPAWPA2 Enterprise mode (business, education, government) Authentication: IEEE 802.1x/EAP Encryption: TKIP/MIC Authentication: IEEE 802.1x/EAP Encryption: AES-CCMP Personal mode (SOHO, home, personal) Authentication: PSK Encryption: TKIP/MIC Authentication: PSK Encryption: AES-CCMP

57 © 2006 Cisco Systems, Inc. All rights reserved. WPA2 Issues  Client (supplicant) must have a WPA2 driver that supports EAP.  RADIUS server must understand EAP.  PEAP carries EAP types within a channel secured by TLS and so requires a server certificate.  WPA2 is more computationally intensive with optional AES encryption.  WPA2 may require new WLAN hardware to support AES encryption.

58 © 2006 Cisco Systems, Inc. All rights reserved. Self Check 1.What does WEP stand for? 2.Which is considered more secure, shared key authentication or open authentication? 3.What is MIC? 4.What RF-related vulnerabilities does an Intrusion Detection System (IDS) system address?

59 © 2006 Cisco Systems, Inc. All rights reserved. Summary  With increased reliance on WLANs, businesses are becoming more concerned about network security. Network managers need to provide end users with freedom and mobility without offering intruders access to the WLAN or the information sent and received on the wireless network.  Authentication and encryption are the two primary facilities for securing the WLAN. While encryption using static WEP keys is very vulnerable, WLANs can now be configured to support EAP and the 802.1x standards including LEAP, EAP-FAST, EAP-TLS, PEAP, WPA, and WPA2.

60 © 2006 Cisco Systems, Inc. All rights reserved. Q and A

61 © 2006 Cisco Systems, Inc. All rights reserved. Resources  Addressing Wireless Threats with Integrated Wireless IDS and IPS http://www.cisco.com/en/US/products/hw/modules/ps2706/prod ucts_white_paper0900aecd804f155b.shtml  Five Steps to Securing Your Wireless LAN and Preventing Wireless Threats http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns386/n etworking_solutions_white_paper0900aecd8042e23b.shtml  Wireless LAN Security White Paper http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns386/n etworking_solutions_white_paper09186a00800b469f.shtml  Security of the WEP algorithm http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

62 © 2006 Cisco Systems, Inc. All rights reserved. Module 6: Implement Wireless Scalability Lesson 6.3: Managing WLANs

63 © 2006 Cisco Systems, Inc. All rights reserved. Objectives  Identify the components of Wireless LAN networks.  Describe the differences between distributed and centralized WLANs.  Describe the purpose and features of the CiscoWorks Wireless LAN Solution Engine.  Describe the purpose and features of the Cisco Wireless Control System.  Explain how the Cisco Location device can be used in WLANs.

64 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Unified Wireless Network

65 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Unified Wireless Network (Cont.)

66 © 2006 Cisco Systems, Inc. All rights reserved. Cisco WLAN Implementation  Distributed WLAN solution Autonomous AP Wireless LAN Solution Engine (WLSE)  Centralized WLAN solution Lightweight AP Wireless LAN Controller (WLC) Cisco offers 2 “flavors” of wireless solutions:

67 © 2006 Cisco Systems, Inc. All rights reserved. Wireless LAN Solution Components Distributed Solution Centralized Solution Autonomous access points Lightweight access points Wireless Domain Services (WDS) WLAN controller WLAN Solution Engine (WLSE) WLAN Control System (WCS) PoE switches, routers DHCP, DNS, AAA

68 © 2006 Cisco Systems, Inc. All rights reserved. Comparison of the WLAN Solutions  Autonomous WLAN: Autonomous access point Configuration of each access point Independent operation Management via CiscoWorks WLSE and WDS Access point redundancy  Lightweight WLAN: Lightweight access point Configuration via Cisco Wireless LAN Controller Dependent on Cisco Wireless LAN Controller Management via Cisco Wireless LAN Controller Cisco Wireless LAN Controller redundancy

69 © 2006 Cisco Systems, Inc. All rights reserved. CiscoWorks WLSE Software Features  CiscoWorks WLSE is a solution for managing the Cisco autonomous access point infrastructure: Configuration of access points Fault and policy monitoring Reporting Firmware upgrade on access points and bridges Radio management CiscoWorks WLSE administration Deployment wizard for access points

70 © 2006 Cisco Systems, Inc. All rights reserved. Improved WLAN security Simplified access point deployment RF visibility Dynamic RF management Simplified operations CiscoWorks WLSE Key Benefits

71 © 2006 Cisco Systems, Inc. All rights reserved. CiscoWorks WLSE and CiscoWorks WLSE Express  Both offer centralized management appliance for autonomous access point solutions  CiscoWorks WLSE Express: Used for SMB, commercial, and branch offices (up to 100) AAA server included  CiscoWorks WLSE: Used for medium-to-large enterprises (up to 2500) Requires external AAA server CiscoWorks WLSE CiscoWorks WLSE Express

72 © 2006 Cisco Systems, Inc. All rights reserved. Simplified CiscoWorks WLSE Express Setup  Setup options: Automatic configuration download from DHCP server: DHCP enabled by default Options 66 and 67 provide TFTP IP address and filename Use setup command to configure CiscoWorks WLSE Express

73 © 2006 Cisco Systems, Inc. All rights reserved. CiscoWorks WLSE Configuration Template

74 © 2006 Cisco Systems, Inc. All rights reserved. CiscoWorks WLSE Benefits FeatureBenefits Centralized configuration, firmware, and radio management Reduces WLAN total cost of ownership by saving time and resources required to manage large numbers of access points Autoconfiguration of new access points Simplifies large-scale deployments Security policy misconfiguration alerts and rogue access point detection Minimizes security vulnerabilities Access point use and client association reports Helps in capacity planning and troubleshooting Proactive monitoring of access points, bridges, and 802.1x EAP servers Improves WLAN uptime

75 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Wireless Control System (WCS) Features  Solution for managing Cisco lightweight access point infrastructure  Flexible and secure network management tool: Intuitive GUI Browser accessible via HTTPS Device management via SNMP (supports SNMPv1, SNMPv2, and SNMPv3)  Ease of system maintenance  Three versions of Cisco WCS: Cisco WCS Base Cisco WCS Location Cisco WCS Location + Cisco 2700 Series Wireless Location Appliance

76 © 2006 Cisco Systems, Inc. All rights reserved. Cisco WCS Versions

77 © 2006 Cisco Systems, Inc. All rights reserved. Cisco WCS Base Software Features  Autodiscovery of access points  Autodiscovery of rogue access points  Map-based organization of access point coverage areas  User-supplied campus, building, and floor plan graphics  System-wide control of streamlined network, controller, and managed APs: Configuration with customer-defined templates Status and alarm monitoring Automated and manual data client monitoring and control Automated monitoring of rogue APs, coverage holes, security violations, controllers, and APs Full event logs Automatic channel and power level assignment User-defined automatic controller status audits, missed trap polling, configuration backups, and policy cleanups

78 © 2006 Cisco Systems, Inc. All rights reserved. Cisco WCS Location Software Features  All Cisco WCS Base software features  On-demand location of rogue access points to within 33 feet (10 meters)  On-demand location of clients to within 33 feet  Ability to use Cisco Wireless Location Appliances

79 © 2006 Cisco Systems, Inc. All rights reserved. Cisco WCS System Requirements  Runs as a normal application or a service on: Microsoft Windows 2000 Microsoft Windows 2003 Red Hat Enterprise Linux ES  Configures and monitors one or more WLAN controllers and associated access points.

80 © 2006 Cisco Systems, Inc. All rights reserved. Cisco WCS Network Summary Page All reporting is available for a seven day rolling window to allow detailed trending reports.

81 © 2006 Cisco Systems, Inc. All rights reserved. Cisco WCS Controller Summary Page Cisco WCS can support 50 Cisco Wireless Controllers and 1500 access points.

82 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Wireless Location Appliance Overview  Cisco 2710 Series Wireless Location Appliances combine the features of a Cisco WCS server and a stand alone chassis to: Compute historical location data Collect historical location data Store historical location data  Configuration and operation uses Cisco WCS with an easy-to-use GUI.  Uses a CLI console session for initial configuration before using the GUI.

83 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Wireless Location Appliance Architecture

84 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Wireless Location Appliance Applications  Visibility and tracking of 1500 mobile devices for 30 days  Work-flow automation and people tracking  Telemetry  WLAN security and network control  RF capacity management and visibility

85 © 2006 Cisco Systems, Inc. All rights reserved. Self Check 1.Which type of WLAN deployment uses controllers and lightweight APs? 2.What is the purpose of the controller? 3.How is the Wireless Location Appliance used?

86 © 2006 Cisco Systems, Inc. All rights reserved. Summary  The Cisco Unified Wireless Network is an end-to-end unified wired and wireless network that cost-effectively addresses WLAN security, deployment, management, and control issues.  The distributed WLAN solution is based on autonomous access points and uses the Wireless LAN Solution Engine (WLSE) for management. The centralized WLAN solution is based on lightweight access points and wireless LAN controllers.  The Cisco Wireless Location Appliance uses advanced RF fingerprinting technology to track thousands of 802.11 wireless devices simultaneously from directly within a WLAN infrastructure.

87 © 2006 Cisco Systems, Inc. All rights reserved. Q and A

88 © 2006 Cisco Systems, Inc. All rights reserved. Resources  User Guide for the CiscoWorks WLSE and WLSE Express 2.13 http://www.cisco.com/en/US/products/sw/cscowork/ps3915/prod ucts_user_guide_book09186a008061ab4f.html  Cisco Wireless Control System Configuration Guide, Release 4.0 http://www.cisco.com/en/US/products/ps6305/products_configur ation_guide_book09186a00806b57ec.html  Cisco 2700 Series Wireless Location Appliance Deployment Guide http://cisco.com/en/US/partner/products/ps6386/prod_technical _reference09186a008059ce31.html

89 © 2006 Cisco Systems, Inc. All rights reserved. Module 6: Implement Wireless Scalability Lesson 6.4: Deploying Cisco WCS

90 © 2006 Cisco Systems, Inc. All rights reserved. Objectives  Describe how to add and configure a WLAN controller using WCS.  Describe how to add and configure a access point using WCS.  Describe how to add and manage maps in WCS.  Describe how to detect and locate rogue access points in WCS.

91 © 2006 Cisco Systems, Inc. All rights reserved. Cisco WCS Server Login The default access is the IP address of the server as the URL and HTTPS as the access method, which may also require a designated port. A default username “root” and password “public” are predefined.

92 © 2006 Cisco Systems, Inc. All rights reserved. Cisco WCS Network Summary Horizontal Menus Vertical Menus

93 © 2006 Cisco Systems, Inc. All rights reserved. Adding a Controller The Cisco WCS instance is initially empty and needs to be populated using the Select a command drop-down list. Cisco WCS has search criteria, such as networks, controller name, or IP address.

94 © 2006 Cisco Systems, Inc. All rights reserved. Configure > Controller > Add Controller > OK

95 © 2006 Cisco Systems, Inc. All rights reserved. Configure > Access Points After adding a controller, associated access points are automatically added.

96 © 2006 Cisco Systems, Inc. All rights reserved. Monitor > Maps > New Campus > OK

97 © 2006 Cisco Systems, Inc. All rights reserved. Monitor > Maps > New Campus > OK (Cont.) Maps can start at either a campus or building, but only a campus will provide an outdoor coverage area. A building can be added as a single entity or as part of a campus.

98 © 2006 Cisco Systems, Inc. All rights reserved. Adding a New Building

99 © 2006 Cisco Systems, Inc. All rights reserved. Detecting and Locating Rogue Access Points  An alarm indicator appears in Cisco WCS showing 93 rogue access points detected.  Select the alarm for more information. Color CodeType of Alarm ClearNo alarm RedCritical alarm OrangeMajor alarm YellowMinor alarm

100 © 2006 Cisco Systems, Inc. All rights reserved. Rogue Access Points Alarms

101 © 2006 Cisco Systems, Inc. All rights reserved. Rogue Access Points Location

102 © 2006 Cisco Systems, Inc. All rights reserved. Summary  The Cisco Wireless LAN Controller (WCS) provides a summary of the Cisco WLAN solution, including reported coverage holes, access point operational data, the most recently detected rogue access points, and client distribution over time.  WCS is used to manage and configure controllers and access points in a graphical user interface.  WCS alarms provide a visual indication of the current fault or state of an element that needs attention

103 © 2006 Cisco Systems, Inc. All rights reserved. Q and A

104 © 2006 Cisco Systems, Inc. All rights reserved. Resources  Cisco Wireless Control System (WCS) http://www.cisco.com/en/us/products/ps6305/products_data_sh eet0900aecd802570d0.html  Cisco Wireless Control System Configuration Guide, Release 4.0 http://www.cisco.com/en/US/products/ps6305/products_configur ation_guide_book09186a00806b57ec.html

105 © 2006 Cisco Systems, Inc. All rights reserved. Module 6: Implement Wireless Scalability Lesson 6.5: Configuring Encryption and Authentication on Lightweight Access Points

106 © 2006 Cisco Systems, Inc. All rights reserved. Objectives  Describe how to use the WLAN controller to configure WLAN security options: Open authentication WEP key authentication WPA preshared key Web authentication 802.1x WPA2

107 © 2006 Cisco Systems, Inc. All rights reserved. WLAN Controllers ProductFeatures Cisco 4400 Series Wireless LAN Controllers For medium-to-large enterprise facilities The Cisco 4402 with 2 Gigabit Ethernet ports supports configurations for 12, 25, and 50 access points Cisco 4404 with 4 Gigabit Ethernet ports supports 100 access points Cisco 2100 Series Wireless LAN Controllers For small to medium-sized businesses or branch offices

108 © 2006 Cisco Systems, Inc. All rights reserved. WLAN Controller Topology and Network Connections WLAN Controller

109 © 2006 Cisco Systems, Inc. All rights reserved. Configuring Open Authentication

110 © 2006 Cisco Systems, Inc. All rights reserved. Configuring Static WEP Key Authentication

111 © 2006 Cisco Systems, Inc. All rights reserved. Configuring WPA Preshared Key This example shows WPA preshared key.

112 © 2006 Cisco Systems, Inc. All rights reserved. Web Authentication  Users authenticate via a web browser interface.  Clients using HTTP are automatically directed to a login page: Customizable for logos and text Maximum simultaneous authentication requests—21 Maximum local web authentication users—2500  Generally used for guest access: Data is not secure between the access point and the client.

113 © 2006 Cisco Systems, Inc. All rights reserved. Configuring Web Authentication

114 © 2006 Cisco Systems, Inc. All rights reserved. Customizing the Web Login Page

115 © 2006 Cisco Systems, Inc. All rights reserved. 802.1x Authentication Microsoft Windows XP clients support only 40-bit or 104-bit dynamic WEP keys.

116 © 2006 Cisco Systems, Inc. All rights reserved. Configuring WPA with 802.1x This example shows WPA with dynamic keys.

117 © 2006 Cisco Systems, Inc. All rights reserved. WPA2 This example shows WPA2 with dynamic keys.

118 © 2006 Cisco Systems, Inc. All rights reserved. Self Check 1.What is web authentication? 2.How is it typically used? 3.Which controller supports web authentication?

119 © 2006 Cisco Systems, Inc. All rights reserved. Summary  Authentication and encryption are the two primary facilities for securing the WLAN. While encryption using static WEP keys is very vulnerable, WLANs can now be configured to support EAP and the 802.1x standards including LEAP, EAP-FAST, EAP-TLS, PEAP, WPA, and WPA2.

120 © 2006 Cisco Systems, Inc. All rights reserved. Q and A

121 © 2006 Cisco Systems, Inc. All rights reserved. Resources  Five Steps to Securing Your Wireless LAN and Preventing Wireless Threats http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns386/n etworking_solutions_white_paper0900aecd8042e23b.shtml  Wireless LAN Security White Paper http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns386/n etworking_solutions_white_paper09186a00800b469f.shtml  Security of the WEP algorithm http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

122 © 2006 Cisco Systems, Inc. All rights reserved.


Download ppt "© 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) Module 6: Implement Wireless Scalability."

Similar presentations


Ads by Google