Wireless LAN Design
WLAN Standards
First standard for WLAN was established by IEEE, 802.11, ratified in 1997. Originally implemented at speeds of 1-2 MBPS using direct sequence spread spectrum (DSSS) and frequency-hopping spread spectrum (FHSS) at the Physical Layer of OSI model. DSSS separates data into sections which is transmitted over different frequencies at the same time, while FHSS uses frequency-hopping to send data in bursts, transmitting part of the data on channel 1, then hopping to channel 2 for the next part, then back to channel 1.
802.11b was announced in 1999 which provided 11MBPS data rate, using 11 channels of the Industrial, Scientific and Medical (ISM) frequencies. 802.1b uses DSSS and is backwards compatible with other 802.11 systems which use DSSS.
802.11a was approved as a second standard in 1999, providing 54MBPS data rate but being incompatible with 802.11b. 802.11a uses 13 channels of Unlicensed National Information Infrastructure (UNII) frequencies and is incompatible with 802.11b/g.
802.11g was approved in 2003 which used ISM frequencies and provided 54 MBPS data rate. 802.11g was also backwards-compatible with 802.11b.
802.11n standard was ratified in 2009. It uses multiple-input multiple-output (MIMO) antennas and expected max data rate of 600 MBPS using 4 streams, each with 40-MHz width. Uses DSSS and orthogonal frequency-division multiplexing (OFDM) as the digital carrier modulation method, 802.11n uses both 2.4-GHz and 5-GHz bands.
ISM and UNII Frequencies
802.11b/g uses 2.4-GHz range of frequencies as set in ISM, with overlapping channels that are 22MHz wide. Common non-overlapping channels used are 1, 6 and 11 to prevent interference.
UNII has three ranges:
- 5.15 GHz - 5.25 GHz, and 5.25 GHz - 5.35 GHz
- 5.47 GHz - 5.725 GHz. Used by High Performance Radio LAN in Europe
- 5.725 GHz - 5.875 GHz. This range overlaps ISM
802.11a has 12 non-overlapping channels.
Service Set Identifier
WLANs use an SSID to identify WLAN network name. SSIDs can be 2 to 32 characters, and all devices in WLAN must use the same SSID to communicate. This acts very much like a vlan in a wired network. The main difficulty in large networks is configuring SSID, frequency and power settings for remotely located access points. Cisco use Wireless Control System (UCS).
WLAN Layer 2 Access
802.11 media layer access control uses Carrier Sense Multiple Access Collision Avoidance (CSMA/CA) as the access method. Each WLAN station listens for other stations transmitting, and then transmits if no other traffic is detected on the radio frequency. Of course, with a centrally located access point it is entirely possible to have stations unable to detect each other, whereas on a wired network the collision would be detected by all participants on the network segment. If the AP does not receive the transmission, the station backs off a random amount of time before trying again.
WLAN Security
Because of wireless signals proliferation and ease of eavesdropping on signal, wireless security has its own set of challenges. Several standards were created to address wireless security concerns. The first was Wireless Equivalent Privacy (WEP) which was used in the 802.11b standard. This method used a short preshared key to encrypt traffic and was easily cracked. In 2004, the 802.11i standard was created to provide additional security for WLAN networks. This standard is also known as Wireless Protected Access 2 (WPA2) and Robust Security Network (RSN). 802.11 contains the following:
- 4-Way Handshake and Group Key Handshake, both using 802.1x for authentication (using Extensible Authentication Protocol and an authentication server)
- Robust Security Network for establishment and tracking of robust security associations
- Advanced Encryption Standard (AES) for confidentiality, integrity, and origin authentication
Unauthorized Access
Wireless signals are difficult to control and contain. Because wireless signal may extend beyond the physical boundaries, attackers may be able to gain access to the network. If the wireless network does not have a mechanism to compare wireless card MAC addresses of hosts to a database of approved MACs, attackers may achieve unauthorized access. Simply having a database is also not protection because MAC addresses can be spoofed by attackers. Because static MAC address lists are not scalable and are defeated by spoofing, wireless encryption methods such as WEP/WPA2 need to be employed so that attackers cannot gain access without the security keys.
WLAN Security Design Approach
Two assumptions are made concerning the security design approach described:
- All WLAN devices are connected to a unique IP subnet
- Most services available to the wired network are also available to users of the WLAN
With those assumptions in mind, there are two basic security approaches:
- Use EAP via Secure Tunneling (EAP-FAST) to secure authentication
- Use VPN with IP Security (IPSec) to secure traffic from wireless to wired network
WLANS can potentially open new attack vectors for hackers and so security should be enhanced by using VPN with IPSec, 802.1x protocol, and WPA.
802.1x Port-Based Authentication
802.1x is a port-based authentication protocol that can be used on Ethernet, Fast Ethernet and WLAN networks. Client hosts run 802.1x software utilizing EAP to communicate with the AP. The AP relays the authentication request to an authentication server that will accept or deny the credentials, activating or deactivating the port/wireless connection. Usually a Remote Authentication Dial-In User Service (RADIUS) server handles authentication requests. This request is not encrypted as 802.1x is not an encryption protocol.
Dynamic WEP Keys and LEAP
Cisco offers dynamic, per-session WEP keys that are more secure than statically configured WEP keys. To centralize user-based authentication, Cisco developed LEAP. LEAP uses mutual authentication between client/server and 802.1x for wireless authentication messaging. LEAP can use Temporary Key Integrity Protocol (TKIP) rather than WEP to overcome the weakness of WEP. LEAP uses RADIUS to manage user information.
LEAP combines 802.1x and EAP, combining the ability to authenticate to various servers (such as RADIUS) with the ability to force users to log onto an AP that compares logon info with RADIUS. This solution is far more scalable than trying to keep a database of authorized MAC addresses.
Because the WLAN access depends on receiving an address using DHCP, and authenticating connection attempts via RADIUS, the WLAN needs access to these servers. LEAP does not support one-time passwords (OTP) so good password security practice is essential.
Controlling WLAN Access to Servers
The security posture of servers accessible to the WLAN should be similar to that of a DMZ because it is potentially accessible by attackers. WLAN RADIUS and DHCP servers should be kept on a separate segment (vlan) from other primary servers. Access into this vlan should be filtered, which ensures that attacks on these WLAN-accessible servers are contained within that segment. Network access to these servers should be controlled and restricted, as the WLAN should be considered an unsecured network segment.
These WLAN-accessible servers also need to be protected from attack, possibly using IDS/IPS or firewalls.
Cisco Unified Wireless Network
Cisco UWN Architecture
The Cisco Unified Wireless Network architecture combines elements of wireless and wired networks to manage, secure and scale WLANS. Cisco UWN architecture is comprised of five elements:
- Client Devices: Laptops, workstations, IP phones, PDAs and manufacturing devices to access WLAN
- Access Points: Placed in strategic locations to maximize signal and minimize interference
- Network Unification: The WLAN should support wireless applications by providing security policy, QoS, intrusion prevention, and radio management. Cisco WLAN Controllers provide this functionality and integrates within all major routing/switching platforms
- Network Management: Cisco Wireless Control System (WCS) provides central management tool to allow design, control and monitoring of WLAN
- Mobility Services: Includes guest access, location services, voice services, threat detection/mitigation
The Cisco UWN provides benefits:
- Reduced Total Cost of Ownership (TCO)
- Enhanced visibility/control
- Dynamic radio management
- WLAN Security
- Unified wireless/wired network
- Enterprise mobility
- Enhanced collaboration/productivity
Lightweight Access Point Protocol
LWAPP is an IETF standard for control messaging between APs and WLCs. LWAPP control messages can be transmitted as Layer 2 or Layer 3 tunnels. Layer 2 LWAPP tunnels came first, and APs did not need an IP address, but the WLC had to be on every subnet on which an AP resides because only Layer 2 traffic was available. Layer 3 LWAPP is now the preferred solution, but lightweight APs can support both. LWAPP Layer 3 tunneling uses IP addresses that are collected from a mandatory DHCP server. When using Layer 2 tunneling, LWAPP uses a proprietary code to communicate with access points. WLCs reside on the wired network and the lightweight APs are at the edge, not directly connected. This is why tunneling is needed, to protect control traffic between WLCs and LWAPs.
LWAPP Layer 2 uses EtherType code 0xBBBB, Layer 3 uses UDP ports 12222/12223.
Control And Provisioning for Wireless Access Points
CAPWAP is an IETF standard for control messaging between APs and WLCs. Using Control Software 5.2, Cisco LWAPs use CAPWAP to communicate between LWAPs and WLCs. CAPWAP is different from LWAPP in the following ways:
- CAPWAP uses Datagram Transport Layer Security (DTLS) for authentication and encryption to protect traffic between LWAP and WLC. LWAPP uses EAP for the same.
- CAPWAP has a dynamic MTU discovery mechanism.
- CAPWAP control messages use UDP port 5246.
- CAPWAP data messages use UDP port 5247.
CAPWAP uses Layer 3 tunnels between the LWAP and WLC. The LWAP obtains an IP from DHCP servers. Control and data messages sent from an LWAP use an ephemeral UDP port that is derived from a hash of the AP MAC addresses, while WLC traffic uses UDP port 5246/5247 for control/data traffic.
Cisco Unified Wireless Split-MAC Architecture
With split-MAC architecture, LWAP control and data messaging is split. LWAPs communicate with WLCs using control messages over the wired network, while LWAPP/CAPWAP data messages are encapsulated and forwarded to/from wireless clients. WLCs provide configuration and firmware updates to APs as needed.
LWAP MAC functions:
- 802.11: Beacons, probe response
- 802.11 Control: Packet acknowledgement and transmission
- 802.11e: Frame queuing and packet prioritization
- 802.11i: MAC layer data encryption/decryption
Controller MAC Functions:
- 802.11 MAC Management: Association requests and actions
- 802.11e Resource Reservation: Reserves resources for specific applications
- 802.11i: Authentication and key management
Local MAC
Local MAC is supported by CAPWAP, which moves the MAC management from the WLC to the local AP. This allows termination of client traffic at the wired port of the AP. This is useful at small or remote offices where a WLC isn't needed.
LWAP MAC Functions:
- 802.11: Beacons, probe response
- 802.11 Control: Packet acknowledgement/transmission
- 802.11e: Frame queuing/packet prioritization
- 802.11i: MAC layer data encryption/decryption
- 802.11 MAC Management: Association requests/actions
Controller MAC Functions:
- 802.11: Proxy association requests/actions
- 802.11e Resource Reservation: Reserves resources for specific applications
- 802.11i: Authentication and key management
With autonomous APs not associated to a WLC, the AP simply acts as a trunk carrying different vlan traffic. With a WLC connected with CAPWAP, the AP tunnels to the WLC and then the WLC trunks to the switch.
AP Modes
- Local mode: Default mode of operation. Every 180 secs, the AP measures noise floor/interference and scans for IDS events. This occurs on unused channels, lasts 60ms
- Hybrid Remote Edge AP (H-REAP) Mode: Enables LWAP to reside across a WAN from the WLC. It uses local MAC, and is supported on Cisco 1130, 1140, 1240AB, and 1250AG series LWAPs.
- Monitor mode: Feature to allow specific CAPWAP-enabled APs to opt out of handling data traffic, instead serving as sensors for rogue APs, intrusion detection and location-based services (LBS). These monitors continuously cycle through channels listening to each for 60ms.
- Rogue Detector mode: LWAPs in this mode monitor for rogue APs. RD APs are attached to a trunk port to enable seeing all traffic since rogue APs can be connected to any vlan. The wired switch sends a list of rogue AP/client MACs to the RD AP and the RD AP forwards the list to the WLC to compare with MACs registered over the WLAN. If there are matches, then the WLC is aware that a rogue AP is plugged into the wired network and what rogue clients are connected.
- Sniffer mode: LWAP that operates in sniffer mode captures and forwards packets on a particular channel to a remote machine running AiroPeek. This mode only works with AiroPeek, a 3rd party packet sniffer.
- Bridge mode: This mode is only available on Cisco 1130 and 1240 series (typically indoor), and 1500 APs (typically outdoor mesh) and provides high-bandwidth cost-effective bridging. Point-to-point, point-to-multipoint, point-to-point wireless access with integrated backhaul and point-to-multipoint wireless access with integrated backhaul
LWAPP Discovery of WLC
LWAPs placed on the network attempt DHCP discovery to obtain an IP address, followed by a Layer 3 LWAPP discovery attempt. If the WLC does not respond, the AP reboots and tries again. Layer 3 LWAPP discovery algorithm follows:
- AP sends a Layer 3 LWAPP discovery request
- All WLCs that receive this request reply with a unicast LWAPP discovery response message
- The requesting AP compiles a list of responding WLCs.
- The AP selects its preferred WLC based on certain criteria
- The AP validates the selected WLC and sends an LWAPP join response. An encryption key is agreed upon and future communications are encrypted.
Layer 3 discovery requests are sent in one or more of the following ways:
- Local subnet broadcast
- Unicast LWAPP discovery requests to WLCs advertised by other APs
- Previously stored WLC addreses
- IP addresses learned by DHCP option 43
- IP addresses learned by DNS resolution of CISCO-LWAPP-CONTROLLER.local-domain
The WLC which is selected is selected based on certain criteria:
- Previously configured primary/secondary/tertiary WLCs
- WLC configured as master
- WLC which has the most capacity for AP associations
If the WLC has CAPWAP, the AP follows this process:
- CAPWAP AP begins discovery process to find the WLC using a CAPWAP request, to which the WLC sends a CAPWAP response.
- If the AP receives no CAPWAP response within 60 seconds, the AP uses LWAPP discovery
- If the AP cannot find a WLC using LWAPP within 60 seconds it tries CAPWAP again.
CAPWAP is a design decision that is configurable within the WLC. APs select the WLC to create a CAPWAP tunnel based on information contained within the WLC responses. These responses contain the controller sysName, current capacity and load, status of the master WLC and the AP manager IP address. Based on this information, the AP will select its preferred WLC as followed:
- Primary/Secondary/Tertiary WLC preconfigured sysName (preconfigured preference)
- Master WLC
- WLC with greatest capacity for AP associations
WLAN Authentication
When wireless clients try to associate with an AP, they need to authenticate with an authentication server before being granted access to the WLAN. The authentication server resides in the wired LAN and and EAP/RADIUS tunnel is built from the WLC to the server to handle the request. Cisco has a Secure Access Control (ACS) which uses EAP which can service these requests.
Authentication Options
Different types of EAP have advantages and disadvantages. There are trade-offs in security, types of devices supported, ease of use and infrastructure support.
- EAP-Transport Layer Security (EAP-TLS): Open IETF standard that is well-supported but rarely deployed. Uses PKI to secure communications to the RADIUS server using TLS and digital certificates.
- Protected Extensible Authentication Protocol (PEAP): PEAP/MSCHAPv2 is the most common version deployed and is widely available. Similar in design to EAP-TTLS, needing only a server-side PKI cert to create a secure TLS tunnel to protect user authentication. PEAP-GTC allows more generic authentication to other kinds of user databases such as Novell Directory Services.
- EAP-Tunneled TLS (EAP-TTLS): Widely supported across platforms, offers good security, using PKI certs on the authentication server.
- Cisco Lightweight EAP (LEAP): Early proprietary method of EAP supported in Cisco Certified Extensions (CCX) program. Vulnerable to dictionary attacks.
- EAP-Flexible Authentication via Secure Tunneling (EAP-FAST): Proposal by Cisco to address the weaknesses of LEAP. EAP-FAST uses a Protected Access Credential with optional server certificates. EAP-FAST has three phases:
- Phase 0: Optional phase where PAC can be provisioned manually or dynamically.
- Phase 1: Client and AAA server use the PAC to establish a TLS tunnel.
- Client sends information over the established tunnel
WLAN Controller Components
Three major components of WLCs:
- WLANS: Identified by unique SSID network names, each assigned to an interface on the WLC.
- Interface: A logical connection mapping a wireless network to a vlan on the wired network
- Port: Physical connection to the wired LAN, usually a trunk. There could be multiple ports on a WLC that are port-channeled into a single interface. Some WLCs may have an out-of-band management port.
WLC Interface Types
WLCs have five different interface types:
- Management: Mandatory static interface configured at setup, used for in-band management, AAA authentication and Layer 2 discovery/association
- Service Port: Optional, statically configured at setup, used for out-of-band management
- AP Manager: Static, configured at setup, mandatory on all but 5508 model WLC. Used for Layer 3 discovery/association, has source IP of AP that is statically configured
- Dynamic: Analogous to vlans, used for client data
- Virtual: Static, configured at setup, and mandatory, used for Layer 3 security authentication, DHCP relay, and mobility management
