Enterprise Wireless LAN Evaluation Test Plan

Enterprise Wireless LAN Evaluation Test Plan
Enterprise WLAN Test Plan
Enterprise Wireless LAN Evaluation
Test Plan
i
Enterprise WLAN Test Plan
1.0 INTRODUCTION ....................................................................................................................................... 1
2.0 ADMINISTRATION AND MANAGEMENT .................................................................................................. 2
2.1
Controller and Access Point Installation .................................................................................... 2
2.2
Managing Multiple Controller and Access Points....................................................................... 3
2.3
RF Planning and Location Tracking Services ............................................................................ 4
2.4
Controller Redundancy Configuration ....................................................................................... 5
2.5
Troubleshooting and Debugging Functions ............................................................................... 6
3.0 RF MANAGEMENT AND QUALITY OF SERVICE...................................................................................... 7
3.1
Radio Management.................................................................................................................. 7
3.2
Adaptive RF Scanning and Dynamic RF ................................................................................... 8
3.3
Co-channel Interference Mitigation ........................................................................................... 9
3.4
Channel Re-Use Management ................................................................................................. 9
3.5
Mixed Mode Client Support .................................................................................................... 10
3.6
Spectrum Load Balancing ...................................................................................................... 10
3.7
VoWLAN Scalability ............................................................................................................... 12
3.8
Voice Aware 802.1x and Inter Controller Mobility .................................................................... 13
3.9
VoWLAN End-to-End QoS ..................................................................................................... 14
3.10
Multicast Video Distribution over WLAN.................................................................................. 15
3.11
Enterprise 802.11n Mesh ....................................................................................................... 16
4.0 NETWORK AND WIRELESS SECURITY ................................................................................................. 17
4.1
Security Architecture.............................................................................................................. 17
4.2
Access Rule and Policy Definitions......................................................................................... 18
4.3
User Authentication................................................................................................................ 19
4.4
Guest User Access ................................................................................................................ 20
4.5
Wireless Intrusion Detection Services (WIDS)......................................................................... 21
4.6
Blacklisting ............................................................................................................................ 22
5.0 L2 L3 FUNCTIONS AND REMOTE OFFICE SOLUTIONS ........................................................................ 23
5.1
L2 L3 Functions ..................................................................................................................... 23
5.2
Remote Office Solutions......................................................................................................... 24
ii
Enterprise WLAN Test Plan
1.0 Introduction
This document outlines the test plan to evaluate an enterprise WLAN solution and it is prepared to meet
the different set of network infrastructure deployment, management, RF performance, quality of service
and security requirements. The results of the tests conducted as a part of the evaluation provides the
evaluator with the data required to compare different WLAN solutions and make an educated choice on
the right solution.
The different parameters that should be considered by an evaluator before choosing the solution are:
Section
Test
2.0
ADMINISTRATION and MANAGEMENT
3.0
RF MANAGEMENT and QUALITY OF SERVICE
4.0
NETWORK and WIRELESS SECURITY
5.0
L2-L3 FUNCTIONS and REMOTE OFFICE SOLUTIONS
This test plan has been divided into different sections for the different areas that need to be tested and
compared when evaluation a wireless LAN solution. While some of the test cases are designed to see if
the WLAN solution under test can support a particular feature, some are explained in detail and require
deployment of a WLAN testbed and (possibly repeated) execution of the test item.
The WLAN solution under test should interoperate with wireless clients from different vendors at the same
level without causing performance degradation. It is advised that performance and mobility tests are
executed against different type of clients to get the best performance metrics from different WLAN
equipment vendor solutions.
Each section has a set of test cases. Each of the test cases has been presented in the following format:
Test case
Description for different
items to test
Results
1
Enterprise WLAN Test Plan
2.0
Administration and Management
This section includes the test cases that validate the support for required set of administrative and
management functions for an enterprise WLAN solution.
2.1
Controller and Access Point Installation
Test Case
Verify that the WLAN solution offers an easy way to install WLAN controllers and
access points within the WLAN infrastructure.
Test Items
1. Verify that the WLAN controller can be configured with multiple IP interfaces
easily and management IP address can be any of the ones configured. Verify
that specific access rules can be assigned (eg. source subnet) during the
management access to the WLAN controller.
2. Verify that WLAN controller can be setup through the web user interface
during initial installation or through the setup dialog using the serial console.
3. Verify that AP installation, SSID configuration, AAA configuration and access
rule definitions can be configured through the use of setup wizards – instead
of requiring navigation through different set of configuration windows.
4. Verify that both external antenna and integrated antenna versions of 802.11n
access points can be fully functional with 802.3af PoE – external power
injectors or high power switches should not be required.
5. Verify that the successful communication path between the authentication
server (eg. RADIUS) can be tested from within the controller, without requiring
an external wireless client.
6. Verify that WLAN controller offers copper Gigabit Ethernet, SFP Fiber Gigabit
Ethernet, 10Gbps Ethernet, Ethernet Port Channel connectivity options to the
existing wired network infrastructure in order to enable ease of deployment.
7. Verify that WLAN controller can be installed in a “bump in the wire”
configuration with one or more of the Ethernet ports ‘serving’ access points
and other Ethernet ports ‘serving’ the applications and networked users.
8. Verify that the WLAN controller comes with a defined set of network access
rules (eg. guest, voice, etc.), network services definitions (eg. HTTP, FTP) in
order to reduce the setup time for user policy management
Results
1–
2–
3–
4–
5–
6–
7–
8–
2
Enterprise WLAN Test Plan
2.2
Managing Multiple Controller and Access Points
Test Case
Verify that the WLAN solution offers a reliable and efficient way to manage a multicontroller multiple AP network. Note down the extra operational requirements if the
WLAN solution requires the use of a Network Management System (NMS) to execute
the related set of functions.
Test Items
1. Verify the support for fast and reliable upgrade for controllers and APs –
record the expected time of upgrade for a controller supporting 200 APs.
2. Verify the support for “no-touch” pre-configuration (access points not active
and connected to the controllers) of AP SSID, radio configuration, enc-type,
rate, mode of operation, VLAN, rf-mgmt, etc. properties
3. Verify the support for online or offline provisioning of “groups” of APs from
within the WLAN controller
4. Verify the support for central management (configuration, monitoring, updates,
etc.) of AAA Services, Wireless Intrusion Detection Services (WIDS), access
control, mobility, RF management services within the multi-controller network
– configuration on one of the controllers should be automatically synchronized
to the other controller within the WLAN.
Results
1–
2–
3–
4–
3
Enterprise WLAN Test Plan
2.3
RF Planning and Location Tracking Services
Test Case
Verify that the WLAN solution offers built-in RF planning and location tracking services
for multiple client devices. Note down the extra operational requirements if the WLAN
solution requires the use of an NMS solution to execute the related set of functions.
Note if the solution requires ‘RF fingerprinting’ (manual measurement of signal
strength) in order to enable accurate location tracking information.
Test Items
1. Verify the support for a central RF planning management within a multiple
controller WLAN with multiple “building”, “floor” definitions
2. Verify the support for “sensor” planning, as well as the AP planning, as part of
the capacity and coverage planning
3. Verify the support for live RF heatmap visualization based on SNR, RSSI,
coverage rate, etc. after the access points are deployed
4. Verify the support for real-time location tracking of multiple client devices,
interfering APs, etc. Note down the number of appliances (WLAN controller,
NMS, location tracking appliance, etc.) to enable accurate tracking of clients
5. Verify the support for re-optimization of RF plan data after manual changes to
the coverage / capacity / AP placement information. After access point
placement is changed, location tracking information should be updated by the
infrastructure automatically (another round of RF fingerprinting data should not
be required).
Results
1–
2–
3–
4–
5–
4
Enterprise WLAN Test Plan
2.4
Controller Redundancy Configuration
Test Case
Verify that the WLAN solution offers easy-to-manage redundancy architecture and
fast-recovery for critical pieces of the WLAN solution.
Test Items
1. Verify that the APs and Sensors can be deployed to support active-active and
active-standby N to 1 redundancy scenarios. Test and note down the recovery
time for the real client data traffic.
2. Verify that the WLAN solutions offers Offline design and deployment of
redundancy architecture without requiring the APs to be online or without
storing the active / standby controller information on the access points, in
order to ease of network deployment during moves, adds and changes
3. Verify that the WLAN solution offers controller redundancy for “centralized”
mobility, AAA, RF management, WIPS Services as part of a WLAN
Results
1–
2–
3–
5
Enterprise WLAN Test Plan
2.5
Troubleshooting and Debugging Functions
Test Case
Verify that the WLAN solution offers several ways to debug and troubleshoot client,
AP, controller, mobility, authentication related problems.
Test Items
1. Verify that the WLAN solution offers “real-time” (without disrupting active
clients on the radios) packet capture on the APs
2. Verify that the WLAN solution provides support for Ethereal / Wireshark,
Omnipeek or any other enterprise analyzer tools for real-time packet capture
3. Verify that the real-time packet capture can be configured with filters based on
src/dst 802.11 MAC, packet type, etc.
4. Verify that the WLAN controller support port mirroring on the Ethernet ports
present on the controller
5. Verify that the WLAN controller supports packet capture on the control path, in
order to quickly resolve any authentication, encryption related issues
6. Verify that the individual L3-L7 “sessions” for a client device can be monitored
for debugging, authentication and health monitoring
7. Verify the ability to perform controller log search, logging level definitions,
generate / view / download tech-support logs directly from the WLAN controller
webUI and/or network management system
8. Verify the ability to monitor the internal voltage readings, temperature state,
fan status, and similar hardware readings on the WLAN controllers
Results
1–
2–
3–
4–
5–
6–
7–
8–
6
Enterprise WLAN Test Plan
3.0
RF Management and Quality of Service
This section includes the test cases that aim to validate the enterprise grade voice over Wi-Fi service
support for the WLAN solution.
3.1
Radio Management
Test Case
Verify that the WLAN solution can offer high performance RF connectivity to
802.11abgn wireless clients and is capable of managing RF and traffic management
capabilities to offer reliable throughput for end user applications.
Test Items
1. Intel 4965agn, Intel 5300agn, Broadcom 4321agn and Atheros agn, 11n
capable, internal WLAN NICs should be made part of the test plan and the
client mix – as they are the most widely available client types in the market
today.
2. Ensure that the system under test can perform RF scanning (a) for wireless
security purposes (b) to monitor the availability (error rates, retry rates, noise
floor, etc.) of other 802.11 channels.
3. As the RF scanning continues, ensure that system under test is able to select
best channel of operation and power level automatically for each of the APs
deployed – without requiring manual intervention. This is required in order to
move away from neighbor interference and noise, act as a good neighbor, and
maximize per AP and overall network performance.
4. Channel and power changes on the AP should cause AP reboots and
extended periods of service outages.
5. Verify that all APs within a WLAN discover their neighbors and channel
selection decisions are performed as a system, instead of on a per AP basis
6. With multiple APs, ensure that the system under test is able to automatically
create channel blankets by assigning different channels to different APs
dynamically without requiring network admin involvement for static channel
assignments per AP – hence improving the total available network capacity at
any given location within the WLAN.
Results
1–
2–
3–
4–
5–
6–
7
Enterprise WLAN Test Plan
3.2
Adaptive RF Scanning and Dynamic RF
Test Case
As the RF scanning is performed within the WLAN, system under test should make
sure that high load of client traffic and delay sensitive applications are not adversely
affected. Verify that the WLAN solution can offer mechanisms to adapt to presence of
different applications and high load on the radio as it decides to perform RF scanning
and channel/power change functions.
Test Items
1. During a voice call test, system under test should be capable of understanding
whether the call is in place or not, and delaying RF scanning activities
accordingly. Turning off RF scanning completely should not be an acceptable
solution. Delaying RF scanning due to presence of traffic on the voice queue
should not be accepted as well, since this approach is prone to errors.
2. During high load 11n performance tests, system under test should be capable
of delaying RF scanning activities in order to prevent high data loss. Threshold
in which this protection takes place should be configurable by the network
administrator.
3. System under test should also support a mechanism to define different set of
delay sensitive applications where RF scanning delay would be required –
hence should be scalable for future applications.
Results
1–
2–
3–
8
Enterprise WLAN Test Plan
3.3
Co-channel Interference Mitigation
Test Case
As the WLANs are pervasively deployed with multiple APs in a single floor, co-channel
interference (where multiple APs operate in the same channel) management becomes
important. This is especially true in 2.4GHz (where there are only 3x 20MHz channels
for client devices to work with), multi-story buildings (as inter-floor co-channel
interference increases) and voice deployments (as most voice clients require 2.4GHz
operation).
Test Items
1. With multiple APs operating in close proximity and on the same 2.4GHz
channel, associate multiple 11n 20MHz clients (at least one per AP), and run
data throughput test across all clients. Make sure that the total throughput of
the channel is around the same as one would get with a single AP and single
client. This is to ensure that the performance of the system under test does not
degrade as more APs and clients are made part of the same channel.
2. Repeat the test with 11bg 20MHz clients.
3. Repeat the test in 5GHz band with 11n 40MHz clients.
4. Repeat the test in 5GHz band with 11a 20MHz clients.
Results
1–
2–
3–
4–
3.4
Channel Re-Use Management
Test Case
As multiple number of APs are deployed as part of a WLAN, the 802.11 channels
available for use by the access point radios (3x 20MHz channels in 2.4GHz, and 8x
(22x if DFS capable) 20MHz 5GHz channels) are limited in number. Hence the “reuse” of these channels at as shorter distances as possible for increased performance
of the WLAN is desirable.
Test Items
1. With two APs operating at 100ft away from each other on the same 2.4GHz
channel (say channel 6), associate 11n 20MHz clients (at least one per AP)
nearby to the APs, and run data throughput test across all clients. Make sure
that the total throughput of the channel is higher than the total of the channel
capacity measured – the increase is due to the re-use of the channel by the
APs under test.
2. Repeat the test in 40MHz 5GHz band in channel 36+.
Results
1–
2–
9
Enterprise WLAN Test Plan
3.5
Mixed Mode Client Support
Test Case
Different types and speeds of client devices should be supported within a WLAN
infrastructure. System under test should provide methods that offer preferred access to
faster clients against slow clients – in order to prevent old legacy clients to adversely
affect overall network performance. This method of preferred access should be
adaptive to the number of clients in each category and should not require any static
bandwidth contracts assigned to different client types.
Test Items
1. Associate an 802.11b and 802.11g client to a 2.4GHz radio. Run simultaneous
throughput test against each client, and make sure that 802.11g client gets its
fair share to the channel and achieves higher throughput compared to the
802.11b client.
2. Repeat the same test with 802.11b, 802.11g and 802.11n clients.
3. Repeat the same test with 802.11a and 802.11n clients.
4. Repeat the same test with two 802.11g clients – one of them nearby the AP
and the other one 20-30m away from the AP
5. Repeat the same test with two 5GHz 40MHz 802.11n clients – one of them
nearby the AP and the other one 20-30m away from the AP
Results
1–
2–
3–
4–
5–
3.6
Spectrum Load Balancing
Test Case
Verify that the WLAN solution offers a method to load balance different types of
wireless clients across different radios with different channels.
One of the key features required in an enterprise WLAN is the capability to load
balance wireless clients across different APs and radios in order to maximize the
available bandwidth for each client, and increase the overall network performance.
Since the bottleneck in terms of WLAN performance is measured by 802.11 channels
available, system under test should offer a method to load balance clients across
different 802.11 channels – considering noise, interference, traffic load, client load as
the criteria during load balancing of wireless clients.
Test Items
1. Enable multiple data clients (preferably more than 10) across three different
APs operating in 5GHz band. Make sure that all APs assign different channel
of operation to different APs, and all clients are load-balanced properly across
these three different channels based on the criteria mentioned above.
2. Repeat the same test with all the APs configured with 2.4GHz band only.
Results
1–
2–
10
Enterprise WLAN Test Plan
11
Enterprise WLAN Test Plan
3.7
VoWLAN Scalability
Test Case
Verify that the WLAN solution offers several methods and features to implement a
scalable and secure VoWLAN infrastructure
Test Items
1. Verify the support for data and voice services on the single SSID & VLAN,
while providing separate access rules & access policies for different types of
users for security & end-to-end QoS purposes. It is critical to support
“converged” devices & platforms for scalable VoWLAN implementations.
2. Verify that the WLAN infrastructure can automatically classify a VoWLAN
session even if the QoS settings are not programmed. This should apply to
widely used protocols such as SIP.
3. Verify the support for client-agnostic battery life enhancements such as
broadcast / multicast traffic to unicast conversion, large DTIM-value
configuration for power-save clients, proxy ARP, VRRP / HSRP traffic filtering.
4. Verify that the APs support active load balancing (call-admission-control
(CAC)) functions for voice in order to to prevent “starvation” for the data clients
on the access points in the presence of high load of voice traffic.
5. Verify that the CAC functions can preemptively move inactive clients between
APs to accommodate for better “multi-tier” load balancing.
6. Verify that the CAC functions can be configured separately for different set of
VoWLAN protocols (SIP, SVP, etc.)
7. Verify the support for “Push-to-Talk” function as part of the VoWLAN solution.
Results
1–
2–
3–
4–
5–
6–
7–
12
Enterprise WLAN Test Plan
3.8
Voice Aware 802.1x and Inter Controller Mobility
Test Case
Verify that the WLAN solution offers methods to protect QoS assignments to different
traffic flows as clients are enabled with 802.1x and as they roam across WLAN
controllers
Test Items
1. Verify the support for end to end QoS after clients roam from one WLAN
controller to the other; confirm that the mobility tunnel between foreign and
home agent controllers carry the appropriate DSCP/802.1p tags across for
end-to-end QoS
2. Verify the availability of an option to dynamically change the home agent of a
voice client after it roamed to a new controller and after the voice call has
ended, in an effort to reduce the infrastructure delays within mobility tunnels
across different controllers
3. Verify that 802.1x unicast and multicast re-keying does not take place in the
middle of a voice call and the WLAN controller has the intelligence to delay the
re-keying until the end of a voice call.
Results
1–
2–
3–
13
Enterprise WLAN Test Plan
3.9
VoWLAN End-to-End QoS
Test Case
Verify that the WLAN solution offers the required set of features to provide end-to-end
QoS for voice deployments
Test Items
1. Verify that the system under test can mark particular “sessions” of VoWLAN
traffic with desired DSCP & CoS values, in case they are not marked outside
of the system under test. Verify that such DSCP mappings can be customized
to be mapped against AP radio WMM (802.11e) queues for ease of
deployment.
2. Verify that the stateful VoWLAN protocols (eg. SIP) are provided same level of
QoS service when they are using dynamic ports.
3. Verify that the QoS configuration changes do not require the WLAN SSIDs to
be put out of service.
4. Verify that infrastructure provides real time stats and call status monitoring for
the voice handsets within the WLAN
Results
1–
2–
3–
4–
14
Enterprise WLAN Test Plan
3.10
Multicast Video Distribution over WLAN
Test Case
Verify that the WLAN solution will provide an efficient method to transfer multicast
video from wired servers to wireless clients, without overloading the wireless network
and without adversely affecting the quality of the video services.
Test Items
1. System under test should perform intelligent forwarding of multicast on the
wire by utilizing IGMP proxy within the WLAN controller which would eliminate
the need to deploy a multicast router.
2. IGMP proxy will also control which APs would receive the multicast data; the
ones that do not have any clients subscribed to multicast data should not
receive traffic, saving wired bandwidth.
3. System under test should perform intelligent forwarding of multicast on
wireless by making sure that multicast traffic should be transmitted from the
APs towards the clients with unicast 802.11 header. This would allow higher
bandwidth within the WLAN for data (since it will allow unicast 802.11 rates to
be utilized), provide quality of service over data traffic and improve video
quality by enabling 802.11 acknowledgements between the AP and the
wireless client.
4. Dynamic RF scanning and automatic channel assignment functions should
adapt to the presence of video traffic on the air – WLAN controller should
provide the option for APs not to perform RF scanning and change channels in
order to prevent disruptions in video quality.
Results
1–
2–
3–
15
Enterprise WLAN Test Plan
3.11
Enterprise 802.11n Mesh
Test Case
Verify that the 802.11n access points within the WLAN solution provide enterprise
mesh functionality in order to enable high performance wireless backhaul – in order to
enable RF coverage for locations that are hard to reach with Ethernet cabling.
Test Items
1. Verify that access points can be configured as mesh portals and mesh points
without any additional license required on the APs or the WLAN controller.
2. Verify that mesh functionality can be enabled on any 802.11n access point
radio without disrupting client access – mesh backhaul and WLAN access can
be enabled simultaneously on the same radio.
3. Verify that wireless mesh across multiple access points offer self healing and
auto recovery of mesh tree in case of failures within the mesh links.
4. Verify that wired Ethernet (eg. secure video cameras) traffic backhaul can be
enabled across the mesh links. Also verify that user traffic can be locally
bridged on the mesh access point without traveling to the WLAN controller.
Results
1–
2–
3–
4–
16
Enterprise WLAN Test Plan
4.0
Network and Wireless Security
This section includes the test cases that aim to validate the enterprise grade security services support for
the WLAN solution.
4.1
Security Architecture
Test Case
Verify that the WLAN solution offers an enhanced architecture in order to meet the
scalability and performance requirements of a secure WLAN solution
Test Items
1. Verify the support for session and application aware security through the use
of a built-in stateful firewall that is capable of detecting and preventing L3 and
higher level attacks. Note down whether it is ICSA Labs Corporate Firewall
certified or not.
2. Verify that the WLAN controllers contain a dedicated “crypto” processor for
centralized encryption and decryption besides the network processor. Note
down the performance in Gbps of this processor. Verify that all encryption and
decryption processes take place on the WLAN controller.
3. Verify that the WLAN gear under test is FIPS certified for user data encryption
and decryption functions, and ICSA Labs WLAN Security and Common
Criteria certified for wireless IDS functions.
4. Verify that the WLAN controller detects and prevents ping, session, TCP SYN,
TCP RST attacks from the internal users accessing the network.
5. Verify that the WLAN solution offers a syslog parser and XML API for 3rd party
wired IDS integration (eg. Fortinet), content filtering services (eg. Snort,
Fireeye) to provide blacklisting or quarantine of wireless users in order to
protect the network against internal threats.
Results
1–
2–
3–
4–
5–
17
Enterprise WLAN Test Plan
4.2
Access Rule and Policy Definitions
Test Case
Verify that the WLAN solution offers wide-variety of options to configure access rules
and easy administration of security policies for different groups of users.
Test Items
1. Verify the support for src / dst IP, src / dst port (TCP and UDP), src / dst net
configuration options within access rule definitions
2. Verify the support for “logging”, “reject” options for the access rules that will
provide easy client activity monitoring and troubleshooting (Note: “reject”
should provide ICMP unreachable message back to sender)
3. Verify the support for “ToS / CoS” assignments within the access rule definition
that will help to provide end-to-end QoS for high-quality applications
4. Verify the support for “time-of-day” option within the definitions of the access
rules that will provide restricted access management capabilities
5. Verify the support for “blacklist” option for the access rules that will provide
deep-level of security against internal threats (eg. Voice SSID being used to
access other network resources in a WLAN)
6. Verify the support for “destination NAT and source NAT” options for the access
rules and/or access policies that can drastically simplify WLAN implementation
details and reduce deployment time
Results
1–
2–
3–
4–
5–
6–
18
Enterprise WLAN Test Plan
4.3
User Authentication
Test Case
Verify that the WLAN solution offers various ways to enhance the security architecture
and performance of the WLAN network by providing enhanced authentication functions
Test Items
1. Verify that the access rules and access policies can be driven based on
several administrator defined criteria, such as client SSID, BSSID, encryptiontype, location, authentication method used (user and server derivation rules)
2. Verify that the WLAN solution is able to apply different set of access policies to
different set of users within the same VLAN and SSID, providing better
scalability and security for the WLAN
3. Verify the support for “wired” authentication for client devices that will enable
same set of security and AAA rules / policies for the client devices whether
they are using the wireless network or the wired network. This is crucial in
supporting “wired” and “wireless” integration by providing single authentication
and authorization medium for the same client within the enterprise
4. Verify the support for “two-tier” authentication for increased security – eg.
802.1x with Captive Portal, MAC-auth with VPN etc
Results
1–
2–
3–
4–
19
Enterprise WLAN Test Plan
4.4
Guest User Access
Test Case
Verify that the WLAN solution offers extensive set of capabilities in terms of guest user
account management and guest WLAN security
Test Items
1. Verify that WLAN controllers under test support multiple captive portal
instances, each assigned to a different type or location of guest users.
2. Verify that guest users can be limited to certain amount of ‘air time’ on 802.11
Wi-Fi in order not to waste available ‘air time’ and prevent access to resources
by the employee / staff.
3. Verify that guest users can be limited to certain amount of upstream and
downstream packet per second data rate on the wire in order not to waste
available LAN and WAN resources.
4. Verify that guest user accounts can be created through a customizable user
interface on the controller where company information, visitors name, email
address and other personal information can be entered
5. Verify that WLAN controller implements an integrated SMTP client so that
guest user information can be emailed to the guest – in order to prevent
requiring interaction with a receptionist and to verify the validity of the email
address provided during the account creation.
6. Verify that within the same SSID, different types of guests can be serviced
with different network access rules, bandwidth definitions, etc.
7. Verify that the guest network SSID can be disabled during certain time of day
– for instance after 5pm through 8am next day
Results
1–
2–
3–
4–
5–
6–
7–
20
Enterprise WLAN Test Plan
4.5
Wireless Intrusion Detection Services (WIDS)
Test Case
Verify that the WLAN solution offers an extensive WIDS support for increased
enterprise-level WiFi security.
Test Items
1. Verify the support for “rogue AP aware” dynamic RF management, where the
APs change channel to attack an unsecure rogue AP
2. Verify the support for “auto-classification” of unsecure and interfering rogue
APs and clients
3. Verify the support for “auto-containment” of unsecure rogue APs and clients
(wired ARP poisoning, wired switch shutdown and/or wireless deauth)
4. Verify the support for “auto-containment” of adhoc networks, honeypot APs,
and of misconfigured APs (based on SSID, enc-type, channel, AP MAC OUIs,
etc.)
5. Verify the support for Auth, Assoc, Probe, Disassoc, Deauth frame rate
analysis per channel and / or per device MAC with threshold configuration
6. Verify the built-in support to detect well-known WiFi attack signatures. Verify
the ability to add new signatures based on BSSID, src-dst MAC, frameType,
payload, seq numbers, etc.
7. Verify the support to auto-detect spoofed disassociation, deauthentication,
broadcast deauth, fakeAP based on SSID/BSSID, the use of weak IV for WEP
encryption, sequence number anomalies and EAP handshake anomalies
8. Verify the support to prevent “valid enterprise clients” roaming to interfering
neighbor access points
9. Verify the support for preventing Man In the Middle Attacks (MITM) by
disabling disassoc / deauth processing on the access points
Results
1–
2–
3–
4–
5–
6–
7–
8–
9–
21
Enterprise WLAN Test Plan
4.6
Blacklisting
Test Case
Verify that the WLAN solution offers several ways to prevent external and internal
threats to the WLAN network clients, infrastructure and data.
Test Items
1. Verify the support to “blacklist” a client after crossing a configurable threshold
of authentication failures. Note down if the functionality is support for all authmethods: 802.1x, Captive Portal, VPN, MAC, MachineAuth
2. Verify that a client that is under attack by an impersonation AP (another form
of MITM attack) can be blacklisted for a pre-defined period of time
3. Verify that, as a result of frame rate analysis, clients that cross the pre-defined
thresholds can be blacklisted
4. Verify that clients can be blacklisted on demand
5. Verify that clients can be blacklisted for a pre-defined configurable period of
time or indefinitely
6. Verify that access rule and access policy definitions can blacklist a client as a
result of an attempt to access other data resources within the network (eg.
client device trying to access data resources while within voice access policy)
Results
1–
2–
3–
4–
5–
6–
22
Enterprise WLAN Test Plan
5.0
L2 L3 Functions and Remote Office Solutions
This section includes the test cases that aim to verify the WLAN solution support for L2-L3 switching /
routing features that significantly reduces the complexity and duration of a WLAN deployment, while
enabling additional set of services / solutions as part of the WLAN infrastructure.
5.1
L2 L3 Functions
Test Case
Verify that the WLAN solution offers an enhanced set of switching and routing
functionalities to provide ease of integration to today’s wired networks as an “overlay”.
Test Items
1. Verify that the WLAN controller supports 802.1q tagging, STP protocol, policy
enforcement and L2 Ethernet bridging on its interfaces
2. Verify that WLAN controller supports static IP routing and OSPF routing in the
WLAN controller in order to ease controller deployment
3. Verify that the WLAN controllers also support L2 and L3 GRE tunnel
rd
configuration (interoperable with 3 party routers and switches) to enable
improved security and increased flexibility during deployment
4. Verify that the WLAN controllers can support bandwidth contract on a per
VLAN basis
Results
1–
2–
3–
4–
23
Enterprise WLAN Test Plan
5.2
Remote Office Solutions
Test Case
Verify that the WLAN solution offers an enhanced set of features to enable same level
of mobility, AAA and security functions at SOHO deployments, branch offices and
regional offices
Test Items
1. Verify that WLAN controllers support site-to-site VPN functionality in order to
easily “extend” the reach of a WLAN across different sites without requiring
external VPN firewall appliance installations
2. Verify the support for IPSec and NAT traversal enabled remote AP that will act
as an enterprise AP in a remote location but managed centrally
3. Verify the support for local traffic termination as part of the remote AP
functionality; verify that local traffic and centralized traffic flows can be enabled
on the same SSID on the remote AP with the use of split tunneling
4. Verify that the per user policy enforcement on the remote AP is performed on
a per user basis with stateful firewall
5. Verify that the WLAN controller Ethernet ports can be configured to terminate
PPPoE and dynamically assign IP addresses to VLANs through DHCP
6. Verify that the access points support a second Ethernet port for wired user
authentication (eg. 802.1x) or wired VoIP phone support
Results
1–
2–
3–
4–
24
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement