CCDA 640-864 Summary Notes – Chapter 5 – Day 11



Exam Topic 2 – Part 2: Cisco Unified Wireless Network (UWN) Architecture

LWAPP Discovery of WLC

LWAPP discovery procedure (shown as an image in the original post; not reproduced here):

CAPWAP discovery procedure:

  • CAPWAP AP sends a CAPWAP discovery request
  • WLC responds with a CAPWAP response within 60 seconds
    • WLC selection is configurable on the WLC. The AP selects according to the following order:
      • Primary sysName (preconfigured)
      • Second sysName (preconfigured)
      • Tertiary sysName (preconfigured)
      • Master controller
      • WLC with greatest capacity for AP associations
    • If no CAPWAP response within 60 seconds, the AP falls back to LWAPP discovery
    • If there is still no response within 60 seconds, step 1 is repeated
  • AP sends CAPWAP response + derives encryption key
  • Selects WLC and sends join request
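The selection order above, written out as an added example (not code from the original notes or from Cisco): the AP collects the discovery responses it received in the window, walks its preconfigured sysNames first, then prefers a master controller, then the controller with the most free AP slots, and falls back to LWAPP discovery when no controller answered. Controller names, capacities and the master flag are constructed sample values; the 60-second windows are not timed, each response list simply stands for what arrived in that window.

```python
"""Added example, not part of the original notes: a simulation of the WLC
selection order an AP applies to the CAPWAP discovery responses it collects,
plus the LWAPP fallback.  Controller names, capacities and flags are
constructed sample values, not real equipment."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class DiscoveryResponse:
    """What an AP learns about one controller from its discovery response."""
    sys_name: str
    master: bool       # controller is configured as the master controller
    max_aps: int       # licensed AP capacity
    joined_aps: int    # APs currently joined

    @property
    def free_slots(self) -> int:
        """Remaining capacity for AP associations."""
        return self.max_aps - self.joined_aps


@dataclass
class AccessPoint:
    """Controller preferences preconfigured on the AP (sysNames; any may be unset)."""
    primary: Optional[str] = None
    secondary: Optional[str] = None
    tertiary: Optional[str] = None


def select_wlc(ap: AccessPoint,
               responses: list[DiscoveryResponse]) -> Optional[DiscoveryResponse]:
    """Apply the selection order from the notes:
    primary -> secondary -> tertiary sysName -> master controller ->
    controller with the greatest capacity for further AP associations.
    Returns None when no controller answered."""
    if not responses:
        return None
    by_name = {r.sys_name: r for r in responses}
    # Steps 1-3: preconfigured sysNames, in order, but only if that controller answered.
    for preferred in (ap.primary, ap.secondary, ap.tertiary):
        if preferred is not None and preferred in by_name:
            return by_name[preferred]
    # Step 4: a controller flagged as master.
    for r in responses:
        if r.master:
            return r
    # Step 5: the controller with the most free AP slots.
    return max(responses, key=lambda r: r.free_slots)


def discover(ap: AccessPoint,
             capwap_responses: list[DiscoveryResponse],
             lwapp_responses: list[DiscoveryResponse]) -> tuple[str, Optional[DiscoveryResponse]]:
    """Discovery with the fallback chain from the notes.  The 60-second windows are
    not timed here; each list stands for the responses received in that window.
    Returns (protocol, chosen controller), or ("retry", None) when step 1 must repeat."""
    chosen = select_wlc(ap, capwap_responses)
    if chosen is not None:
        return "capwap", chosen
    chosen = select_wlc(ap, lwapp_responses)
    if chosen is not None:
        return "lwapp", chosen
    return "retry", None


if __name__ == "__main__":
    # Constructed sample controllers.
    answers = [
        DiscoveryResponse("WLC-A", master=False, max_aps=50, joined_aps=45),
        DiscoveryResponse("WLC-B", master=True, max_aps=100, joined_aps=99),
        DiscoveryResponse("WLC-C", master=False, max_aps=500, joined_aps=10),
    ]
    ap = AccessPoint(primary="WLC-D", secondary="WLC-A")   # WLC-D never answers
    print(discover(ap, answers, []))                       # picks WLC-A via CAPWAP
```

Note that a preconfigured sysName only wins if that controller actually answered; with the sample data the primary WLC-D is silent, so the secondary WLC-A is chosen even though WLC-B is the master and WLC-C has far more capacity.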

WLAN Authentication

  • Clients associate with AP
  • Clients authenticate with authentication server (in wired net)
    • WLC sets up an EAP/ RADIUS tunnel with the authentication server

Authentication Options

EAP-Transport Layer Security (EAP-TLS)

  • IETF Open Standard
  • Rarely deployed
  • Uses PKI with TLS and digital certificates to secure communication to the RADIUS server

Protected Extensible Authentication Protocol (PEAP)

  • Open standard proposed by Cisco, Microsoft and RSA Security
  • Most commonly deployed: PEAP/MSCHAPv2
  • Similar to EAP-TTLS but requires a server side PKI cert to form a TLS tunnel
  • PEAP-GTC delivers more generic authentication to a number of databases, e.g. Novell Directory Services (NDS)

EAP-Tunneled TLS (EAP-TTLS)

  • Developed by Funk Software and Certicom
  • Widely supported across platforms
  • Requires PKI certificate only on authentication server

Cisco Lightweight Extensible Authentication Protocol (LEAP)

  • Cisco proprietary
  • Supported in Cisco Certified Extensions (CCX) program
  • Vulnerable to dictionary attacks

EAP-Flexible Authentication via Secure Tunneling (EAP-FAST)

  • Proposed by Cisco to fix LEAP weaknesses
  • Uses Protected Access Credential (PAC)
  • Server certificates are optional
  • Phases :
    • Phase 0 (Optional): PAC can be provisioned manually or dynamically
    • Phase 1: Client and AAA server use PAC to form TLS tunnel
    • Phase 2: Client sends info over tunnel

WLAN Controller Components

WLANs

  • Have unique SSIDs
  • Each has an interface in the WLC
  • Each has parameters such as:
    • radio policies
    • QoS

Ports

  • Physical connection to switch or router
  • Default: 802.1q trunk port
  • Can be combined into a single port-channel using link aggregation (LAG)
  • Some WLC have a service port – out of band management

WLC Interfaces

  • Logical connection mapping to a VLAN on wired network
  • Each has a unique IP, gateway, port, VLAN tag and DHCP server

WLC Interface Types

Management interface

  • Mandatory Interface
  • Configured at setup
  • Statically configured
  • Used for
    • in-band management
    • Connectivity to AAA
    • L2 discovery and association

Service-port interface

  • Optional Interface
  • Configured at setup
  • Statically configured
  • Out of band management

AP manager interface

  • Mandatory Interface except on 5508
  • Configured at setup
  • Statically configured
  • Used for:
    • L3 discovery and association
  • Has source IP of statically configured AP

Dynamic interface

  • Dynamically configured (like VLANs)
  • Used for WLAN client data

Virtual interface

  • Mandatory Interface
  • Configured at setup
  • Statically configured
  • Used for

Link Aggregation (LAG)

  • WLC supports only 1 LAG per controller. When enabled, all the physical ports except the service port are in the bundle
  • WLC with LAG can only have 1 neighbour device

Roaming and Mobility Groups

Roaming:

  • The ability to access network resources from common areas and in areas where it is difficult to run cabling
  • Roaming occurs when the wireless client changes association from one AP to another
  • Types:
    • intracontroller
    • intercontroller
      • L2
      • L3

Intracontroller Roaming:

  • Client moves from AP to AP connected in the same WLC
  • WLC updates the client’s database with the new associated AP but does not change client IP
  • (optional) Client can be reauthenticated
  • establishes new security association
  • Client database remains on same WLC

Layer 2 Intercontroller Roaming

  • Client moves from one AP to another AP in different WLC but same subnet
  • No IP address change for client
  • Client database is moved from WLC1 to 2
  • Client is reauthenticated
  • New security session

Layer 3 Intercontroller Roaming

  • Client moves from one AP to another AP in a different WLC in a different subnet
  • Traffic is bridged to a different subnet
  • Client associates to AP2; WLC2 exchanges mobility messages with WLC1
  • Original client database is not moved between WLCs
  • WLC1 marks the client with an *anchor* entry in its database and copies it to WLC2, which marks it as a *foreign* entry
  • Client maintains original IP
  • Client reauthenticated
  • New security session

Mobility Groups

  • WLCs peer with each other so as to support roaming
  • WLCs dynamically exchange mobility messages
  • Data is tunneled via EtherIP between anchor and foreign AP
  • Used for controller redundancy
  • Max 24 WLCs
  • Max APs depends on max of each WLC
  • Mobility list – group of controllers configured on a single controller that specifies members in different mobility groups
  • Controllers can communicate between mobility groups
  • Clients can roam between APs in different mobility groups if each WLC is included in the other's mobility list
  • Max WLC in mobility list 72 (v5.1) and 48 (v5.0)
  • Messages between controllers are exchanged in
    • UDP port 16666 for unencrypted
    • UDP port 16667 for encrypted
  • APs learn IP addresses of other members in mobility group after CAPWAP join process
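The three roam types (intracontroller, Layer 2 and Layer 3 intercontroller) and the mobility-list rule from the Mobility Groups list above, as an added example that is not code from the original notes or from Cisco. It models the client database each WLC keeps and shows what changes on each roam: the associated AP only, a moved entry, or an anchor entry left on WLC1 with a foreign copy on WLC2 so the client keeps its IP. Controller names, subnets, MAC addresses and mobility lists are constructed sample values; a client that is already foreign roaming on to a third controller is not modelled.

```python
"""Added example, not part of the original notes: a small model of the client
database kept by each WLC, showing how the three roam types in the notes update
it and how the mobility list gates intercontroller roaming.  Controller names,
subnets, MAC addresses and mobility lists are constructed sample values."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class ClientEntry:
    mac: str
    ip: str
    ap: str
    role: str = "local"        # "local", "anchor" (kept on WLC1) or "foreign" (copy on WLC2)
    security_session: int = 1  # bumped whenever a new security session is set up


@dataclass
class WLC:
    name: str
    subnet: ipaddress.IPv4Network
    mobility_list: set[str] = field(default_factory=set)   # names of peer controllers
    clients: dict[str, ClientEntry] = field(default_factory=dict)


def roam(mac: str, old_wlc: WLC, new_wlc: WLC, new_ap: str) -> str:
    """Move client `mac` from its current AP on old_wlc to new_ap on new_wlc and
    return the roam type.  Assumes the client's entry currently lives on old_wlc
    (a further L3 roam away from a foreign controller is not modelled)."""
    entry = old_wlc.clients[mac]

    if old_wlc is new_wlc:
        # Intracontroller: the same WLC updates the associated AP; IP and database stay.
        entry.ap = new_ap
        entry.security_session += 1
        return "intracontroller"

    # Intercontroller roaming requires each WLC to list the other in its mobility list.
    if new_wlc.name not in old_wlc.mobility_list or old_wlc.name not in new_wlc.mobility_list:
        raise PermissionError(f"{old_wlc.name} and {new_wlc.name} are not mobility peers")

    if old_wlc.subnet == new_wlc.subnet:
        # Layer 2: the client database entry moves from WLC1 to WLC2; IP unchanged.
        moved = old_wlc.clients.pop(mac)
        moved.ap = new_ap
        moved.security_session += 1
        new_wlc.clients[mac] = moved
        return "L2 intercontroller"

    # Layer 3: WLC1 keeps the original entry marked *anchor* and WLC2 gets a copy
    # marked *foreign*; traffic is tunnelled back to the anchor so the IP survives.
    entry.role = "anchor"
    new_wlc.clients[mac] = ClientEntry(mac=mac, ip=entry.ip, ap=new_ap, role="foreign",
                                       security_session=entry.security_session + 1)
    return "L3 intercontroller"


def build_sample_network() -> dict[str, WLC]:
    """Constructed sample: three peered controllers, two on one subnet, plus an outsider."""
    peers = {"WLC1", "WLC2", "WLC3"}
    wlcs = {
        "WLC1": WLC("WLC1", ipaddress.ip_network("10.1.1.0/24"), peers - {"WLC1"}),
        "WLC2": WLC("WLC2", ipaddress.ip_network("10.1.1.0/24"), peers - {"WLC2"}),
        "WLC3": WLC("WLC3", ipaddress.ip_network("10.2.2.0/24"), peers - {"WLC3"}),
        "WLC4": WLC("WLC4", ipaddress.ip_network("10.3.3.0/24")),   # in nobody's mobility list
    }
    wlcs["WLC1"].clients["aa:bb:cc:dd:ee:01"] = ClientEntry(
        mac="aa:bb:cc:dd:ee:01", ip="10.1.1.50", ap="AP1")
    return wlcs


if __name__ == "__main__":
    net = build_sample_network()
    mac = "aa:bb:cc:dd:ee:01"
    print(roam(mac, net["WLC1"], net["WLC1"], "AP2"))   # intracontroller
    print(roam(mac, net["WLC1"], net["WLC2"], "AP3"))   # L2 intercontroller
    print(roam(mac, net["WLC2"], net["WLC3"], "AP4"))   # L3 intercontroller
```

Walking the sample client through all three roams leaves its IP at 10.1.1.50 throughout, with WLC2 holding the anchor entry and WLC3 the foreign one after the last step; an attempt to roam on to WLC4, which is in no mobility list, is refused.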

(Recommended)

  • Minimize intercontroller roaming in network
  • < 10 ms RTT latency between controllers
  • L2 is more efficient than L3 roaming because L3 roaming uses asymmetric communication
  • To speed up and secure roaming use:
    • Proactive key caching (PKC) or
    • Cisco Compatible Extensions (CCKM) Version 4
