Wireless LAN Roadmap: Performance and Hardware Features
Cisco Aironet 340 Series Wireless LAN Solution
The Cisco Aironet 340 Series of 802.11b-compliant high-speed wireless solutions offers the best performance, manageability, scalability and security for both in-building and building-to-building wireless applications.
"Cisco Aironet Beats Rivals--With Ease" (Network Computing, Editors' Choice, July 2000)
Editors' Choice: Wireless LANs (PC Magazine, March 2000)
• PC Card/PCI Client Adapters
• Access Points
• Line-of-Sight Bridge Products
• Antennas & Accessories
WLAN Vision: Client Options
• Workgroup Bridges
  • Plug-and-play wireless for single or multiple clients
• USB
  • Easy-to-install NIC alternative
• Multi-function and embedded client devices
  • In partnership with Xircom
• Client Drivers/Services
  • Macintosh/Linux drivers
  • Automated country radio localization
  • Improved diagnostics tools
WLAN Vision: Performance
Roadmap chart (timeline 1999, 2000, 2001, 2002):
• Speed: 11 Mbps, 22 Mbps, 6-54 Mbps, 100 Mbps
• Network: 802.11b Standard, .11b Ext., .11a Std, Superset
• Radio: 2.4 GHz, 900 MHz, 5 GHz
• Small, Medium and Large Enterprises
  • High power and performance
• Telecommuter
  • Cost and Manageability
• IEEE 802.11a/b Ratified
WLAN Vision: Infrastructure Options
(Figure labels: Cisco Access Point 925; W/C; in-line-power-capable switch)
• Office applications
  • Simplify and reduce installation costs
  • In-line power
• Warehouse (extreme applications)
  • Extended temperature
Telecommuter Base Station
Designed for the WLAN Telecommuter
• 802.11 compliant
• Fully managed
• Simplified configuration
• Embedded Modem and Ethernet
Cisco's Services Vision
(Figure label: Cisco Access Point 925)
• Security
  • Centralized device authentication
  • Future flexible user authentication services
• Management
  • Enhanced auto-configuration and enforcement for client/infrastructure
• Policy
  • Enhanced PCF services for enterprise-quality QoS
• Mobility
  • Scale L2/L3 roaming services
Security Services
• Current capabilities
  • No Encryption
  • 40-Bit Encryption
  • 128-Bit Encryption
  • Hardware-based encryption
  • Negligible performance impact (<3%)
  • MAC-based exclusion filtering
• Encryption Choices (defined at Access Point)
  • No Encryption
  • Allow client to specify (optional)
  • Forced (Required)
Security Directions Summary
• Utilize HW-based 802.11 encryption
  • Best price/performance
  • Minimizes impact on client and network
• 1st phase (Committed): Device authentication
  • Cell phone security analogy
  • Supports all client device types
• 2nd phase: User authentication (in development)
  • Universal user authentication through 802.1x Extensible Authentication Protocols (EAP)
Security Directions Summary (cont.)
• Centralized Authentication
  • Phase 1: Enhanced RADIUS servers
    • CiscoSecure Authentication Server
    • Directory services integration through LDAP/X.500
  • Phase 2: EAP support, Kerberos & PKI support
• Dynamic Key Generation/Distribution
  • Unique 128-bit key per user per session
  • Roaming Pre-authentication
Centralized User-Based Authentication (figure)
• Supplicant, in the Extended Enterprise (Branch Office, Home, etc.)
• EAP Over Wireless/LAN (EAPOW/EAPOL) between the Supplicant and the Authenticator
• Authenticator (e.g. Access Point, Catalyst Switch), at the Semi-Public Network / Enterprise Edge
• EAP Over RADIUS between the Authenticator and the Authentication Server
• Authentication Server such as ACS2000 v2.6, on the Enterprise Intranet
Dynamic WEP Key Management (sequence diagram: laptop computer, Access Point, RADIUS server; 802.11 on the wireless side, Fast Ethernet on the wired side; EAPOW between laptop and AP, RADIUS between AP and server)
• 802.11 Associate: access blocked
• EAPOL-Start (client to AP)
• EAP-Request/Identity (AP to client)
• EAP-Response/Identity (client to AP); Radius-Access-Request (AP to server)
• Radius-Access-Challenge (server to AP); EAP-Request (AP to client)
• EAP-Response (credential) (client to AP); Radius-Access-Request (AP to server)
• Radius-Access-Accept (server to AP); EAP-Success (AP to client)
• EAPOW-Key (WEP) (AP to client): access allowed
Services in Development: AP Authentication
• Rogue AP detection requirement
  • Only IT-installed/configured devices deliver infrastructure access
  • Authenticated clients learn trusted APs in area
  • Untrusted APs are detected, reported and, if possible, isolated and shut down
• Investigating best way to control non-Cisco APs
Wireless QoS Vision: Committed Services
• SpectraLink Voice Prioritization (SVP)
  • Prioritizes IP voice traffic in AP queue
  • User-configurable beacon period helps determine voice quality
Wireless QoS Vision (cont.): Services in Process
• Extend existing 802.11 QoS services
  • Utilize and enhance Point Coordination Function (PCF)
  • Standards-based
  • Backwards compatibility, investment protection
  • Time-to-market
• Integration with existing IETF & IEEE standards
  • Integrated Services over Specific Link Layers (ISSLL)
  • 802.1(p) priorities
Proposal for Enhanced Wireless QoS
• Better to approach it as an integrated system
• Address queue management in the infrastructure devices
  • Contention-free period can only be sustained if the queues on the access point or stations are adequately managed
• Address medium access limitations to ensure access
  • Chicken-and-egg problem: polling to manage medium access, with potential contention to get on the polling list
• Address unlicensed band regulations
  • Some regulatory domains do not allow constant occupancy by one device
• Maximize investment protection
  • While also acknowledging that some legacy devices may require an enhanced DCF
  • Systems always spend some time in the DCF
Wireless QoS Summary
• Simple but efficient
• Easy to implement
• Good support for legacy stations
• In line with what is standardized by other workgroups and standardization bodies
• Simulations will prove the concept
• Some loose ends need to be worked out
Additional Network Services: Load Balancing
• APs configured for load sharing use different RF channels in the coverage area
• Policy based on number of users, bit error rate, or signal strength
(Figure labels: Channel 6, Channel 1)
Additional Network Services: Hot Standby
• APs co-located for hot standby use the SAME RF channel in the coverage area
• Standby AP acts as a probe for monitoring and management
(Figure labels: Channel X Active, Channel X Standby)
Summary: Vision for Mobile Connectivity
• Offer key services to accommodate wireless data, voice and video that are:
  • Secure
  • Manageable
  • Scalable
  • Delivering improved Price/Performance
• Preserve customers' investment in existing WLAN infrastructure
• Partner to enhance wireless hardware and software solutions for customers
(Figure labels: Solutions, Products, Partners, Channels)
802.1X Security Architecture: Pieces of the System (figure)
• User Client/Supplicant
• Authentication Client/Control Point
  • Open port: Authentication traffic
  • Controlled port: Data traffic
• Authentication Server
EAP Architecture (layer diagram)
• Method Layer: TLS, GSS_API, IKE
• EAP APIs
• EAP Layer: EAP
• NDIS APIs
• Media Layer: PPP, 802.3, 802.5, 802.11
802.1X Security Services
• Supplicant (Cisco/Microsoft, etc.)
  • Device Mini-certificate (MD5/PAP-CHAP)
  • Future 802.11 supplicant for Win2K/WinCE 3.0 (user authentication options)
• Authentication client/control point (Cisco/Microsoft)
  • Non-IP communications until device authenticated
• Authentication Server (Cisco)
  • Radius server available from Cisco
  • Future enhanced servers available from others
Authentication Process (figure: wireless laptop, Access Point, Radius Server; authentication traffic, Radius traffic, normal data)
• Wireless client associates at the 802.11 layer. Data blocked by AP.
• The authentication traffic is allowed to flow. The Access Point relays authentication traffic.
• Access Point blocks everything except authentication traffic.
Authentication Process (cont.)
• Wireless client mutually authenticates with Radius Server.
• Radius server authenticates client and creates a WEP key.
• AP receives grant and key. Key is installed in database and normal data is forwarded to client.
• Client receives grant and WEP key. Client stack is initiated. DHCP request and subsequent traffic is encrypted with session key.
Authentication Process (cont.)
• Wireless client and AP use WEP key. AP allows traffic to flow (802.11 traffic on the wireless side, IP traffic to the Enterprise Intranet).
• Secure traffic. No performance impact.
• AP pre-authenticates client for intra-subnet roaming.
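The Dynamic WEP Key Management sequence and the three Authentication Process slides describe one flow: the AP blocks everything on the controlled port until the RADIUS exchange completes, then installs a per-session key. The following Python model is an added example, not code from the deck or from Cisco; every name in it is hypothetical, and the challenge/response is a simplified HMAC stand-in (not LEAP or any real EAP method) so that the port-control and per-session-key behaviour can be run and checked offline.

```python
"""Constructed model of the 802.1X / EAP-over-RADIUS exchange in the deck.
All names here are hypothetical; the challenge/response is a simplified
CHAP-style HMAC stand-in, not LEAP or any real EAP method."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Supplicant:
    """Wireless client: knows its identity and secret, receives a session key at the end."""
    mac: str
    identity: str
    secret: bytes
    session_key: Optional[bytes] = None

    def respond(self, challenge: bytes) -> bytes:
        # EAP-Response (credential): prove possession of the secret without sending it
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


@dataclass
class RadiusServer:
    """Authentication server: one Access-Request per round trip, as in the sequence diagram."""
    users: Dict[str, bytes]                       # identity -> secret (constructed sample data)
    pending: Dict[str, bytes] = field(default_factory=dict)

    def access_request(self, identity: str,
                       credential: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        if identity not in self.users:
            return "Access-Reject", None
        if credential is None:                    # first request carries only the identity
            challenge = os.urandom(16)
            self.pending[identity] = challenge
            return "Access-Challenge", challenge
        challenge = self.pending.pop(identity, None)
        if challenge is None:
            return "Access-Reject", None          # credential without an outstanding challenge
        expected = hmac.new(self.users[identity], challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, credential):
            return "Access-Reject", None
        # Accept carries a fresh 128-bit key: unique per user per session, never reused
        return "Access-Accept", os.urandom(16)


@dataclass
class AccessPoint:
    """Authenticator: relays EAP on the open port, opens the controlled port only on success."""
    server: RadiusServer
    authorized: Dict[str, bytes] = field(default_factory=dict)   # client MAC -> installed key

    def controlled_port(self, mac: str, frame: str) -> str:
        return "forwarded" if mac in self.authorized else "blocked"


def run_802_1x(client: Supplicant, ap: AccessPoint) -> List[str]:
    """Drive one exchange; returns the transcript of message names in wire order."""
    log = ["802.11 Associate", "EAPOL-Start", "EAP-Request/Identity",
           "EAP-Response/Identity", "RADIUS Access-Request"]
    code, challenge = ap.server.access_request(client.identity)
    if code != "Access-Challenge":
        return log + ["RADIUS " + code, "EAP-Failure"]
    log += ["RADIUS Access-Challenge", "EAP-Request",
            "EAP-Response (credential)", "RADIUS Access-Request"]
    code, key = ap.server.access_request(client.identity, client.respond(challenge))
    if code != "Access-Accept":
        return log + ["RADIUS " + code, "EAP-Failure"]
    ap.authorized[client.mac] = key        # AP installs the key and opens the controlled port
    client.session_key = key               # delivered to the client in the EAPOW-Key frame
    return log + ["RADIUS Access-Accept", "EAP-Success", "EAPOW-Key (WEP)"]


def demo() -> dict:
    """Stand-alone run with constructed credentials; returns the observable outcomes."""
    server = RadiusServer({"alice": b"alice-constructed-secret"})
    ap = AccessPoint(server)
    alice = Supplicant("00:11:22:33:44:55", "alice", b"alice-constructed-secret")
    before = ap.controlled_port(alice.mac, "DHCP Discover")
    transcript = run_802_1x(alice, ap)
    after = ap.controlled_port(alice.mac, "DHCP Discover")
    first_key = alice.session_key
    run_802_1x(alice, ap)                       # a second session gets a different key
    mallory = Supplicant("66:77:88:99:aa:bb", "alice", b"guessed-secret")
    bad = run_802_1x(mallory, ap)
    return {"before": before, "after": after, "transcript": transcript,
            "rekeyed": alice.session_key != first_key, "bad_last": bad[-1],
            "mallory_port": ap.controlled_port(mallory.mac, "DHCP Discover")}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point to take from running it: the DHCP Discover is blocked before the exchange and forwarded after, a wrong credential leaves the port blocked, and re-authenticating the same user yields a different key, which is what the deck's "unique 128-bit key per user per session" promises over static WEP keys.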
Future User Authentication for non-EAP/802.1x Clients
• Options under consideration
  • Device-level authentication with passwords
  • Create APIs to pass username and password to LEAP
  • For generic support, statically assign username and password into card
    • This becomes device security
Pre-Authentication for Roaming
• APs multicast keys of authenticated clients as part of the Inter Access Point Protocol (IAPP)
• Pre-authentication multicasts are encrypted
• APs cache pre-authenticated clients (1000s of entries)
Pre-Authentication and Roaming (figure: roam from AP1 to AP2; AP1 pre-auth, disassociation, AP2)
• When the roam occurs, AP1 sends a disassociation notice.
• AP2 associates the client using the cached key and retrieves queued data from AP1.
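The two pre-authentication slides describe a cache of keys pushed between APs so that a roam does not repeat the full 802.1X exchange. The following Python model is an added example, not code from the deck or from Cisco; the class and function names are hypothetical, the IAPP multicast is modelled as a direct call (its encryption is out of scope), and the cache is a bounded LRU to reflect the "1000s of entries" limit. It also shows the failure mode the slides imply but do not spell out: a client roaming to an AP that never received the multicast must re-authenticate.

```python
"""Constructed model of the deck's pre-authentication for roaming: an AP that
authenticated a client multicasts its key to neighbor APs (IAPP), which cache it
so a roaming client is associated from the cache instead of re-authenticating.
Names are hypothetical; encryption of the IAPP multicast is out of scope here."""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class RoamingAP:
    name: str
    max_cache: int = 1000                                   # deck: "1000s of entries"
    neighbors: List["RoamingAP"] = field(default_factory=list)
    cache: "OrderedDict[str, bytes]" = field(default_factory=OrderedDict)  # MAC -> key, LRU order
    associated: Dict[str, bytes] = field(default_factory=dict)            # MAC -> key in use
    queued: Dict[str, List[str]] = field(default_factory=dict)            # MAC -> buffered frames

    def learn(self, mac: str, key: bytes) -> None:
        """Cache a pre-authenticated client received via IAPP; evict the oldest when full."""
        self.cache[mac] = key
        self.cache.move_to_end(mac)
        while len(self.cache) > self.max_cache:
            self.cache.popitem(last=False)

    def authenticated(self, mac: str, key: bytes) -> None:
        """Client finished 802.1X here: install the key and pre-authenticate it with neighbors."""
        self.associated[mac] = key
        for ap in self.neighbors:
            ap.learn(mac, key)

    def queue_frame(self, mac: str, frame: str) -> None:
        """Data that arrived for the client while it was moving is held for the new AP."""
        self.queued.setdefault(mac, []).append(frame)


def roam(mac: str, old_ap: RoamingAP, new_ap: RoamingAP) -> Tuple[str, List[str]]:
    """Return ("fast-roam", frames) when new_ap holds a cached key, else ("reauth-required", [])."""
    key = new_ap.cache.get(mac)
    if key is None:
        return "reauth-required", []          # never pre-authenticated here: full 802.1X again
    old_ap.associated.pop(mac, None)          # AP1 sends a disassociation notice
    new_ap.associated[mac] = key              # AP2 associates the client with the cached key
    frames = old_ap.queued.pop(mac, [])       # and retrieves the data queued at AP1
    return "fast-roam", frames


def demo() -> dict:
    """Constructed scenario: AP1 and AP2 are neighbors, AP3 is outside the multicast group."""
    ap1, ap2, ap3 = RoamingAP("AP1"), RoamingAP("AP2"), RoamingAP("AP3")
    ap1.neighbors = [ap2]
    client = "00:11:22:33:44:55"              # constructed client MAC
    ap1.authenticated(client, b"constructed-session-key")
    ap1.queue_frame(client, "frame-1")
    ap1.queue_frame(client, "frame-2")
    first = roam(client, ap1, ap2)
    second = roam(client, ap2, ap3)           # AP3 never learned the key
    return {"ap1_to_ap2": first, "ap2_to_ap3": second,
            "ap1_still_associated": client in ap1.associated}


if __name__ == "__main__":
    print(demo())
```

Running the demo gives a fast roam from AP1 to AP2 that carries the two queued frames across, while the move to AP3 reports that re-authentication is required; a deployment check is therefore whether every AP a client can reach is in the IAPP group of the AP it authenticated on, since a gap there shows up as a full re-authentication instead of a seamless roam.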