Wireless Architecture
Download
Report
Transcript Wireless Architecture
Wireless LAN Roadmap:
Performance and
Hardware Features
© 2000, Cisco Systems, Inc.
1
Cisco Aironet 340 Series Wireless
LAN Solution
The Cisco Aironet 340 Series of 802.11b compliant high speed wireless solutions
offers the best performance, manageability, scalability and security for both
in-building and building to building wireless applications
”Cisco Aironet Beats Rivals--With Ease”
(Network Computing, Editors’ Choice July 2000)
Editors’ Choice: Wireless LANs
(PC Magazine, March 20000)
• PC Card/PCI Client Adapters
• Access Points
• Line-of-Sight Bridge Products
• Antennas & Accessories
WLAN Vision:
Client Options
• Workgroup Bridges
– Plug and play wireless for
single or multiple clients
• USB
– Easy to install NIC
alternative
• Multi-function and embedded
client devices
– In partnership with Xircom
• Client Drivers/Services
– Macintosh/Linux drivers
– Automated country radio
localization
– Improved diagnostics tools
WLAN Vision: Performance
Small, Medium and Large
Enterprises
High power and
performance
Telecommuter
Cost and Manageability
Speed
11Mbps
22 Mbps 6-54 Mbps 100 Mbps
Network
802.11b Standard
Radio
900 MHz
2.4 GHz
1999
.11b Ext. .11a Std
5 GHz
IEEE 802.11a/b
Ratified
2000
Superset
2001
2002
WLAN Vision:
Infrastructure Options
Cisco Access Point 925
• Office applications
–Simplify and reduce
installations costs
•In-line power
• Warehouse
(extreme applications)
–Extended temperature
In-line pwr
capable
switch
W/C
Telecommuter Base Station
Designed for the WLAN Telecommuter
• 802.11 compliant
• Fully managed
• Simplified configuration
• Embedded Modem and
Ethernet
Wireless LANs
Services Directions
© 2000, Cisco Systems, Inc.
7
Cisco’s Services Vision
• Security
–Centralized device
authentication
–Future flexible user
authentication services
• Management
–Enhanced auto-configuration
and enforcement for
client/infrastructure
• Policy
–Enhanced PCF services for
enterprise quality QoS
• Mobility
–Scale L2/L3 roaming services
Cisco Access Point 925
Security Services
• Current capabilities
–No Encryption
–40-Bit Encryption
–128-Bit Encryption
–Hardware based encryption
•Negligible performance impact (<3%)
–Mac-based exclusion filtering
• Encryption Choices (defined at Access Point)
–No Encryption
–Allow client to specify (optional)
–Forced (Required)
Security Directions Summary
• Utilize HW-based 802.11 encryption
– Best price/performance
– Minimizes impact on client and network
• 1st phase (Committed): Device authentication
– Cell phone security analogy
– Supports all client device types
• 2nd phase: User authentication
(in development)
– Universal user authentication through 802.1x
Extensible Authentication Protocols (EAP)
Security Directions Summary
(cont.)
• Centralized Authentication
–Phase1: Enhanced RADIUS servers
•CiscoSecure Authentication Server
•Directory services integration through
LDAP/X.500
–Phase 2: EAP support Kerberos & PKI
support
• Dynamic Key Generation/Distribution
–Unique 128 bit key per user per session
–Roaming Pre-authentication
Centralized User-Based
Authentication
Semi-Public
Network /
Enterprise Edge
Supplicant
Enterprise
Intranet
R
A
D
I
U
S
Authentication
Server such as
ACS2000 v2.6
Authenticator
(e.g. Access
Point, Catalyst
Switch)
Extended Enterprise
(Branch Office, Home, etc.)
Dynamic WEP Key Management
Fast Ethernet
Laptop computer
Access blocked
802.11 Associate
802.11
R
A
D
I
U
S
RADIUS
EAPOW
EAPOL-Start
EAP-Request/Identity
EAP-Response/Identity
EAP-Request
EAP-Response (credential)
EAP-Success
Radius-Access-Request
Radius-Access-Challenge
Radius-Access-Request
Radius-Access-Accept
EAPW-Key (WEP)
Access allowed
Services in Development
AP Authentication
• Rogue AP detection requirement
– Only IT installed/configured devices deliver
infrastructure access
– Authenticated clients learn trusted APs in area
– Untrusted APs are detected, reported and, if
possible, isolated and shut down
•Investigating best way to control non-Cisco APs
Wireless QoS Vision
Committed Services
• SpectraLink Voice
Prioritization (SVP)
– Prioritizes IP voice
traffic in AP queue
– User configurable
beacon period helps
determine voice quality
Wireless QoS Vision (cont.)
Services in Process
• Extend existing 802.11 QoS services
–Utilize and enhance Point Coordination Function (PCF)
•Standards-based
•Backwards compatibility, investment protection
•Time-to-market
• Integration with existing IETF & IEEE standards
•Integrated Services over Specific Link Layers (ISSLL)
•802.1(p) priorities
Proposal for Enhanced Wireless
QoS
• Better to approach it as an integrated system
•Address queue management in the infrastructure devices
– Contention-free period can only be sustained if the queues on the access point
or stations are adequately managed
•Address medium access limitations to ensure access
– Chicken-egg problem; polling to manage medium access – potential contention
to get on polling list
•Address unlicensed band regulations
– Some regulatory domains do not allow constant occupancy by one device
•Maximize investment protection
– While also acknowledging that some legacy devices may require an enhanced
DCF
• Systems always spend some time in the DCF
Wireless QoS Summary
• Simple but efficient
–Easy to implement
–Good support for legacy stations
–Inline with what is standardized by other workgroups
and standardization bodies
• Simulations will prove concept
• Some ‘loose-ends’ need to be worked out
Additional Network Services:
Load Balancing
Channel 6
Channel 1
• AP’s configured for load sharing use different RF channels in
coverage area
• Policy based on number of users, bit error rate, or signal
strength
Additional Network Services: Hot
Standby
Channel X
Active
Standby
Channel X
• AP’s co-located for hot standby use SAME RF channel in
coverage area
• Standby AP acts as probe for monitoring and management
Summary: Vision for Mobile
Connectivity
• Offer key services to accommodate wireless data, voice
and video that is:
Solutions
–Secure
–Manageable
–Scalable
Partners
Products
–Delivers improved Price/Performance
• Preserve customers investment in existing WLAN
infrastructure
• Partner to enhance wireless hardware and software
solutions for customers
Channels
802.1X Security Architecture
Pieces of the system.
User
Client/Supplicant
Authentication
Client/Control Point
Open port:
Authentication traffic
Controlled port:
Data traffic
Authentication Server
EAP Architecture
TLS
GSS_API
IKE
Method
Layer
EAP
APIs
EAP
Layer
EAP
NDIS
APIs
PPP
802.3
802.5
802.11
Media
Layer
802.1X Security Services
Cisco/
Microsoft
Supplicant
Device Mini-certificate
(MD5/PAP-CHAP)
Future 802.11
supplicant for
Win2K/WinCE 3.0
(User authentication
options)
Cisco
Authentication
client/control point
Non-IP
communications
until device
authenticated
Cisco/
Microsoft, etc.
Authentication Server
Radius server available
from Cisco
Future enhanced
servers available from
others
Authentication Process
Wireless client assoc. at 802.11 layer. Data
blocked by AP.
Authentication
traffic
Wireless laptop
Access Point
The authentication traffic
is allowed to flow. The
Access point relays
authentication traffic.
Radius traffic
Radius Server
Authentication
traffic
Access Point blocks
everything except
authentication traffic.
Normal Data
Authentication Process cont.
Wireless client mutually authenticates with
Radius Server
Authentication
traffic
Wireless laptop
Access Point
Client receives grant
WEP key.
Client stack is initiated.
DHCP request and
subsequent traffic is
encrypted with session
key
Authentication
traffic
Normal Data
Radius traffic
Radius Server
Radius server
authenticates client and
creates a WEP key.
AP receives grant and
key. Key is installed in
data base and normal
data is forwarded to
client
Authentication Process cont.
Wireless client and AP use WEP key. AP
allows traffic to flow.
Enterprise
Intranet
802.11 traffic
Wireless laptop
Secure traffic. No
performance impact
IP traffic
Access Point
Authentication
traffic
AP pre-authenticates
client for intra subnet
roaming
Normal Data
Future User Authentication for
non- EAP/802.1x Clients
• Options under consideration
–Device level authentication w/passwords
•Create APIs to pass username and password to LEAP
• For generic support, statically assign
username and password into card.
–This becomes device security.
Pre-Authentication for Roaming
APs multicast keys of authenticated clients as
part of Inter Access Point Protocol (IAPP)
Pre-authentication m-casts encrypted
APs cache pre-authenticated clients (1000s of
entries).
Pre-Authentication and Roaming
Roam from AP1 to AP2
AP1
AP2
When roam occurs, AP1
sends a disassociation
notice.
AP2 associates client,
cached key and retrieves
queued data from AP1.
Preauth
Disassociation