The Cisco UWN Architecture

In a traditional WLAN, each AP operates as a separate autonomous node configured with SSID, RF channel, RF power settings, and so forth. Scaling to large contiguous, coordinated WLANs and adding higher-level applications is challenging with these autonomous APs. For example, if an autonomous AP hears a nearby AP operating on the same channel, the autonomous AP has no way of determining whether the adjacent AP is part of the same network or a neighboring network. Some form of centralized coordination is needed to allow multiple APs to operate across rooms and floors.

Cisco UWN Elements

The Cisco UWN architectural elements allow a WLAN to operate as an intelligent information network and to support advanced mobility services. Beginning with a base of client devices, each element provides additional capabilities needed as networks evolve and grow, interconnecting with the elements above and below it to create a unified, secure, end-to-end enterprise-class WLAN solution. The five interconnected elements of the Cisco UWN architecture are as follows:

■ Client devices: With more than 90 percent of shipping client devices certified as Cisco Compatible under the CCX program, almost any client device that is selected will support the Cisco UWN advanced features.

■ Lightweight APs: Dynamically configured APs provide ubiquitous network access in all environments. Enhanced productivity is supported through plug-and-play with the LWAPP used between the APs and the Cisco WLCs. Cisco APs are a proven platform with a large installed base and market share leadership. All Cisco lightweight APs support mobility services, such as fast secure roaming for voice, and location services for real-time network visibility.

■ Network unification: Integration of wired and wireless networks is critical for unified network control, scalability, security, and reliability. Seamless functionality is provided through wireless integration into all major switching and routing platforms.

■ Network management: The same level of security, scalability, reliability, ease of deployment, and management for WLANs as wired LANs is provided through network management systems such as the Cisco WCS, which helps visualize and secure the airspace. The Cisco wireless location appliance provides location services.

■ Mobility services: Unified mobility services include advanced security threat detection and mitigation, voice services, location services, and guest access.

Benefits of the Cisco UWN architecture include ease of deployment and upgrades, reliable connectivity through dynamic RF management, optimized per-user performance through user load balancing, guest networking, Layer 2 and 3 roaming, embedded wireless IDS, location services, voice over IP support, lowered total cost of ownership, and wired and wireless unification.

The Cisco WCS is an optional Windows or Linux server-based network management component that works in conjunction with Cisco Aironet lightweight APs and Cisco WLCs. With Cisco WCS, network administrators have a single solution for RF prediction, policy provisioning, network optimization, troubleshooting, user tracking, security monitoring, and WLAN systems management. The Cisco WCS includes tools for WLAN planning and design, RF management, basic location tracking, intrusion prevention systems, and WLAN systems configuration, monitoring, and management.

The Cisco wireless location appliance integrates with Cisco WCS for enhanced physical location tracking of many wireless devices to within a few meters. This appliance also records historical location information that can be used for location trending, rapid problem resolution, and RF capacity management.

An enterprise network can start with client devices, lightweight APs, and WLCs. As the enterprise's wireless networking requirements grow, additional elements, such as the Cisco WCS and the Cisco wireless location appliance, can be incorporated into the network.

Cisco UWN Lightweight AP and WLC Operation

An autonomous AP acts as an 802.1Q translational bridge and is responsible for putting the wireless client RF traffic into the appropriate local VLAN on the wired network, as illustrated in Figure 9-9.

Figure 9-9 An Autonomous Access Point Bridges and Puts Traffic into VLANs (figure label: WPA or WPA2 Encryption)

KEY POINT

In contrast, the Cisco UWN architecture centralizes WLAN configuration and control on a WLC; the APs are lightweight, meaning that they cannot act independently of a WLC. The lightweight APs and WLCs communicate using LWAPP, and the WLCs are responsible for putting the wireless client traffic into the appropriate VLAN.

Figure 9-10 shows an example of this architecture.

Figure 9-10 Cisco UWN Includes Lightweight APs and WLCs (figure labels: Lightweight AP, LWAPP Control Messages, LWAPP Data Tunnel Encapsulation, Campus Infrastructure, WLAN Controller, To and from Switched/Routed Wired Network (802.1Q Trunk))

It is a recommended enterprise practice that the connection between client device and APs be both authenticated and encrypted, as described in the next section. When a WLAN client sends a packet as an RF signal, it is received by a lightweight AP, decrypted if necessary, encapsulated with an LWAPP header, and forwarded to the WLC. From the perspective of the AP, the controller is an LWAPP tunnel endpoint with an IP address. At the controller, the LWAPP header is stripped off, and the frame is switched from the controller onto the appropriate VLAN in the campus infrastructure.

KEY POINT

In the Cisco UWN architecture, the WLC is an 802.1Q bridge that takes client traffic from the LWAPP tunnel (from the lightweight AP) and puts it on the appropriate VLAN in the wired network.

Figure 9-11 illustrates this process.

Figure 9-11 In the UWN, the WLC Bridges and Puts Traffic into VLANs (figure label: WPA or WPA2 Encryption)

NOTE If you move a statically addressed AP to a different IP subnet, it cannot forward traffic, because it will not be able to form an LWAPP tunnel with the WLC.

When a client on the wired network sends a packet to a WLAN client, the packet first goes into the WLC, which encapsulates it with an LWAPP header and forwards it to the appropriate AP. The AP strips off the LWAPP header, encrypts the frame if necessary, and then bridges the frame onto the RF medium.

Consequently, much of the traditional WLAN functionality has moved from autonomous APs to a centralized WLC under the Cisco UWN architecture. LWAPP splits the MAC functions of an AP between the WLC and the lightweight AP. The lightweight APs handle only real-time MAC functionality, leaving the WLC to process all the non-real-time MAC functionality. This split-MAC functionality allows the APs to be deployed in a zero-touch fashion such that individual configuration of APs is not required.

Although Cisco WLCs always connect to 802.1Q trunks on a switch or a router, Cisco lightweight APs do not understand VLAN tagging and so should be connected only to untagged access ports on a neighbor switch. Table 9-3 summarizes the lightweight AP and WLC MAC functions within the Cisco UWN.
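The split described in the preceding paragraphs (the AP hands the WLC an untagged client frame inside the LWAPP data tunnel; the WLC, as the 802.1Q bridge, tags it for the client's VLAN on the trunk and strips the tag on the way back) can be modelled in a few functions. This is an added example, not Cisco code: the tunnel header is a constructed 4-byte marker rather than the real LWAPP wire format, and the client-to-VLAN table is constructed policy. The 802.1Q tag layout (TPID 0x8100, then PCP/DEI/VID in the TCI) is the real one.

```python
"""Model of the LWAPP data path with the WLC as 802.1Q bridge (added example, not Cisco code)."""
import struct

TPID_8021Q = 0x8100
TUNNEL_MARKER = b"LWAP"          # constructed placeholder for the LWAPP header, not the real format
CLIENT_VLAN = {                  # constructed policy: client MAC -> VLAN of its dynamic interface
    bytes.fromhex("0211aabbccdd"): 10,
    bytes.fromhex("021122334455"): 20,
}


def ethernet_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_tag(frame):
    """Return (vid, pcp, dei, inner_ethertype) for an 802.1Q-tagged frame, or None if untagged."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        return None
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, ethertype


def ap_to_wlc(frame):
    """AP side: the (already decrypted) client frame enters the tunnel untagged.
    A lightweight AP sits on an untagged access port, so a tagged frame is an error here."""
    if parse_tag(frame) is not None:
        raise ValueError("lightweight AP ports are untagged; refusing tagged frame")
    return TUNNEL_MARKER + frame


def wlc_to_trunk(pdu, pcp=0):
    """WLC side: strip the tunnel header and insert the 802.1Q tag for the client's VLAN."""
    if not pdu.startswith(TUNNEL_MARKER):
        raise ValueError("not a tunnel data PDU")
    frame = pdu[len(TUNNEL_MARKER):]
    vid = CLIENT_VLAN.get(frame[6:12])            # look up by source (client) MAC
    if vid is None:
        raise PermissionError("client has no VLAN assignment; drop")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)    # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def trunk_to_wlc_to_ap(tagged):
    """Return path: WLC checks the tag matches the destination client's VLAN, strips it, tunnels it."""
    tag = parse_tag(tagged)
    if tag is None:
        raise ValueError("trunk frames must be tagged")
    if CLIENT_VLAN.get(tagged[:6]) != tag[0]:     # destination MAC must belong to that VLAN
        raise PermissionError("VLAN/client mismatch; drop")
    untagged = tagged[:12] + tagged[16:]          # remove the 4-byte tag
    return TUNNEL_MARKER + untagged


def demo():
    client = bytes.fromhex("0211aabbccdd")
    gateway = bytes.fromhex("00005e000101")
    stub_ipv4 = b"\x45" + b"\x00" * 19            # constructed IPv4 header stub as payload
    up = ethernet_frame(gateway, client, 0x0800, stub_ipv4)
    tagged = wlc_to_trunk(ap_to_wlc(up), pcp=5)
    down = ethernet_frame(client, gateway, 0x0800, stub_ipv4)
    down_tagged = down[:12] + struct.pack("!HH", TPID_8021Q, 10) + down[12:]
    back = trunk_to_wlc_to_ap(down_tagged)
    inner = back[len(TUNNEL_MARKER):]
    return {"tag": parse_tag(tagged), "len_delta": len(tagged) - len(up),
            "ap_sees_untagged": parse_tag(inner) is None, "down_ok": inner == down}


if __name__ == "__main__":
    print(demo())
```

The two `PermissionError` branches are the security-relevant checks in this model: the WLC only bridges frames for clients it has a VLAN assignment for, and on the return path it refuses to deliver a frame whose tag does not match the destination client's VLAN.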

Table 9-3 UWN Lightweight AP and WLC MAC Functions

Lightweight AP MAC Functions                           | WLC MAC Functions
-------------------------------------------------------|--------------------------------------------------------
802.11: Beacons, probe response                        | 802.11 MAC management: Association requests and actions
802.11 Control: Packet acknowledgment and transmission | 802.11e: Resource reservation
802.11e: Frame queuing and packet prioritization       | 802.11i: Authentication and key management
802.11i: MAC layer data encryption/decryption          |

Cisco UWN Wireless Authentication and Encryption

The Cisco UWN provides full support for WPA and WPA2 with its building blocks of 802.1X EAP mutual authentication and TKIP or AES encryption.

802.1X EAP is recommended in the Cisco UWN architecture. The client device, called the EAP supplicant, communicates with the Cisco WLC, which acts as the EAP authenticator. The WLC communicates with an authentication server such as Cisco Secure ACS; this server is also a RADIUS server. Figure 9-12 illustrates this process.

Figure 9-12 UWN Wireless Authentication and Encryption (figure labels: Supplicant / EAP-Capable Client, Lightweight AP, Authenticator, Authentication Server, Switched/Wired Infrastructure, EAP/RADIUS Tunnel, 802.1X Authentication, Key Management, Key Distribution, Secure Data Flow)

After the wireless client associates to the AP, the AP blocks the client from gaining access to anything on the network, except the authentication server, until the client has logged in and authenticated. The client (the supplicant) supplies network login credentials such as a user ID and password to the authenticator (the WLC). The supplicant, the authenticator, and the authentication server participate in the authentication process. If the authentication process succeeds, the authenticator allows network access to the supplicant through the appropriate port. The WLC tells the lightweight AP which dynamic interface (as described in the "WLC Interfaces" section later in this chapter) and policies to use for the client.

After mutual authentication has been successfully completed, the client and RADIUS server each derive the same encryption key, which is used to encrypt all data exchanged between the client and the WLC. Using a secure channel on the wired LAN, the RADIUS server sends the key to the WLC, which stores and uses it when communicating with the client. The result is per-user, per-session encryption keys, with the length of a session determined by a policy defined on the RADIUS server. When a session expires or the client roams from one AP to another, a reauthentication occurs and generates a new session key. The reauthentication is transparent to the user.
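The role split in the two paragraphs above (supplicant, authenticator with a controlled port that admits only authentication traffic until login succeeds, authentication server that returns the session key and policy to the WLC, and re-keying when the session expires) can be simulated end to end. This is an added example, not Cisco code or a real EAP method: the challenge/response and the HMAC-SHA256 key derivation are constructed stand-ins, as are the user database, the VLAN policy and the session lifetime. What the model does show is that the WLC relays the exchange without ever holding the client's credential, that the client and the server independently arrive at the same key, and that a failed or expired session leaves the port closed.

```python
"""Simulation of 802.1X roles on a WLC (added example, not Cisco code; constructed crypto stand-ins)."""
import hashlib
import hmac
import secrets

AUTH_SERVER = "auth-server"   # the only destination reachable from an unauthorized port


def session_key(secret, client_nonce, server_nonce):
    """Computed independently by supplicant and server; the WLC receives it, never `secret`."""
    return hmac.new(secret, b"session-key" + client_nonce + server_nonce, "sha256").digest()


class Supplicant:
    """Client device. Holds a password-derived credential (constructed stand-in for an NT-hash-style verifier)."""
    def __init__(self, mac, username, password):
        self.mac, self.username = mac, username
        self.secret = hashlib.sha256(password.encode()).digest()   # password never leaves the client
        self.client_nonce = self.session_key = None

    def respond(self, server_nonce):
        self.client_nonce = secrets.token_bytes(16)
        msg = b"auth" + server_nonce + self.client_nonce + self.username.encode()
        return self.client_nonce, hmac.new(self.secret, msg, "sha256").digest()

    def finish(self, server_nonce):
        self.session_key = session_key(self.secret, self.client_nonce, server_nonce)


class AuthServer:
    """RADIUS/AAA server: user database plus session policy (both constructed)."""
    def __init__(self, users, session_seconds):
        self.users = users                    # username -> (secret, vlan)
        self.session_seconds = session_seconds

    def challenge(self):
        return secrets.token_bytes(16)

    def verify(self, username, server_nonce, client_nonce, proof):
        record = self.users.get(username)
        if record is None:
            return None                       # Access-Reject
        secret, vlan = record
        msg = b"auth" + server_nonce + client_nonce + username.encode()
        if not hmac.compare_digest(hmac.new(secret, msg, "sha256").digest(), proof):
            return None                       # Access-Reject
        return {"key": session_key(secret, client_nonce, server_nonce),   # Access-Accept
                "vlan": vlan, "session_seconds": self.session_seconds}


class Authenticator:
    """WLC: one controlled port per associated client, EAP relayed to the server."""
    def __init__(self, server):
        self.server, self.ports = server, {}

    def associate(self, mac):
        self.ports[mac] = {"authorized": False, "key": None, "vlan": None, "expires": 0}

    def forward_allowed(self, mac, dst, now):
        port = self.ports.get(mac)
        if port is None:
            return False
        if port["authorized"] and now < port["expires"]:
            return True
        return dst == AUTH_SERVER             # unauthorized or expired: only auth traffic passes

    def authenticate(self, supplicant, now):
        port = self.ports[supplicant.mac]
        server_nonce = self.server.challenge()                      # relayed to the client
        client_nonce, proof = supplicant.respond(server_nonce)      # relayed to the server
        result = self.server.verify(supplicant.username, server_nonce, client_nonce, proof)
        if result is None:
            port.update(authorized=False, key=None, vlan=None, expires=0)
            return False
        port.update(authorized=True, key=result["key"], vlan=result["vlan"],
                    expires=now + result["session_seconds"])       # key + policy from the server
        supplicant.finish(server_nonce)                             # client derives the same key
        return True


def demo():
    users = {"alice": (hashlib.sha256(b"correct horse").digest(), 20)}   # constructed user DB
    wlc = Authenticator(AuthServer(users, session_seconds=3600))
    alice = Supplicant("02:11:aa:bb:cc:dd", "alice", "correct horse")
    wlc.associate(alice.mac)
    out = {"blocked_before": not wlc.forward_allowed(alice.mac, "10.0.0.5", now=0),
           "auth_server_reachable": wlc.forward_allowed(alice.mac, AUTH_SERVER, now=0)}
    out["first_auth"] = wlc.authenticate(alice, now=0)
    out["keys_match"] = wlc.ports[alice.mac]["key"] == alice.session_key
    out["vlan"] = wlc.ports[alice.mac]["vlan"]
    first_key = alice.session_key
    out["blocked_after_expiry"] = not wlc.forward_allowed(alice.mac, "10.0.0.5", now=3600)
    out["reauth"] = wlc.authenticate(alice, now=3600)
    out["new_key"] = alice.session_key != first_key and wlc.ports[alice.mac]["key"] == alice.session_key
    mallory = Supplicant("02:11:22:33:44:55", "alice", "wrong password")
    wlc.associate(mallory.mac)
    out["bad_password"] = wlc.authenticate(mallory, now=0)
    out["mallory_blocked"] = not wlc.forward_allowed(mallory.mac, "10.0.0.5", now=0)
    return out


if __name__ == "__main__":
    print(demo())
```

Time is passed in explicitly (`now`) so the expiry path is deterministic; in a real deployment the session lifetime is the RADIUS-side policy the text mentions, and the reauthentication at `now=3600` is what produces the fresh per-session key.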

Several 802.1X authentication types exist, each providing a different approach to authentication while relying on the same framework and EAP for communication between a client and the authentication server. Cisco UWN EAP support includes the following types:

■ EAP-Transport Layer Security (EAP-TLS): EAP-TLS is an Internet Engineering Task Force (IETF) open standard that is well supported among wireless vendors but rarely deployed. It uses PKI to secure communications to the RADIUS server using TLS and digital certificates; it requires certificates on both the server and client.

■ EAP-Tunneled TLS (EAP-TTLS): EAP-TTLS was codeveloped by Funk Software and Certicom. It is widely supported across platforms and offers very good security. EAP-TTLS uses PKI certificates only on the RADIUS authentication server. The authentication of the client is done with a username and password.

■ Protected Extensible Authentication Protocol (PEAP): PEAP was a joint proposal by Cisco Systems, Microsoft, and RSA Security as an open standard. Authentication of the client is done using PEAP-Generic Token Card (GTC) or PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2). PEAP-MSCHAPv2 is the most common version and is widely available in products and widely deployed. It is similar in design to EAP-TTLS but requires a PKI certificate only on the server to create a secure TLS tunnel to protect user authentication. PEAP-GTC allows more generic authentication to a number of databases, such as Novell Directory Services.

■ Cisco Lightweight Extensible Authentication Protocol (LEAP): LEAP is an early proprietary EAP method and is supported in the CCX program. It is vulnerable to dictionary attack.

■ Cisco EAP-Flexible Authentication via Secure Tunneling (EAP-FAST): EAP-FAST is a proposal by Cisco Systems to fix the weaknesses of LEAP; it is supported in the CCX program. EAP-FAST uses a protected access credential (PAC) and optionally uses server certificates. EAP-FAST has three phases. Phase 0 is an optional phase in which the PAC can be provisioned manually or dynamically. In Phase 1, the client and the AAA server use the PAC to establish a TLS tunnel. In Phase 2, the client sends user information across the tunnel.

Each EAP type has advantages and disadvantages. Trade-offs exist between the security provided, manageability, operating systems supported, client devices supported, client software and authentication messaging overhead, certificate requirements, user ease of use, and WLAN infrastructure device support. When selecting an EAP type to use, considerations include the type of security mechanism used for the security credentials, the user authentication database, the client operating systems in use, the available client supplicants, the type of user login needed, and whether RADIUS or AAA servers are used.
