Cisco Unified Wireless Networking v4.1

© 2007 Cisco Systems, Inc. All rights reserved.
CUWN v4.1 Course Overview-1
Enterprise WLAN Issues
Quotes from Cisco Unified Wireless customers and partners:
“I don’t trust my wireless network because I have no idea what is happening within it” – Bear Stearns
“We don’t think our wireless network can support the addition of voice” – Boeing
“Our wireless network can support email, but we would not use it for business critical applications” – Duke Hospital
“When the network goes down, we lose money” – Pacific Exchange
“We can’t hire any additional staff for our Wireless LAN” – HP Pavilion
Enterprise WLAN Issues (Cont.)
New paradigm for information technology (IT) managers:
• Must efficiently utilize limited bandwidth
• Coverage holes adversely affect service
• Coverage area will change with time
• Interference can be a factor
• Inherent security issues
It is easy to plug in an access point, but it is difficult to build a business-critical enterprise WLAN...
Cisco Unified Wireless Enterprise Solution
The First Intelligent & Integrated WLAN for Business Critical Applications
[Architecture diagram] The Location Server and the Wireless Control System manage the WLAN Controllers over SNMP; the WLAN Controllers (44xx WLAN Controller, 3750G Integrated WLAN Controller, 2106 WLAN Controller, blade-based controllers) manage the Access Points over LWAPP. Functions shown: Location Services, Mobility Management, Grouping & Redundancy, Security, Real-Time RF Management.
Single Integrated WLAN System
[Diagram] The Cisco Wireless LAN Controller and the Wireless Control System sit on the switched/routed network and integrate functions that otherwise need separate products: Capacity Management, RF Management, Mobility/VPN (e.g., Bluesocket), Security Management, Location Tracking (e.g., Newbury) and Air Monitoring (e.g., Air Defense). Cisco Wireless Access Points take the place of dedicated rogue sensor access points.
Functions of the integrated system:
• WLAN service
• User authentication
• Data encryption
• Capacity management
• RF management
• Dynamic RF control
• WLAN protection
• Location tracking
• Centralized management
“Intelligent RF” Requirements
Site survey only captures a moment in time… the RF environment is constantly changing:
• Interference levels
• Signal to noise ratio
• Signal quality & coverage
• Throughput & load
An intelligent WLAN system must adapt in real time…
• Control channel & power
• Manage signal coverage
• Manage interference & noise
• Measure distance accurately
Dynamic RF Management
[Diagram] Cisco Wireless LAN Controllers exchange control and data with Cisco Wireless Access Points over LWAPP within an RF Domain.
Management functions:
• Channel assignment
• Transmit power adjustment
• Interference avoidance
• Coverage hole management
• Load balancing
• Capacity management
[Screenshot] Wireless > 802.11a or 802.11b/g Network > Auto RF (Cont.); also shown as Wireless > 802.11a/n or 802.11b/g/n > RRM > Auto RF
AP Modes
Cisco APs of the 10xx series (e.g., 1030) can be configured to operate in various modes:
• Local
• REAP
• Monitor
• Rogue Detection
• Sniffer
• Bridge
Operational modes of IOS-converted APs (1130, 1230, 1240 series):
• Normal (Local) mode
• HREAP
• Monitor/scanner mode
• Rogue Detector mode
• Sniffer mode
[Screenshot] Wireless > Access Points > All APs > Detail
Access Point Local Mode Monitor Timing
[Timing diagram] 802.11b/g, AP on channel 1: the radio stays on its home channel 1 for 13 s, goes off-channel for 60 ms to scan one other channel, and returns home; the scanned channel advances each time (2, 3, 4, 5, 6, 7, …), so the visited sequence is 1, 2, 1, 3, 1, 4, 1, 5, 1, 6, 1, 7, 1, …
Round trip = 180 seconds if Noise Measurement parameter set to 180
[Timing diagram] 802.11a, AP on channel 36: 10 s on the home channel, 60 ms on each scanned channel; the visited sequence is 36, 40, 36, 44, 36, 48, 36, 52, 36, 56, 36, 60, 36, 64, 36, 149, …
Round trip = 180 seconds if Noise Measurement parameter set to 180
Access Point Monitor Mode — Monitor Timing
[Timing diagram] 802.11b/g: 1.1 s on each channel in turn: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, …
Round trip = 1.1 seconds * number of channels
[Timing diagram] 802.11a: 1.1 s on each channel in turn: 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161, …
Round trip = 1.1 seconds * number of channels
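The two timing slides above decide how long a rogue or interferer on a given channel can go unheard: a local-mode AP only leaves its home channel for 60 ms per scan, whereas a monitor-mode AP visits every channel every cycle. The model below is an added example (not Cisco code) that builds both schedules and computes the worst-case wait between visits to a channel. It takes the slides' figures as given (13 s / 10 s home dwell, 60 ms off-channel, 1.1 s per monitor-mode channel); the channel lists are constructed, and because the slides' dwell times are rounded the local-mode cycle sums to roughly 170 s rather than the stated 180 s.

```python
"""Off-channel scan schedules for local mode and monitor mode (added example).

Assumptions, labelled: the channel plans below are constructed; dwell times are
the figures printed on the slides. The schedule shape (home, other, home, other,
...) is read from the slides' channel sequences.
"""

OFF_CHANNEL_DWELL = 0.060   # seconds on each scanned channel in local mode (slide)
MONITOR_DWELL = 1.1         # seconds per channel in monitor mode (slide)

BG_CHANNELS = list(range(1, 15))                                    # 1..14, constructed
A_CHANNELS = [36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112,
              116, 132, 136, 140, 149, 153]                         # constructed plan


def local_mode_schedule(home, channels, home_dwell):
    """One local-mode round trip as [(channel, seconds), ...].

    The radio returns to `home` for `home_dwell` seconds before every
    60 ms off-channel scan, exactly as the slide's 1,2,1,3,1,4,... sequence.
    """
    others = [c for c in channels if c != home]
    sched = []
    for c in others:
        sched.append((home, home_dwell))
        sched.append((c, OFF_CHANNEL_DWELL))
    return sched


def monitor_mode_schedule(channels):
    """Monitor mode: every channel in turn, 1.1 s each."""
    return [(c, MONITOR_DWELL) for c in channels]


def round_trip(schedule):
    """Total seconds for one pass through the schedule."""
    return round(sum(t for _, t in schedule), 3)


def max_gap_between_visits(schedule, channel):
    """Longest time the radio is away from `channel` when the schedule repeats.

    This is the worst-case wait before a device on `channel` can be heard.
    Two cycles are unrolled so the wrap-around gap is included.
    """
    t = 0.0
    last_left = None   # time the radio last left `channel`
    gap = 0.0
    for ch, dwell in schedule * 2:
        if ch == channel:
            if last_left is not None:
                gap = max(gap, t - last_left)
            last_left = t + dwell
        t += dwell
    return round(gap, 3)


if __name__ == "__main__":
    local = local_mode_schedule(1, BG_CHANNELS, 13.0)
    monitor = monitor_mode_schedule(BG_CHANNELS)
    print("local-mode b/g round trip (s):   ", round_trip(local))
    print("monitor-mode b/g round trip (s): ", round_trip(monitor))
    print("worst wait to hear channel 6, local mode (s):  ",
          max_gap_between_visits(local, 6))
    print("worst wait to hear channel 6, monitor mode (s):",
          max_gap_between_visits(monitor, 6))
```

The takeaway for detection design is the ratio, not the exact numbers: a local-mode AP hears an off-channel device for 60 ms roughly once every three minutes, so a short-lived rogue can be missed entirely, while a monitor-mode AP sees the same channel every 15 s or so. That is why the course pairs data-serving local-mode APs with dedicated monitor-mode APs for rogue detection.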
Remote Edge Access Point (REAP)
First “lightweight” AP designed to be controlled across WAN links
• Designed to support remote offices by extending LWAPP control timers
• Control traffic is still LWAPP encapsulated and sent to the Cisco Wireless LAN Controller
• Client data is not LWAPP encapsulated but is locally bridged
All management control and RF management is available when the WAN link is up and connectivity to the Cisco Wireless LAN Controller is available
REAP will continue to provide local connectivity even if the WAN is down
[Diagram] Remote Office with a Cisco REAP – WAN Link (T1, DSL, FR) – Main Office; LWAPP Control crosses the WAN to the controller, User Data stays in the remote office.
[Screenshot] Monitor > Maps > Building > Floor > Add Access Points > GO > OK > Save
Cisco Wireless Access Points
• 802.11a/b/g support
• Simultaneous air monitoring & data services
• Simplified network design
• External antenna options
• Standard Model
– Thin Access Point
• Remote Edge Model 1030
– Remote office support
[Product photos] 1500 APs, 10x0 series APs, 1230 APs, 11xx APs, 1240 APs
Cisco Wireless LAN Controllers
• Enterprise reliability
• Built-in layer 1–4 security
• Centralized AP management
• Dynamic RF Management
• Appliance Models
– Gigabit Ethernet Ports
– Optional VPN Termination module
[Product photos] 44xx WLAN Controller, 3750G Integrated WLAN Controller, 2106 WLAN Controller, WLCM Controller, WiSM Controller
Layer 3 Light Weight AP Protocol (LWAPP)
• Layer 3 LWAPP is in a UDP / IP frame
• Cisco Wireless LAN Controller and AP can be either directly connected, connected to the same VLAN/subnetwork, or connected to a different VLAN/subnetwork
• Requires Cisco AP to obtain an IP address using DHCP
[Diagram] A Cisco AP in Layer 3 mode carries LWAPP across the routed network to the controller.
LWAPP Protocol
LWAPP issues the following request-response sequence to complete discovery and configuration of APs:
• AP will first broadcast an LWAPP Discovery Request
• The controller will respond with an LWAPP Discovery Response
• AP will next send an LWAPP Join Request
– The AP will include its X.509 certificate in the exchange
• The controller will respond with an LWAPP Join Reply
– The controller will include its X.509 certificate in the exchange
– A successful exchange allows an AES TLS tunnel to secure subsequent exchanges
• Upon a successful Join completion, the AP will send an LWAPP Configuration Request
• The controller will respond with an LWAPP Configuration Response
• LWAPP carries measured RF information to controllers
• Controller sends configuration updates via LWAPP
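The sequence above is a state machine with one security gate in the middle: no configuration is exchanged until both sides have presented a certificate the other trusts. The toy model below is an added example, not Cisco code or the real LWAPP wire format. It keeps only the message order and the trust check; the "certificates" are a stand-in (subject, issuer, HMAC tag under a constructed CA secret) for the X.509 certificates the slide mentions, and the AES/TLS protection of later messages is not modelled.

```python
"""LWAPP discovery / join / configuration flow with a mutual trust check.

Added example. Everything here is constructed: the CA secret, the issuer name,
the message dictionaries. It models control flow only, not LWAPP framing.
"""
import hashlib
import hmac
from dataclasses import dataclass

CA_SECRET = b"constructed-ca-secret"          # stand-in for the CA's signing key
TRUSTED_ISSUER = "Example-Manufacturing-CA"   # constructed issuer name


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    tag: bytes       # stand-in for a CA signature over the subject


def issue_cert(subject, issuer=TRUSTED_ISSUER, secret=CA_SECRET):
    tag = hmac.new(secret, subject.encode(), hashlib.sha256).digest()
    return Cert(subject, issuer, tag)


def cert_is_trusted(cert, issuer=TRUSTED_ISSUER, secret=CA_SECRET):
    """Accept only certificates chaining to the trusted CA (constant-time compare)."""
    expected = hmac.new(secret, cert.subject.encode(), hashlib.sha256).digest()
    return cert.issuer == issuer and hmac.compare_digest(expected, cert.tag)


class Controller:
    def __init__(self, name, cert):
        self.name, self.cert = name, cert
        self.joined = {}     # AP subject -> "JOINED" | "CONFIGURED"
        self.log = []

    def handle(self, msg):
        kind = msg["type"]
        if kind == "DISCOVERY_REQUEST":                  # answered without any trust check
            return {"type": "DISCOVERY_RESPONSE", "controller": self.name}
        if kind == "JOIN_REQUEST":
            if not cert_is_trusted(msg["cert"]):         # the gate: untrusted AP never joins
                self.log.append(f"join refused: untrusted cert {msg['cert'].subject}")
                return {"type": "JOIN_REPLY", "status": "REFUSED"}
            self.joined[msg["cert"].subject] = "JOINED"
            return {"type": "JOIN_REPLY", "status": "OK", "cert": self.cert}
        if kind == "CONFIGURATION_REQUEST":
            if self.joined.get(msg["ap"]) != "JOINED":   # configuration only after a join
                return {"type": "ERROR", "reason": "not joined"}
            self.joined[msg["ap"]] = "CONFIGURED"
            return {"type": "CONFIGURATION_RESPONSE", "channel": 6, "tx_power": 3}
        if kind == "RF_REPORT":                          # measured RF info after configuration
            return {"type": "ACK"}
        return {"type": "ERROR", "reason": "unexpected message"}


def ap_join(ap_cert, controller):
    """Run the AP side of the slide's sequence and return the resulting state."""
    disc = controller.handle({"type": "DISCOVERY_REQUEST"})
    if disc["type"] != "DISCOVERY_RESPONSE":
        return "NO_CONTROLLER"
    reply = controller.handle({"type": "JOIN_REQUEST", "cert": ap_cert})
    if reply.get("status") != "OK":
        return "JOIN_FAILED"
    if not cert_is_trusted(reply["cert"]):     # the AP validates the controller too
        return "CONTROLLER_UNTRUSTED"
    cfg = controller.handle({"type": "CONFIGURATION_REQUEST", "ap": ap_cert.subject})
    if cfg["type"] != "CONFIGURATION_RESPONSE":
        return "CONFIG_FAILED"
    controller.handle({"type": "RF_REPORT", "ap": ap_cert.subject, "noise_dbm": -92})
    return "CONFIGURED"


if __name__ == "__main__":
    wlc = Controller("wlc1", issue_cert("wlc1"))
    print(ap_join(issue_cert("ap-0011.2233.4455"), wlc))                    # CONFIGURED
    print(ap_join(issue_cert("ap-unknown", secret=b"other-ca"), wlc))      # JOIN_FAILED
    print(wlc.log)
```

The point worth carrying into operations: the Discovery exchange is answered before any authentication, so discovery traffic alone proves nothing about an AP, while a Join Reply with status OK means the controller has validated the AP's certificate and the AP in turn validates the controller's. Refused joins are the events to log and alert on.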
AP Failover Process
[Diagram only: the AP's link to its controller is marked with an X; no further text is recoverable]
Terminology
[Diagram] A controller has physical Ports (Service Port, Console Port, data ports) and logical Interfaces (Interface 1, Interface 2, …; Interface = 512). Example interfaces: Management Interface, AP-Manager Interface, Virtual Interface, VLANs. WLANs carry SSIDs (SSID1, SSID2, …; SSID = 16).
Client Roaming within a Subnetwork
[Diagram] Two Cisco Wireless Controllers in the Blue Mobility Group, each with Cisco APs. A client moving between APs on the same controller is intra-controller mobility; moving between APs on different controllers is inter-controller mobility.
Client Roaming Across Subnetworks
[Diagram] Two Cisco Wireless Controllers in the Blue Mobility Group on different subnetworks; a client moving between them is inter-subnetwork mobility.
Cisco Wireless No Roaming
[Diagram] Client A (MAC aa, IP 4.4.4.4) is served by its Anchor Controller (4.4.4.2); a Foreign Controller (5.5.5.2) is shown but not involved. Client C (MAC cc, IP 3.3.3.3) is on subnetwork 3.3.3.0. Other MACs shown: bb, dd, ee.
Packet from client A to client C on subnetwork 4.4.4.0:
Dest MAC bb | Source MAC aa | Source IP 4.4.4.4 | Dest IP 3.3.3.3
Cisco Wireless Asymmetric Tunnel Layer 3 Roaming Data Path
[Diagram] Client A (MAC aa, IP 4.4.4.4) has roamed from its Anchor Controller (4.4.4.2, subnetwork 4.4.4.0) to a Foreign Controller (5.5.5.2, subnetwork 5.5.5.0); client C (MAC cc, IP 3.3.3.3) is on subnetwork 3.3.3.0.
1. Packet from client A to client C on subnetwork 5.5.5.0, forwarded directly by the Foreign Controller: Source MAC aa | Source IP 4.4.4.4 | Dest IP 3.3.3.3
2. Packet from client C to client A on subnetwork 4.4.4.0, arriving at the Anchor Controller: Dest MAC aa | Source MAC ee | Source IP 3.3.3.3 | Dest IP 4.4.4.4
3. Packet encapsulated Ethernet in IP from Anchor Controller to Foreign Controller: Source IP 4.4.4.2 | Dest IP 5.5.5.2
4. The Foreign Controller delivers the packet to client A.
Client traffic travels an asymmetric path.
Cisco Wireless Symmetric Tunnel Layer 3 Roaming Data Path
[Diagram] Same topology: client A (MAC aa, IP 4.4.4.4) roamed to the Foreign Controller (5.5.5.2); Anchor Controller 4.4.4.2; client C (MAC cc, IP 3.3.3.3) on subnetwork 3.3.3.0.
1. Client A sends its packet for client C to the Foreign Controller.
2. Packet encapsulated Ethernet in IP from Foreign Controller to Anchor Controller: Source IP 5.5.5.2 | Dest IP 4.4.4.2
3. Packet from client A to client C on subnetwork 3.3.3.0, forwarded by the Anchor Controller: Source IP 4.4.4.4 | Dest IP 3.3.3.3
4. Packet from client C to client A on subnetwork 4.4.4.0, arriving at the Anchor Controller: Dest MAC aa | Source MAC ee | Source IP 3.3.3.3 | Dest IP 4.4.4.4
5. Packet encapsulated Ethernet in IP from Anchor Controller to Foreign Controller: Source IP 4.4.4.2 | Dest IP 5.5.5.2; the Foreign Controller delivers it to client A.
Client traffic travels a symmetric path.
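The three roaming slides above differ only in which controller emits each packet and whether it is wrapped in Ethernet-in-IP between the anchor and foreign controllers. The model below is an added example, not Cisco code: it uses the addresses and MACs printed on the slides, represents frames and hops as plain dataclasses rather than real EoIP framing, and reports whether the outbound and return paths traverse the same set of controllers.

```python
"""Forwarding model for no-roaming, asymmetric and symmetric L3 roaming (added example).

Assumptions, labelled: addresses are those on the slides; the hop/frame
structures and the function names are my own simplification.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANCHOR = "4.4.4.2"    # anchor controller, client A's home subnetwork 4.4.4.0
FOREIGN = "5.5.5.2"   # foreign controller on subnetwork 5.5.5.0


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Hop:
    where: str                          # controller that emits the packet
    outer: Optional[Tuple[str, str]]    # (outer src IP, outer dst IP) if Ethernet-in-IP, else None
    inner: Frame


# Frames from the slides (constructed from the printed headers).
A_TO_C = Frame(dst_mac="bb", src_mac="aa", src_ip="4.4.4.4", dst_ip="3.3.3.3")
C_TO_A = Frame(dst_mac="aa", src_mac="ee", src_ip="3.3.3.3", dst_ip="4.4.4.4")


def client_path(frame: Frame, roamed: bool, symmetric: bool) -> List[Hop]:
    """Hops a frame sent by client A takes toward the wired network."""
    if not roamed:                                   # no roaming: anchor forwards locally
        return [Hop("anchor", None, frame)]
    if symmetric:                                    # tunnel back to the anchor first
        return [Hop("foreign", (FOREIGN, ANCHOR), frame),
                Hop("anchor", None, frame)]
    return [Hop("foreign", None, frame)]             # asymmetric: foreign sends it directly


def return_path(frame: Frame, roamed: bool) -> List[Hop]:
    """Frames addressed to client A always land on the anchor, which owns A's subnet."""
    if not roamed:
        return [Hop("anchor", None, frame)]
    return [Hop("anchor", (ANCHOR, FOREIGN), frame),  # Ethernet-in-IP to the foreign controller
            Hop("foreign", None, frame)]              # foreign delivers over the air


def path_is_symmetric(out_frame: Frame, back_frame: Frame, roamed: bool, symmetric: bool) -> bool:
    """True when both directions cross the same set of controllers."""
    out_devices = {h.where for h in client_path(out_frame, roamed, symmetric)}
    back_devices = {h.where for h in return_path(back_frame, roamed)}
    return out_devices == back_devices


if __name__ == "__main__":
    for mode, sym in (("asymmetric", False), ("symmetric", True)):
        print(mode, "outbound:", [(h.where, h.outer) for h in client_path(A_TO_C, True, sym)])
        print(mode, "return:  ", [(h.where, h.outer) for h in return_path(C_TO_A, True)])
        print(mode, "symmetric path:", path_is_symmetric(A_TO_C, C_TO_A, True, sym))
```

The practical consequence of the asymmetric case is that a stateful firewall or a reverse-path check sitting between the two controllers' subnets sees client A's outbound traffic on one path and the replies on another; the symmetric tunnel exists so that both directions are seen on the anchor side.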
Open Authentication — None
• WLAN protocol defined in the 802.11 specification
– IEEE 802.11 compliant WLAN clients use open authentication by default
• Operates at layers 1 and 2 and does not offer end-to-end security
• Implied method of association, since user authentication should be applied on top of it to provide security
– Wired Equivalent Privacy (WEP) keys do not play a part in authentication
[Sequence] Authentication request → Authentication → Association request → Association → Data
Web Authentication Process
[Sequence between the Supplicant or Client, the Controller, and the DHCP / DNS / RADIUS Server]
• Open Authentication
• Association
• DHCP Request / DHCP Reply
• DNS Request / DNS Response
• DNS Redirect
• TLS Hello / TLS Certificate / TLS Negotiation Done
• Credential Request / Credential Response
• AAA: credentials verified Local or via RADIUS
• DNS Response
• Data
Controller uses the Virtual Interface address for communication to the client
802.1x
[Layered diagram]
Credentials: Certificate; Username/Password
EAP methods: TLS (Microsoft); EAP-FAST (Cisco); PEAP (Microsoft/Cisco/RSA)
Authentication: EAP carried over 802.1x, producing a Session Key
Framework: WPA, WPA2
Encryption: WEP, TKIP, AES
EAP-PEAP-MSCHAPv2
[Sequence between the Supplicant or Client, the Authenticator or Controller, and the Authentication or RADIUS/EAP Server]
• Open Authentication
• Association
• Request Connection
• EAP Request Identity / EAP Request Identity Response
• AAA: Request EAP-PEAP & Certificate Presentation
• TLS Negotiation Start / TLS Negotiation Done
• Response EAP-PEAP
Inside the TLS Tunnel:
• EAP Request Identity / EAP Request Identity Response
• EAP Request Authentication Type / EAP Request Authentication Type Response
• MSCHAPv2 Exchange / MSCHAPv2 Exchange Success
• Data
WPA PSK
[Sequence between the Supplicant or Client and the Authenticator or Controller]
• Open Authentication
• Association
• Connection Request
• PSK Compare (both sides hold the pre-shared key)
• anonce Delivered
– Supplicant has: Supplicant Nonce, Supplicant MAC; needs: Authenticator MAC, Authenticator Nonce
• snonce Delivered
– Authenticator has: Authenticator Nonce, Authenticator MAC; needs: Supplicant MAC, Supplicant Nonce
• MIC Negotiate / MIC Negotiate
• Encrypted Group Key
• Data
WPA/WPA2 EAP-PEAP-MSCHAPv2 Summary
[Sequence between the Supplicant or Client, the Authenticator or Cisco Wireless Controller, and the Authentication or RADIUS/EAP Server]
• Open Authentication
• Association
• 802.1x Negotiated
• AAA: MSCHAPv2 Exchange / MSCHAPv2 Exchange Success
• anonce Delivered
• snonce Delivered
• MIC Negotiate / MIC Negotiate
• Encrypted Group Key (WPA only)
• Data
WPA uses the Encrypted Group Key exchange, and a race condition may occur; WPA2 integrates this step with MIC Negotiation.
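The "Has/Needs" boxes on the WPA PSK slide and the anonce / snonce / MIC Negotiate steps in the summary above describe the IEEE 802.11i four-way handshake. The code below is an added example, not Cisco code: it derives the PMK from the passphrase and SSID with PBKDF2 as 802.11i specifies, expands the pairwise transient key with the 802.11i PRF once each side holds the other side's nonce and MAC, and checks the message-2 and message-3 MICs with the KCK. The SSID, passphrases, MAC addresses and nonces are constructed, and the EAPOL-Key frames are reduced to short byte strings, so the MIC values are structurally faithful but not interoperable with a real frame.

```python
"""WPA2-PSK four-way handshake key derivation and MIC check (added example).

Follows IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits),
PTK = PRF-384(PMK, "Pairwise key expansion", min/max(AA, SPA) || min/max(ANonce, SNonce)),
KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]; MIC = HMAC-SHA1-128 (descriptor
version 2, AES/CCMP). The EAPOL-Key frame bodies are constructed stand-ins.
"""
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, nbytes=48) -> bytes:
    """Each side can compute this only once it holds the other side's nonce and MAC,
    which is what the slide's Has/Needs boxes express. Order-independent by construction."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def four_way_handshake(ssid, ap_passphrase, client_passphrase, aa, spa, anonce=None, snonce=None):
    """Simulate both sides; return (success, reason)."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    # Message 1 (authenticator -> supplicant): ANonce, no MIC. Supplicant now has everything.
    ptk_s = derive_ptk(pmk_from_passphrase(client_passphrase, ssid), aa, spa, anonce, snonce)
    # Message 2 (supplicant -> authenticator): SNonce + MIC under the supplicant's KCK.
    msg2 = b"EAPOL-Key msg2 (constructed) " + snonce
    mic2 = eapol_mic(ptk_s[:16], msg2)
    # Authenticator learns SNonce, derives its own PTK and verifies the MIC: this is the
    # slide's "PSK Compare". No key ever crosses the air, only nonces and MICs.
    ptk_a = derive_ptk(pmk_from_passphrase(ap_passphrase, ssid), aa, spa, anonce, snonce)
    if not hmac.compare_digest(eapol_mic(ptk_a[:16], msg2), mic2):
        return False, "message 2 MIC mismatch: the two sides hold different PSKs"
    # Message 3 (authenticator -> supplicant): ANonce again + MIC; the GTK would ride here,
    # wrapped under KEK = ptk[16:32]. Message 4 is the supplicant's MIC'd acknowledgement.
    msg3 = b"EAPOL-Key msg3 (constructed) " + anonce
    if not hmac.compare_digest(eapol_mic(ptk_s[:16], msg3), eapol_mic(ptk_a[:16], msg3)):
        return False, "message 3 MIC mismatch"
    return True, "PTK agreed on both sides; TK = ptk[32:48] protects data frames"


if __name__ == "__main__":
    AA = bytes.fromhex("001122334455")   # constructed authenticator MAC
    SPA = bytes.fromhex("66778899aabb")  # constructed supplicant MAC
    print(four_way_handshake("corp-wlan", "correct horse battery", "correct horse battery", AA, SPA))
    print(four_way_handshake("corp-wlan", "correct horse battery", "a different passphrase", AA, SPA))
```

Two design points follow from the code: the PMK depends only on the passphrase and SSID, so every station on a PSK WLAN derives the same PMK and the per-session secrecy rests entirely on the two nonces; and the MIC check is the only place the handshake can fail, so a burst of message-2 MIC failures from one client MAC is the signal a controller can surface for a misconfigured or unauthorized device.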
Sniffer AP Mode
[Diagram] An AP in Sniffer Mode on channel 36 sends its collected data to the Controller, which forwards the collected data to an AiroPeek PC; a second AP stays in Local Mode serving clients.
Remote AiroPeek PC must be reachable via IP from the management interface of the controller
WCS screenshots (titles only):
• Initial Screen — Monitor > Network Summary
• Administration Drop Down
• Admin > Scheduled Tasks
• WCS Maps and Planning Overview
• Client Troubleshooting
• Map Editor Before and After
• Planning Tool
• Planning Mode > Add APs
• Planning Tool Generate Proposal
Location Tracking using Closest AP
[Diagram] A –70 dBm iso-dBm contour around an AP: the client could be anywhere on the iso-dBm line. Presence of an obstruction will alter the iso-dBm line and therefore the possible locations.
Location Tracking using Triangulation
[Diagram] –60 dBm and –70 dBm contours from different APs: probability points can be constructed by correlating information from multiple APs.
Location Tracking using RF Fingerprinting
RF fingerprinting traces signal strength for every signal heard by a Cisco AP in the network, which allows accounting for reflection and multipath.
Then an RF ‘fingerprint’ is created for every point on the coverage map, which allows WCS to accurately place an icon and create a probability color grid.
[Screenshot] Maps > Select a command > RF Calibration Models > Select a command > Add Data Points
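The closest-AP and triangulation slides above can be made concrete with a small numeric model. The code below is an added example, not Cisco's or WCS's algorithm: it assumes a log-distance path-loss model (–40 dBm at 1 m, exponent 3.0) to turn an RSSI into the radius of its iso-dBm ring, places the client at the strongest AP for the closest-AP method, and for triangulation searches a grid for the point whose distances to all APs best fit the rings, which is the "probability points" idea on the slide. AP positions and the client's true position are constructed; RF fingerprinting (calibrated per-point measurements) is not modelled.

```python
"""Closest-AP versus multi-AP grid-search location estimate (added example).

Assumptions, labelled: path-loss constants, AP coordinates, the client position
and the grid parameters below are constructed for illustration.
"""
import math

REF_RSSI_1M = -40.0      # assumed RSSI (dBm) at 1 m from any AP
PATH_LOSS_EXP = 3.0      # assumed indoor path-loss exponent


def rssi_at(distance_m: float) -> float:
    """Log-distance model: RSSI falls 10*n dB per decade of distance."""
    return REF_RSSI_1M - 10 * PATH_LOSS_EXP * math.log10(max(distance_m, 1.0))


def distance_from_rssi(rssi: float) -> float:
    """Inverse of rssi_at: the radius of the iso-dBm ring for this reading."""
    return 10 ** ((REF_RSSI_1M - rssi) / (10 * PATH_LOSS_EXP))


def closest_ap_estimate(aps, readings):
    """Closest-AP method: place the client at the AP reporting the strongest RSSI."""
    strongest = max(readings, key=readings.get)
    return aps[strongest]


def grid_estimate(aps, readings, size=30.0, step=0.5):
    """Triangulation by grid search: the grid point whose AP distances best match
    the iso-dBm radii implied by each reading (least squared error)."""
    radii = {name: distance_from_rssi(rssi) for name, rssi in readings.items()}
    best, best_err = None, float("inf")
    steps = int(size / step)
    for ix in range(steps + 1):
        for iy in range(steps + 1):
            x, y = ix * step, iy * step
            err = 0.0
            for name, (ax, ay) in aps.items():
                err += (math.hypot(x - ax, y - ay) - radii[name]) ** 2
            if err < best_err:
                best, best_err = (x, y), err
    return best


def location_error(estimate, truth) -> float:
    return math.hypot(estimate[0] - truth[0], estimate[1] - truth[1])


# Constructed floor: three APs and a client at a known position.
APS = {"ap1": (0.0, 0.0), "ap2": (20.0, 0.0), "ap3": (10.0, 20.0)}
CLIENT = (12.0, 7.0)
READINGS = {name: rssi_at(math.hypot(CLIENT[0] - ax, CLIENT[1] - ay))
            for name, (ax, ay) in APS.items()}

if __name__ == "__main__":
    print("readings (dBm):", {k: round(v, 1) for k, v in READINGS.items()})
    ca = closest_ap_estimate(APS, READINGS)
    tri = grid_estimate(APS, READINGS)
    print("closest AP   ->", ca, "error m:", round(location_error(ca, CLIENT), 2))
    print("triangulation->", tri, "error m:", round(location_error(tri, CLIENT), 2))
```

With the constructed readings the closest-AP answer is the AP at (20, 0), more than ten metres off, while the multi-AP fit lands on the true point; in a real building the obstruction effect the slide mentions distorts each ring, which is why the course moves on to calibrated RF fingerprinting.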
Location Appliance Overview
Cisco Location Tracking Architecture
[Diagram] Wi-Fi handsets, clients, rogues & Wi-Fi tags are heard by the Access Points; the Access Points talk LWAPP to the Cisco Wireless LAN Controller; the controller feeds WCS and the Location Appliance; the Location Appliance exposes SOAP/XML to 3rd-party integrated applications (E911, Asset Tracking, ERP, Workflow Automation…); WCS is reached from a browser-based remote console over HTTPS.