Chap 7 – Configure Wireless Routers Learning Objectives • Describe the components and operations of basic wireless LAN topologies. • Describe the components and operations of basic wireless LAN security. • Configure and verify basic wireless LAN access. • Configure and troubleshoot wireless client access.
Why Wireless? • Mobility • Scalability • Flexibility • Short & long term cost savings • Installation advantages • Reliability in harsh environments • Reduced installation time
Basic Wireless LAN Topologies • Wireless signals are electromagnetic waves • No physical medium is necessary • The ability of radio waves to pass through walls and cover great distances makes wireless a versatile way to build a network.
Wired Versus Wireless • RF does not have boundaries, allowing data frames traveling over the RF media to be available to anyone that can receive the RF signal. • RF is unprotected from outside signals, whereas cable is in an insulating sheath. Radios operating independently in the same geographic area but using the same or a similar RF can interfere with each other. • RF transmission is subject to range limitations, as the signal is attenuated severely with distance from a transmitter. Wired LANs have cables that are of an appropriate length to maintain signal strength. • RF bands are regulated differently in various countries. The use of WLANs is subject to additional regulations and sets of standards that are not applied to wired LANs.
Wireless LANs • 802.11 wireless LANs extend the 802.3 Ethernet LAN infrastructure to provide additional connectivity options. • However, additional components and protocols are used to complete wireless connections. [Diagram: R1 with sub-interfaces Fa0/0.10 172.17.10.1/24 and Fa0/0.30 172.17.30.1/24, switches S1, S2 and S3, PC1 172.17.10.21/24 (VLAN 10), PC2 172.17.20.22/24 (VLAN 20), PC3 172.17.30.23/24 (VLAN 30) and PC6 172.17.30.24/24 (VLAN 30)]
IEEE 802.11n • The IEEE 802.11n standard (still a draft when this course was written; ratified in 2009) is intended to improve WLAN data rates and range without requiring additional power or RF band allocation. • 802.11n uses multiple radios and antennae at the endpoints, each transmitting on the same frequency, to establish multiple spatial streams. • The multiple input/multiple output (MIMO) technology splits a high data-rate stream into multiple lower-rate streams and transmits them simultaneously over the available radios and antennae. • This gives a theoretical maximum data rate of 248 Mb/s using two streams; higher rates are possible with more streams and wider channels.
Wi-Fi™ Wi-Fi™ Alliance: • WECA (the Wireless Ethernet Compatibility Alliance) changed its name to the Wi-Fi (Wireless Fidelity) Alliance • 170+ members • Over 350 products certified Wi-Fi's™ Mission • Certify interoperability of WLAN products (802.11) • Wi-Fi™ is the "stamp of approval" • Promote Wi-Fi™ as the global standard
Wireless Infrastructure Components • Wireless NICs are most often associated with mobile devices, such as laptop computers. In the 1990s , wireless NICs for laptops were cards that slipped into the PCMCIA slot. PCMCIA wireless NICs are still common, but many manufacturers have begun building the wireless NIC right into the laptop. • Desktops located in an existing, non-wired facility can have a wireless PCI NIC installed. • To quickly set up a PC, mobile or desktop, with a wireless NIC, there are many USB options available as well.
Wireless Infrastructure Components • An access point (AP) connects wireless clients (or stations) to the wired LAN. Client devices do not typically communicate directly with each other; they communicate with the AP. • Access points convert the TCP/IP data packets from their 802.11 frame encapsulation format in the air to the 802.3 Ethernet frame format on the wired Ethernet network.
Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) • Access points oversee a distributed coordination function (DCF) called Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). • Devices on a WLAN must sense the medium for energy and wait until the medium is free before sending. Because all devices are required to do this, the function of coordinating access to the medium is distributed. • If an access point receives data from a client station, it sends an acknowledgement to the client that the data has been received. This acknowledgement keeps the client from assuming that a collision occurred and prevents a data retransmission by the client.
Hidden Nodes [Diagram: PC1 and PC2 can both reach the AP but cannot reach each other; PC1 does not detect PC2's transmission, transmits at the same time as PC2, and a collision occurs at the AP] • If two clients can connect to an access point, but not to each other because of the distance between them, neither station senses the other on the medium, and they may end up transmitting simultaneously. • This is known as the hidden node (or station) problem.
Shared Service Set Identifier (SSID) • A unique identifier that clients use to distinguish between multiple WLANs in the same vicinity. • A case-sensitive string of up to 32 characters (the 802.11 limit is 32 octets). • Several access points on a network can share an SSID. • The SSID is a network name, not a secret: it is sent in clear in beacons, probes and association requests.
Frequency Selection • Best practices for WLANs that require multiple access points are to use non-overlapping channels. • If there are three adjacent access points, use channels 1, 6, and 11. • If there are just two, select any two that are 5 channels apart, such as channels 5 and 10
802.11 Wireless LAN Topologies: Ad hoc [Diagram: PC1 172.17.20.22/24 and PC2 172.17.20.23/24 communicating directly, with no access point] • The IEEE 802.11 standard refers to an ad hoc network as an Independent Basic Service Set (IBSS)
802.11 Wireless LAN Topologies: Basic Service Set (BSS) [Diagram: the wired topology from the earlier slide, R1 (Fa0/0.10 172.17.10.1/24, Fa0/0.30 172.17.30.1/24), switches S1 to S3, PC1 172.17.10.21/24 (VLAN 10), PC2 172.17.20.22/24 (VLAN 20) and PC3 172.17.30.23/24 (VLAN 30), with one access point serving a single BSS] • The coverage area for both an IBSS and a BSS is the Basic Service Area (BSA)
802.11 Wireless LAN Topologies: Extended Service Set (ESS) [Diagram: the same wired topology, R1 (Fa0/0.10 172.17.10.1/24, Fa0/0.30 172.17.30.1/24), switches S1 to S3, PC1 172.17.10.21/24 (VLAN 10), PC2 172.17.20.22/24 (VLAN 20), PC3 172.17.30.23/24 (VLAN 30) and PC6 172.17.30.24/24 (VLAN 30), with more than one access point forming an ESS] • An ESS generally includes a common SSID to allow a user to roam from access point to access point
Client / AP Association A key part of the 802.11 process is discovering a WLAN and subsequently connecting to it. The primary components of this process are: • Beacons - Frames used by the WLAN network to advertise its presence. • Probes - Frames used by WLAN clients to find their networks. • Authentication - The original 802.11 authentication exchange (Open System, or the deprecated Shared Key method). It is largely an artifact of the original standard but is still required before association; under 802.11i the real authentication happens afterwards, through 802.1X/EAP or the pre-shared-key handshake. • Association - The process for establishing the data link between an access point and a WLAN client.
Client / AP Association 1. Probing: Probe Request (client to AP): SSID + supported rates. Probe Response (AP to client): SSID + supported rates + security implementation. 2. Authentication: Authentication Request (client to AP): type + key. Authentication Response (AP to client): type + key + successful/unsuccessful.
Client / AP Association 3. Association: Association Request (client to AP): client MAC + AP MAC (BSSID) + ESS identifier (ESSID). Association Response (AP to client): successful/unsuccessful + Association ID (AID).
WLAN Planning • Position access points above obstructions. • Position access points vertically near the ceiling in the center of each coverage area, if possible. • Position access points in locations where users are expected to be. For example, conference rooms are typically a better location for access points than a hallway.
Wireless Security Issues Unauthorised Access • War driving - driving around a neighborhood with a laptop and an 802.11b/g client card looking for an unsecured 802.11b/g system to exploit. • Hacker/Cracker - malicious intruders who enter systems as criminals and steal data or deliberately harm systems. • Rogue Access Point - installed by employees without authorisation. Employees install access points intended for home use on the enterprise network. These APs typically do not have the necessary security configuration, so the network ends up with a security hole.
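As an added worked example (not part of the original slides), the beacon parser below reads the frame body a client sees during the probing step described earlier and extracts the SSID, supported rates, channel and the RSN element that tells the client which security mode the AP offers; a zero-length SSID is what "SSID broadcast disabled" looks like on the air. It then checks the observed BSSIDs against an allow-list, which is the simplest form of the rogue access point detection this slide calls for. The beacon frames, MAC addresses and allow-list are constructed for the example; the element IDs and RSN suite selectors are the real IEEE 802.11 values.

```python
import struct

# IEEE 802.11 element IDs and RSN suite selectors (real constants).
EID_SSID, EID_RATES, EID_DS_PARAM, EID_RSN = 0, 1, 3, 48
RSN_OUI = b"\x00\x0f\xac"
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}


def _ie(eid, data):
    """Tagged element: ID, length, payload (used to build the constructed beacons)."""
    return bytes([eid, len(data)]) + data


def _rsn(group, pairwise, akms):
    """RSN element body, version 1: group suite, pairwise list, AKM list, capabilities."""
    body = struct.pack("<H", 1) + RSN_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(RSN_OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(RSN_OUI + bytes([a]) for a in akms)
    return body + struct.pack("<H", 0)


def build_beacon(ssid, channel, rsn=None, privacy=False):
    """Constructed beacon body (not a capture): timestamp, interval, capability, elements."""
    capab = 0x0001 | (0x0010 if (rsn or privacy) else 0)   # ESS bit, Privacy bit
    body = struct.pack("<QHH", 0, 100, capab)
    body += _ie(EID_SSID, ssid)
    body += _ie(EID_RATES, bytes([0x82, 0x84, 0x8B, 0x96, 0x24, 0x30, 0x48, 0x6C]))
    body += _ie(EID_DS_PARAM, bytes([channel]))
    return body + (_ie(EID_RSN, rsn) if rsn else b"")


def describe_rsn(data):
    """Summarise an RSN element as the security mode a client would see."""
    if len(data) < 8:
        return "RSN (malformed)"
    version, = struct.unpack_from("<H", data, 0)
    if version != 1:
        return "RSN (unknown version)"
    group = CIPHERS.get(data[5], "?")
    n_pair, = struct.unpack_from("<H", data, 6)
    pairwise = [CIPHERS.get(data[8 + 4 * i + 3], "?") for i in range(n_pair)]
    akm_off = 8 + 4 * n_pair
    n_akm, = struct.unpack_from("<H", data, akm_off)
    akms = [AKMS.get(data[akm_off + 2 + 4 * i + 3], "?") for i in range(n_akm)]
    mode = "Enterprise" if "802.1X" in akms else "Personal"
    return f"WPA2-{mode} ({'/'.join(pairwise)}, group {group})"


def parse_beacon_body(body):
    """Parse a beacon or probe-response body (everything after the 802.11 MAC header)."""
    _ts, _interval, capab = struct.unpack_from("<QHH", body, 0)
    info = {"ssid": None, "hidden": False, "rates": [], "channel": None,
            "privacy": bool(capab & 0x0010), "security": "Open"}
    off = 12
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        data = body[off + 2:off + 2 + ln]
        if len(data) != ln:
            raise ValueError("truncated element")      # malformed: refuse rather than guess
        off += 2 + ln
        if eid == EID_SSID:
            # "SSID broadcast disabled" appears as a zero-length (or all-NUL) SSID element.
            info["hidden"] = ln == 0 or data == b"\x00" * ln
            info["ssid"] = "" if info["hidden"] else data.decode("utf-8", "replace")
        elif eid == EID_RATES:
            info["rates"] = [(b & 0x7F) / 2 for b in data]      # units of 500 kb/s
        elif eid == EID_DS_PARAM:
            info["channel"] = data[0]
        elif eid == EID_RSN:
            info["security"] = describe_rsn(data)
    if info["security"] == "Open" and info["privacy"]:
        info["security"] = "WEP"    # Privacy bit without an RSN element (WPA1 vendor IE not handled)
    return info


def find_rogues(observed, authorized):
    """observed: [(bssid, parsed_info)]; authorized: {bssid: expected security prefix}."""
    rogues = []
    for bssid, info in observed:
        if bssid not in authorized:
            rogues.append((bssid, info["ssid"], "unknown BSSID"))
        elif not info["security"].startswith(authorized[bssid]):
            rogues.append((bssid, info["ssid"], "security downgraded to " + info["security"]))
    return rogues


# Constructed frames for the example: a corporate AP, a hidden-SSID AP and an
# employee's open home router that copies the corporate SSID.
CORP_AP = build_beacon(b"CorpWLAN", 6, _rsn(4, [4], [1]))
HIDDEN_AP = build_beacon(b"", 11, _rsn(4, [4], [2]))
ROGUE_AP = build_beacon(b"CorpWLAN", 1)
AUTHORIZED = {"00:11:22:33:44:01": "WPA2-Enterprise", "00:11:22:33:44:02": "WPA2-Personal"}
OBSERVED = [("00:11:22:33:44:01", parse_beacon_body(CORP_AP)),
            ("00:11:22:33:44:02", parse_beacon_body(HIDDEN_AP)),
            ("aa:bb:cc:dd:ee:ff", parse_beacon_body(ROGUE_AP))]

if __name__ == "__main__":
    for bssid, info in OBSERVED:
        print(bssid, info)
    print("rogues:", find_rogues(OBSERVED, AUTHORIZED))
```

Run stand-alone it prints each parsed beacon and the rogue list. The WPA (TKIP-only) vendor-specific element 221 is not parsed, so a WPA1-only AP shows as WEP here; production tools key the allow-list on BSSID plus SSID plus security mode, exactly because an employee's home router copying the corporate SSID is the common case.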
Wireless Security Issues Man-In-The-Middle Attack • A hacker selects a station as a target and uses packet sniffing software, such as Wireshark, to observe the client station connecting to an access point. The hacker might be able to read and copy the target username, server name, client and server IP addresses, the ID used to compute the response, and the challenge and its associated response, which pass in clear text between station and access point. Even under WPA2 the 4-way handshake is visible to anyone in range, which is what makes a weak pre-shared key attackable offline. • If an attacker is able to compromise an access point, the attacker can potentially compromise all users in the BSS. The attacker can monitor an entire wireless network segment and wreak havoc on any users connected to it.
Wireless Security Issues Denial of Service • A hacker using a PC as an access point can flood the BSS with clear-to-send (CTS) frames. Every CTS carries a Duration value that all listening stations honour by setting their network allocation vector (NAV), so a stream of forged CTS frames keeps legitimate stations off the medium and defeats the CSMA/CA function; whatever traffic the access points do release then arrives in bursts, causing a constant stream of collisions. • Another DoS attack that can be launched in a BSS is when an attacker sends a series of forged disassociation (or deauthentication) frames that cause all stations in the BSS to disconnect. When the stations are disconnected they immediately try to reassociate, which creates a burst of traffic; the attacker sends another disassociation frame and the cycle repeats itself. • These management frames are unauthenticated in the original 802.11 design, so any radio can forge them; IEEE 802.11w (protected management frames, optional in later WPA2 equipment and mandatory in WPA3) is the mitigation.
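Added example, not from the original slides: a detector for the two DoS patterns just described, run over a constructed frame log rather than a capture. It counts deauthentication/disassociation frames per BSSID in a sliding window and, for CTS, sums the Duration fields (the NAV reservation) seen in the window, because a few CTS-to-self frames are normal in mixed b/g cells and only the fraction of airtime reserved distinguishes an attack. The thresholds, addresses and log records are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed frame log for the example (not a capture). Each record carries the
# time in seconds, a kind (data / deauth / disassoc / cts), the BSSID of the cell
# the frame was heard in, the destination and, for CTS, the Duration field in
# microseconds, which every listening station copies into its NAV and stays
# silent for.

def _frame(t, kind, bssid="00:11:22:33:44:01", dst="ff:ff:ff:ff:ff:ff", dur=0):
    return {"t": t, "kind": kind, "bssid": bssid, "dst": dst, "dur": dur}


SAMPLE_LOG = (
    [_frame(0.5, "deauth", dst="aa:aa:aa:aa:aa:01")]                 # one legitimate kick
    + [_frame(1.0 + i * 0.2, "data") for i in range(10)]              # normal traffic
    + [_frame(5.0 + i * 0.05, "disassoc") for i in range(15)]         # disassociation storm
    + [_frame(9.0 + i * 0.02, "cts", dur=30000) for i in range(40)]   # forged CTS storm
)


def detect_dos(frames, window=2.0, max_kicks=10, max_nav_fraction=0.5):
    """Scan a time-ordered frame log; return [(alert, bssid, time)] in order found."""
    alerts = []
    kicks = defaultdict(deque)     # bssid -> times of recent deauth/disassoc frames
    cts = deque()                  # (time, duration_us) of recent CTS frames
    reserved_us = 0                # airtime the CTS frames in the window reserve
    last_alert = {}

    def fire(kind, bssid, t):
        # one alert per BSSID per window, so a long attack is reported once, not 1000 times
        if t - last_alert.get((kind, bssid), -window - 1) > window:
            last_alert[(kind, bssid)] = t
            alerts.append((kind, bssid, t))

    for f in frames:
        t = f["t"]
        if f["kind"] in ("deauth", "disassoc"):
            q = kicks[f["bssid"]]
            q.append(t)
            while q and t - q[0] > window:
                q.popleft()
            if len(q) >= max_kicks:
                fire("deauth-flood", f["bssid"], t)
        elif f["kind"] == "cts":
            cts.append((t, f["dur"]))
            reserved_us += f["dur"]
            while cts and t - cts[0][0] > window:
                reserved_us -= cts.popleft()[1]
            # more than max_nav_fraction of the window's airtime reserved by CTS alone
            if reserved_us > max_nav_fraction * window * 1_000_000:
                fire("cts-flood", f["bssid"], t)
    return alerts


if __name__ == "__main__":
    for alert in detect_dos(SAMPLE_LOG):
        print(alert)
```

A single deauthentication is normal (an AP evicting an idle client, or a client leaving); the signal is the rate, and a broadcast destination on a deauth makes it stronger still. Real monitoring would feed this from a monitor-mode interface and key the CTS check on the receiver address, since CTS frames carry no BSSID.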
Wireless Security Protocols • Today, the standard that should be followed in most enterprise networks is IEEE 802.11i. The Wi-Fi Alliance's WPA2 certification is the interoperable implementation of 802.11i. • For enterprises, WPA2-Enterprise authenticates each user through 802.1X/EAP against a Remote Authentication Dial In User Service (RADIUS) server, rather than relying on a single pre-shared key.
Extensible Authentication Protocol (EAP) [Diagram: Client, Access Point, AAA Server] • If stricter security is required, a network login can be enforced before clients are granted access to the WLAN. • This login process is carried by the Extensible Authentication Protocol (EAP). • The IEEE 802.11i standard specifies IEEE 802.1X port-based authentication as the mechanism for WLAN authentication and authorisation.
Extensible Authentication Protocol (EAP) • The 802.11 association process creates a virtual port for each WLAN client at the access point, but blocks all data frames except 802.1X (EAPOL) traffic. • The 802.1X frames carry the EAP authentication packets via the access point to a server that holds the authentication credentials. This server is an Authentication, Authorization, and Accounting (AAA) server speaking the RADIUS protocol; the access point only relays EAP and does not hold the credentials itself. • If the EAP authentication is successful, the AAA server sends an EAP Success message to the access point, which then allows data traffic from the WLAN client to pass through the virtual port. • Before the virtual port is opened, data link encryption between the WLAN client and the access point is established (the 4-way handshake derives per-client keys from the EAP session), so no other WLAN client can use the port that has been established for a given authenticated client.
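The exchange described on these two slides, as an added example that is not part of the original course: a Python model of the controlled port, with the access point relaying EAPOL frames to an AAA server that alone holds the credentials. The challenge/response is a simplified HMAC exchange standing in for a real EAP method (PEAP, EAP-TLS and the like), and the user names, passwords and MAC addresses are constructed; what it shows is the port rule, that only EtherType 0x888E passes until the server returns success.

```python
import hashlib
import hmac
import os

EAPOL_ETHERTYPE = 0x888E     # the only EtherType an unauthorized controlled port passes
IPV4_ETHERTYPE = 0x0800


class AaaServer:
    """Stand-in for the RADIUS server: holds the credentials; the AP never sees them."""

    def __init__(self, users):
        self.users = users        # username -> password (constructed test data)
        self.pending = {}         # client MAC -> (username, challenge nonce)

    def challenge(self, client_mac, identity):
        if identity not in self.users:
            return None
        nonce = os.urandom(16)
        self.pending[client_mac] = (identity, nonce)
        return nonce

    def verify(self, client_mac, response):
        identity, nonce = self.pending.pop(client_mac, (None, None))
        if identity is None:
            return False          # no outstanding challenge: replay or out-of-order
        expected = hmac.new(self.users[identity].encode(), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Authenticator:
    """The access point: one virtual (controlled) port per associated client."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.authorized = set()   # client MACs whose port is open for data

    def handle(self, client_mac, ethertype, payload):
        """Apply the port rule to one frame from client_mac and return the outcome."""
        if ethertype != EAPOL_ETHERTYPE:
            return "forwarded" if client_mac in self.authorized else "dropped"
        kind, value = payload     # EAPOL payload: ("identity", name) or ("response", bytes)
        if kind == "identity":
            nonce = self.aaa.challenge(client_mac, value)
            return ("challenge", nonce) if nonce else ("failure", None)
        if kind == "response" and self.aaa.verify(client_mac, value):
            self.authorized.add(client_mac)      # EAP Success: open the port
            return ("success", None)
        return ("failure", None)


def supplicant_response(password, nonce):
    """Client side of the simplified challenge/response."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


def run_login(ap, mac, user, password):
    """Drive one client through the exchange; return what happened to each frame."""
    trace = [ap.handle(mac, IPV4_ETHERTYPE, b"GET / HTTP/1.0")]     # data before auth
    kind, nonce = ap.handle(mac, EAPOL_ETHERTYPE, ("identity", user))
    trace.append(kind)
    if kind == "challenge":
        kind, _ = ap.handle(mac, EAPOL_ETHERTYPE, ("response", supplicant_response(password, nonce)))
        trace.append(kind)
    trace.append(ap.handle(mac, IPV4_ETHERTYPE, b"GET / HTTP/1.0"))  # data after auth
    return trace


if __name__ == "__main__":
    ap = Authenticator(AaaServer({"alice": "correct horse battery"}))
    print(run_login(ap, "aa:bb:cc:00:00:01", "alice", "correct horse battery"))
    print(run_login(ap, "aa:bb:cc:00:00:02", "alice", "wrong password"))
```

Two things the model makes visible that the slides state only in prose: a data frame from an unauthenticated client is dropped at the AP, not routed anywhere, and a failed or replayed response leaves the port closed because the server discards its pending challenge after one use. What it does not model is the 4-way handshake that follows EAP Success and binds the session keys to the client.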
Encryption • Two encryption protocols are used with WPA/WPA2: TKIP (WPA) and AES-CCMP (WPA2). Both encrypt the Layer 2 payload and carry out a message integrity check (MIC) to help ensure against a message being tampered with. • TKIP was designed as a stopgap that addressed the known weaknesses of WEP on existing hardware, but the AES encryption of WPA2 is the preferred method, because it brings WLAN encryption into alignment with broader IT industry standards and best practices, most notably IEEE 802.11i. TKIP has since had attacks of its own published and is deprecated.
Configuring the AP • With a PC connected to the access point via a wired connection, access the web utility with a web browser: enter the WRT300N default IP address, 192.168.1.1, in the address field. • Setup - Enter your basic network settings (IP address). • Management - Click the Administration tab and then select the Management screen. The default password is admin; it is printed in every manual and is the first thing a war driver tries, so change it before the radio goes live. • Wireless - Change the default SSID in the Basic Wireless Settings tab. Select the level of security in the Wireless Security tab and complete the options for the selected security mode.
Wireless Settings Network Mode • If Wireless-N, Wireless-G and 802.11b devices are in the network, keep Mixed, the default setting. • If only Wireless-G and 802.11b devices, select BG-Mixed. • If only Wireless-N devices, select Wireless-N Only. • If only Wireless-G devices, select Wireless-G Only. • If only Wireless-B devices, select Wireless-B Only. • To disable wireless networking, select Disable.
Wireless Settings Network Name (SSID) • The SSID must be identical for all devices in the wireless network. It is case-sensitive and must not exceed 32 characters (use any of the characters on the keyboard). For added security, change the default SSID (linksys) to a unique name: the default name identifies the product, and because the WPA/WPA2 pre-shared key is derived from the passphrase and the SSID, a default SSID lets attackers reuse precomputed tables. • SSID Broadcast - When wireless clients survey the local area for wireless networks to associate with, they detect the SSID broadcast by the access point. • To broadcast the SSID, keep Enabled, the default setting; to turn off the broadcast, select Disabled. Disabling the broadcast only blanks the SSID in beacons: probe responses and association requests still carry it in clear, so a hidden SSID is not an access control.
Security Settings • Security Mode - Select the mode you want to use: PSK-Personal, PSK2-Personal, PSK-Enterprise, PSK2-Enterprise, RADIUS, or WEP. • Mode Parameters - Each of the PSK and PSK2 modes has configurable parameters. The PSK-Enterprise and PSK2-Enterprise modes require a RADIUS server reachable from the access point; provide the RADIUS server IP address, port number (normally 1812) and the shared secret. • Encryption - Select the algorithm required, AES or TKIP (AES is the stronger of the two). • Pre-shared Key - Enter the key shared by the router and the other network devices. It must be 8 to 63 characters long. • Key Renewal - Enter the key renewal period, which tells the router how often it should change the group encryption key.
Security Settings There are seven wireless security modes supported by the WRT300N, listed here in the order seen in the GUI: • WEP • PSK-Personal, or WPA-Personal in v0.93.9 firmware or older • PSK2-Personal, or WPA2-Personal in v0.93.9 firmware or older • PSK-Enterprise, or WPA-Enterprise in v0.93.9 firmware or older • PSK2-Enterprise, or WPA2-Enterprise in v0.93.9 firmware or older • RADIUS (802.1X authentication combined with WEP encryption) • Disabled (no encryption) Disabled and WEP offer no usable protection; the PSK2/WPA2 modes with AES are the strongest. "Personal" in a security mode indicates that no AAA server is used and everyone shares one key. "Enterprise" in the security mode name means an AAA server and EAP authentication are used, so each user has individual credentials that can be revoked.
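Added example (not from the slides): how the Pre-shared Key field on the Security Settings screen becomes the 256-bit PSK that WPA/WPA2-Personal actually uses, following the PBKDF2 rule from IEEE 802.11i and checking it against the test vector published in the standard. It also shows why the passphrase rules matter: anyone who knows the SSID can derive a PSK per guess offline, so a dictionary word is found quickly. The candidate wordlist is constructed; the SSID/passphrase/PSK triple is the one printed in the standard.

```python
import hashlib

# Test vector from the IEEE 802.11i annex: passphrase "password", SSID "IEEE".
KNOWN_VECTOR = ("password", "IEEE",
                "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def validate_passphrase(passphrase):
    """The rule the WRT300N GUI enforces, from 802.11i: 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_psk(passphrase, ssid):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), per IEEE 802.11i."""
    if not validate_passphrase(passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def recover_passphrase(target_psk, ssid, candidates):
    """Offline guessing, simplified: an attacker who knows the SSID derives a PSK per guess.
    A real attack checks each guess against the MIC of a captured 4-way handshake rather
    than against the PSK itself; the cost per guess (4096 HMAC-SHA1 rounds) is the same."""
    for cand in candidates:
        if validate_passphrase(cand) and derive_psk(cand, ssid) == target_psk:
            return cand
    return None


if __name__ == "__main__":
    passphrase, ssid, expected = KNOWN_VECTOR
    print("standard test vector reproduced:", derive_psk(passphrase, ssid).hex() == expected)
    print("same passphrase, different SSID gives a different PSK:",
          derive_psk(passphrase, "linksys") != derive_psk(passphrase, ssid))
    # constructed wordlist; "password" is found, so this network is not safe
    print("recovered:", recover_passphrase(derive_psk(passphrase, ssid), ssid,
                                           ["linksys1", "admin123", "password"]))
```

The 4096 iterations are what slow an attacker down, but that cost is fixed by the standard and is well within what a GPU rig does per second, so the length and randomness of the passphrase is the only lever the administrator has in a Personal mode. The SSID acting as salt is why the earlier slide tells you to change the default name: tables precomputed for "linksys" are useless against a unique SSID.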
Configuring a Wireless NIC • Verify that the wireless client has connected to the correct wireless network, as there may be many WLANs available to connect to. • PCs running Microsoft Windows XP have a built-in wireless network monitor and client utility.
Configuring a Wireless NIC • Select the preferred authentication method: WPA2 (PSK2 in the Linksys GUI) is preferred because of its strength. • Select the data encryption method: AES is a stronger cipher than TKIP, but make sure the choice matches the AP configuration. • After selecting the encryption method, enter and confirm the network key; it must match the key set on the AP.
Troubleshooting in a WLAN 1. Check the client: IP address, SSID, encryption type, encryption key, RF channel. 2. Poor performance: range from the AP, other RF transmitters in the locality, overlapping RF channels in an ESS. 3. Check the AP: ping a wired interface, access the web-based GUI, check all parameters.
Any Questions?
Chap 7.3.2 – Basic Wireless Config [Lab topology: R1 sub-interfaces Fa0/0.10 172.17.10.1/24, Fa0/0.20 172.17.20.1/24 and Fa0/0.88 172.17.88.1/24; Fa0/0 towards the Internet at 172.17.88.25; wireless clients WPC1, WPC2 and WPC3 addressed by DHCP; switch ports Fa0/5, Fa0/7, Fa0/11 and Fa0/18 in use; PC1 172.17.10.21/24 on VLAN 10 and PC2 172.17.20.22/24 on VLAN 20]