
Module 7

Module 7. WLANs. Objectives: identify the maximum number of BSSID and ESSID supported on an access point radio; describe the best practice for mapping ESS identifiers to BSS identifiers; describe the supported encryption and authentication methods in WiNG 5.x. WLAN – Introduction.


Presentation Transcript


  1. Module 7 WLANs

  2. Objectives
  • Identify the maximum number of BSSID and ESSID supported on an access point radio
  • Describe the best practice for mapping ESS identifiers to BSS identifiers
  • Describe the supported encryption and authentication methods in WiNG 5.x

  3. WLAN – Introduction

  4. Introduction
  • Each WLAN is defined using a unique name
  • WLANs can be assigned to groups of AP radios using profiles or to individual device radios as overrides
  • WLANs assigned to device radios override all WLANs assigned from the profile
  • Each radio can support a maximum of 16 WLANs, with a total of 32 WLANs per Access Point
  • The number of BSSIDs per radio has been increased from 4 to 8
  • SSID and VLAN overrides can be assigned to RF Domains or individual Access Points as overrides, permitting a common WLAN to be deployed across multiple Sites with each Site or Access Point being assigned a unique SSID name or VLAN assignment
  [Diagram: WLAN 1, WLAN 2, WLAN 3 assigned to a Device or Profile; Radio 1 (16 x WLANs, 8 x BSSIDs) and Radio 2 (16 x WLANs, 8 x BSSIDs)]

  5. ESSID and BSSID
  • A WLAN maps to an Extended Service Set Identifier (ESSID)
  • An ESSID is mapped to a Basic Service Set Identifier (BSSID) on an AP radio
  • MAX number of BSSIDs per AP radio: 8
  • MAX number of ESSIDs per AP radio: 16
  • BSSID is derived from the MAC address of the AP radio

  6. ESSID to BSSID Mapping Best Practice
  • Do not map ESSIDs with strong and weak encryption to the same BSSID
  • Set the DTIM interval to 10 for battery-sensitive client devices
  • One-to-one mapping of ESSID to BSSID
  • Clients view each ESSID/BSSID association as a different AP
  • Each individual ESSID/BSSID adds overhead traffic

  7. WLAN Scaling
  • The following tables provide the various scaling limits for each model of Wireless Controller:

  8. VLANs – Static VLANs
  • As with WiNG4, each WLAN can assign users to a single VLAN or to a pool of VLANs:
  • Single VLAN – All devices are assigned to a Local or Tunneled VLAN
  • VLAN Pool – Devices are load-balanced between 2 or more Local OR Tunneled VLANs
  [Diagram: Single VLAN (WLAN to VLAN 11) versus VLAN Pool (WLAN load-balanced across VLAN 11, VLAN 12, VLAN 13)]

  9. VLANs – Dynamic
  • 802.1X and MAC authenticated users can be dynamically assigned a Local or Tunneled VLAN using the standard Tunnel-Private-Group-ID RADIUS return attribute, forwarded with the RADIUS Access-Accept:
  • RADIUS VLAN overrides are enabled per WLAN
  • If no VLAN is assigned from RADIUS, the user is assigned to the Single VLAN or a VLAN from the VLAN pool
  • When dynamic VLANs are enabled, each VLAN that can be assigned from AAA must be defined as a Local or Tunneled VLAN on all the Access Points supporting the users
  [Diagram: Dynamic VLANs – RADIUS Server returns VLAN 11 for username Bob, VLAN 13 for Sally, VLAN 12 for Jim; WLAN bridges to VLAN 11, VLAN 12, VLAN 13]
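The attribute handling behind the slide above, as an added example that is not WiNG code and not part of the deck: it encodes the RFC 2868 tunnel attributes a RADIUS server returns in an Access-Accept (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), then resolves the client's VLAN on the AP side, falling back to the WLAN's static VLAN when the override is absent, malformed, or names a VLAN that is not defined locally. The fallback for an undefined VLAN is an assumption; the deck only states that every AAA-assignable VLAN must be defined on the APs.

```python
import struct

# RFC 2868 tunnel attributes used for RADIUS VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three AVPs a RADIUS server returns to place a client in vlan_id."""
    avps = b""
    for attr_type, value in ((TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
                             (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)):
        # Type(1) Length(1) Tag(1) Value(3 bytes, big-endian) -> total length 6
        avps += struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")
    group = str(vlan_id).encode("ascii")
    avps += struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group
    return avps


def parse_avps(data):
    """Split a RADIUS attribute list into (type, value) pairs; reject bad lengths."""
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed RADIUS attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def resolve_vlan(access_accept_attrs, static_vlan, defined_vlans):
    """VLAN for a client: the RADIUS override when complete and locally defined, else static_vlan."""
    first = {}
    for attr_type, value in parse_avps(access_accept_attrs):
        first.setdefault(attr_type, value)          # keep the first instance of each attribute
    ttype, medium, group = (first.get(t) for t in
                            (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if ttype is None or medium is None or group is None:
        return static_vlan                          # no override: single VLAN or pool member
    if (int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(medium[1:], "big") != TUNNEL_MEDIUM_IEEE_802):
        return static_vlan                          # tunnel attributes present but not a VLAN
    if group and group[0] <= 0x1F:                  # leading byte is a tag, not part of the ID
        group = group[1:]
    try:
        vlan = int(group.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return static_vlan
    # Assumption: an AAA-assigned VLAN not defined on this AP is ignored; the static VLAN applies
    return vlan if vlan in defined_vlans else static_vlan
```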

  10. Encryption
  • Each WLAN can be configured to support one of the following encryption ciphers:
  • WPA2-CCMP
  • WPA/WPA2-TKIP
  • WEP-128
  • WEP-64
  • KeyGuard
  • Supports multiple WLANs with the same SSID name, each with a different encryption cipher
  • This capability is useful for customers migrating from WEP to 802.11i without deploying a separate ESSID
  • WPA2-CCMP or None are the only encryption standards defined for 802.11n
  [Diagram: WLAN Encryption options – WPA2 CCMP, WPA/WPA2 TKIP, WEP-64, WEP-128, KeyGuard]

  11. Encryption Cont.
  • All WLAN encryption/decryption in WiNG5 now occurs locally on the APs:
  • Mirrors the encryption model used for WiNG4.x Adaptive Access Points
  • Removes the Wireless Controller from the encryption/decryption path, providing increased scaling for 802.11n deployments
  • Pairwise Master Keys (PMKs) for Wireless Clients are automatically distributed between Access Points as Wireless Clients roam
  • Eliminates the 4-way handshake during roams
  • PMK Caching and Opportunistic Key Caching are enabled by default on WPA2-CCMP and WPA/WPA2-TKIP WLANs
  • Pre-Authentication is disabled by default on WPA2-CCMP and WPA/WPA2-TKIP WLANs

  12. Authentication
  • Each WLAN can be configured to support one of the following authentication methods:
  • 802.1X EAP
  • 802.1X EAP with PSK
  • Kerberos
  • MAC
  • None
  • 802.1X EAP with PSK is a new option for WiNG5, allowing a common WLAN to support TKIP and CCMP encryption with 802.1X or PSK authentication
  • Intended to provide easy transitions from PSK deployments to 802.1X EAP
  • WPA/WPA2 PSK WLANs now support a primary and a secondary pre-shared key
  • Provides a mechanism to rotate shared keys
  • When the 802.1X EAP, 802.1X EAP PSK or MAC authentication methods are selected, a AAA policy also needs to be defined
  • LEAP pass-through is also now supported!
  [Diagram: WLAN Authentication options – 802.1X EAP, 802.1X EAP and PSK, Kerberos, MAC, None]

  13. MAC Authentication
  • Device-level authentication based on MAC address
  • Augments security for legacy clients that only support deprecated encryption methods
  • Useful for policy assignment to clients by MAC address or address range
  • MAC Authentication Best Practice
  • Enable MAC authentication for WLANs using WPA-PSK or WPA2-PSK
  • Use MAC authentication to assign policies and dynamic VLAN membership to client devices

  14. AAA Policies

  15. Introduction
  • Each WLAN that supports 802.1X, MAC or Guest Access authentication requires a AAA policy
  • AAA policies define RADIUS authentication and accounting configuration parameters, which include:
  • A pool of up to 6 RADIUS authentication and accounting servers and individual configuration parameters
  • RADIUS server pool mode
  • Non-EAP authentication protocol configuration
  • EAP wireless client settings
  • RADIUS accounting mode
  • MAC address formatting
  • Network Access Control
  • Each WLAN may only be assigned to one AAA policy at a time; however, a AAA policy can be assigned to multiple WLANs
  • For Guest Access WLANs the AAA policy is assigned to the Guest Access policy
  [Diagram: Guest Access WLAN (via Guest Access Policy), MAC Auth WLAN and 802.1X WLAN all referencing one AAA Policy containing a RADIUS Authentication Server Pool, a RADIUS Accounting Server Pool and RADIUS Parameters]

  16. Server Pooling Modes
  • When multiple RADIUS authentication and accounting servers are defined, authentication and accounting requests can either be load-balanced between the pool of RADIUS servers or can fail over between RADIUS servers in the pool
  • Requests can be load-balanced or failed over between centralized AAA services or distributed AAA services
  [Diagram: two RADIUS Server Pools of three AAA servers each, one in Load-Balanced mode and one in Fail-Over mode]

  17. RADIUS Server Pools
  • Each AAA policy can include up to 6 RADIUS authentication and accounting server definitions:
  • Each RADIUS authentication and accounting server entry is assigned a unique ID (1 – 6)
  • Each server can be reached using an IP address or hostname (requires DNS name resolution)
  • Each entry supports standard RADIUS configuration parameters such as Secret, Port, Timers and Realms
  • Each AAA server pool can consist of:
  • External RADIUS servers (i.e. Microsoft IAS, Microsoft NPS, Juniper SBR, Cisco ACS)
  • Integrated RADIUS services running on Wireless Controllers or Access Points
  • A combination of both External RADIUS servers and Integrated RADIUS services
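The two pool modes from slides 16 and 17, as an added example that is not WiNG code and not part of the deck: a pool of up to 6 servers (IDs 1 to 6) hands each request to either the next live server in round-robin order (load-balanced) or always the lowest-ID live server (fail-over), and a server that times out is marked dead so later requests skip it. The server IDs, hostnames and the `send` callback are constructed for the example.

```python
LOAD_BALANCED, FAIL_OVER = "load-balanced", "fail-over"
MAX_POOL_SIZE = 6        # the deck allows up to 6 servers per AAA policy, IDs 1-6


class RadiusServerPool:
    """Picks the RADIUS server for each request under either pool mode and tracks dead servers."""

    def __init__(self, servers, mode):
        # servers: list of (server_id, host); the lowest ID is the primary in fail-over mode
        if not 1 <= len(servers) <= MAX_POOL_SIZE:
            raise ValueError("pool must hold 1 to %d servers" % MAX_POOL_SIZE)
        if mode not in (LOAD_BALANCED, FAIL_OVER):
            raise ValueError("unknown pool mode: %s" % mode)
        self.servers = sorted(servers)
        self.mode = mode
        self.dead = set()
        self._rr = 0          # round-robin cursor for load-balanced mode

    def mark_dead(self, server_id):
        self.dead.add(server_id)

    def mark_alive(self, server_id):
        self.dead.discard(server_id)

    def select(self):
        """Server ID that should receive the next request, or None when none is alive."""
        alive = [sid for sid, _ in self.servers if sid not in self.dead]
        if not alive:
            return None
        if self.mode == FAIL_OVER:
            return alive[0]             # always the lowest-ID live server
        sid = alive[self._rr % len(alive)]
        self._rr += 1
        return sid

    def dispatch(self, send):
        """Send one request; `send(server_id)` returns a response or raises TimeoutError.
        A server that times out is marked dead and the request moves to the next one."""
        while True:
            sid = self.select()
            if sid is None:
                raise TimeoutError("no RADIUS server in the pool answered")
            try:
                return sid, send(sid)
            except TimeoutError:
                self.mark_dead(sid)
```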

  18. Server Proxy Modes
  • For flexibility, each RADIUS server entry includes a proxy operating mode:
  • None – RADIUS authentication and accounting requests are forwarded directly from the Access Point to a RADIUS server (requires an IP address to be assigned)
  • Through-Controller – RADIUS authentication and accounting requests are proxied through the Wireless Controller managing the Access Point to a RADIUS server
  • Through-RF-Domain-Manager – RADIUS authentication and accounting requests are proxied through the local RF Domain Manager (elected Wireless Controller or Access Point) to a RADIUS server
  [Diagram: three RADIUS Server Pools, each reached from WLANs with Proxy Mode None, Through-Controller and Through-RF-Domain-Manager respectively]

  19. AAA Policies – Example Use Case

  20. Example Use Case (Medium / Large Deployments)
  • AAA Policies enable new redundancy models supporting up to 6 AAA servers that can be deployed anywhere on the network
  • RADIUS User Pools and Groups can also be managed centrally and assigned to Wireless Controllers and Access Points using device overrides or Profiles
  [Diagram: AAA Redundancy Example 1, 2 and 3 – user groups served by Primary, Secondary and (in Example 3) Tertiary AAA servers]

  21. Best Practices
  • Enable EAP for all proprietary or mission-critical WLANs
  • Do not use a centralized RADIUS architecture unless round-trip delay does not exceed 150 ms (this assumes you are roaming)
  • Install a valid digital certificate on all infrastructure devices providing RADIUS EAP services

  22. LAB: WLANs
  LAB 04: Simple WLAN
  • Create PSK WLAN
  • Assign to local VLAN
  • Test
  LAB 05: 802.1x Tunnelled WLAN
  • Configure onboard RADIUS server
  • Configure local user database
  • Create AAA Policy
  • Create 802.1x WLAN
  • Assign to tunnelled VLAN
  • Test

  23. Module Summary
  • Identify the maximum number of BSSID and ESSID supported on an access point radio
  • Describe the best practice for mapping ESS identifiers to BSS identifiers
  • Describe the supported encryption and authentication methods in WiNG 5.x
