Vertical Deployment Examples

This section covers WLAN deployment examples in key vertical markets, including retail, education, healthcare, manufacturing, and finance. Wireless access is used as the primary network access method in certain verticals such as retail and healthcare. An example (or two) for each vertical market is provided in this section, detailing WLAN applications, overall deployment criteria, and WLAN security implementation specifics to accommodate each unique environment.

In a retail deployment, multiple APs typically are deployed across a store. (The number of required APs depends on the store's size.) The WLAN APs and infrastructure are connected to a store's wired infrastructure, which in turn is connected to the central HQ via a WAN link. The WLAN link BW typically is limited between the central HQ and the store, and the backup connectivity mechanism is dialup ISDN, where usage is limited to critical applications such as credit card transaction processing. One of the major challenges in WLAN deployment for a retail environment is legacy handhelds. Legacy handhelds deployed to work with 900-MHz and frequency hopping (FH) wireless technologies are prevalent in the retail environment. These handhelds use DOS or a vendor-proprietary operating system and have limited processor capability. Typically, these handhelds are deployed in hundreds per store and take a long time to be replaced with newer Windows CE?based devices. Migrating the legacy handhelds to be 802.11b compliant and providing sufficient security are the major design and implementation challenges.

WLAN deployment in healthcare also brings specific challenges. Healthcare professionals tend to be highly mobile, and proper RF, mobility, and security design play a key role in ensuring continuous and secure connectivity throughout a health institution. Deployment criteria such as Layer 3 roaming and session persistence must be considered in conjunction with a security deployment in a healthcare environment. Session persistence is required because users could temporarily roam out of a WLAN coverage area, during which time the user application sessions must be sustained (that is, the WLAN infrastructure should not disconnect the user). Additionally, the Health Insurance Portability and Accountability Act (HIPPA) in the United States or equivalent laws around the world must be complied with for a healthcare WLAN deployment.

A WLAN deployment in an education environment such as a university campus also has unique requirements. For example, the IT department might standardize on WLAN infrastructure; however, students are allowed to bring any laptop with their choice of OS and WLAN NIC adapter. This creates challenges with standardizing on a specific WLAN security mechanism for the user community, including the students and faculty/staff. Typically, WLAN connectivity is considered the primary connectivity mechanism for students to access learning materials. User authentication is considered a must to only allow access to valid users; however, data confidentiality is not considered a must because nonconfidential learning material is typically shared over the WLAN medium. However, both user authentication and data confidentiality are usually required for faculty and teaching staff to secure their communication over the WLAN.

Mobility is a key requirement in a manufacturing environment in which mobile workers (such as forklift drivers within a warehouse) use several applications, including inventory management. Similar to the healthcare environment, fast Layer 2/Layer 3 roaming and session persistence become critical in a manufacturing environment to facilitate the mobile workers. Also, similar to the retail environment, legacy devices along with new Windows CE devices (multivendor clients) must be facilitated.

Finally, a security deployment criterion to provide strong mutual user authentication along with data confidentiality are musts in financial environments. Due to strong regulatory requirements to protect individual financial data, strict security deployment criteria are used to ensure identity verification and end-to-end data protection. Typically, multiple layers of security (such as Layer 2 and Layer 3 user-based authentication and data confidentiality) are deployed in a financial WLAN deployment scenario.

Retail WLAN Deployment Example I

This deployment example is taken from a retail WLAN deployment. WLAN has been extensively deployed and used in retail store applications for the past two decades, including in inventory tracking (bar-code scanning), wireless-enabled cashier machines, wireless-enabled scales, printers, and so on. This deployment example is taken from a large-scale WLAN rollout for thousands of retail stores across the United States to provide primary network connectivity at each store. In this deployment scenario, one of the major deployment challenges was to enable user authentication and data confidentiality for legacy handhelds.

The customer deployment criteria include the following:

  • Legacy DOS-based handheld scanners (for example, Symbol PDT 6800 series scanners at http://www.symbol.com/) are supported.

  • Wireless printers and wireless VoIP devices are supported.

  • Mutual authentication and strong encryption (minimum dynamic WEP) are preferred.

  • No PKI (digital certificate) requirement exists for user authentication.

The customer deployment environment includes the following:

  • A reliable 64-Kbps Frame Relay link exists between a store and the corporate or regional HQ. A redundant WAN link is provided via dialup ISDN and limited for critical services (such as banking transactions).

  • Multiple devices types, including legacy DOS-based handheld scanners used for inventory tracking, new handheld PDAs (based on Palm OS) used for inventory tracking, VoIP handsets, wireless-enabled scales, printers, and cash registers, are deployed across each store.

  • A combination of Cisco Aironet 350 PCMCIA and non-Cisco (or non-CCX) adapters are deployed in different handhelds.

  • Microsoft AD infrastructure is deployed at the central HQ only.

  • A Cisco 2600 series router is used per store along with multiple Catalyst 3500 series switches.

WLAN Security Deployment Details

In this deployment scenario, a single "wireless cell" cannot be used to accommodate unique security requirements per device type. This is primarily due to the customer requirement to support legacy DOS-based handheld devices (static WEP capable only) and newer PDA devices (EAP/802.1x capable) along with VoIP devices. Therefore, multiple "virtual" wireless cells were deployed in which each virtual WLAN cell had a unique security implementation to suit a specific device type. Multiple virtual cells were enabled with the use of multiple wireless VLANs (SSIDs) in each store. Each SSID was mapped to a unique, wired VLAN where Layer 3/Layer 4?based policies were implemented on the store router. This enabled the administrator to enforce a specific security policy per wireless/wired VLAN. Figure 13-3 illustrates the overall deployment topology for this customer scenario. As shown in the figure, multiple SSIDs and VLANs are deployed to accommodate multiple security profiles (as desired for various devices) using a single WLAN infrastructure.

Figure 13-3. Retail WLAN Deployment Example I


Static WEP was enabled on the legacy wireless VLAN as the security mechanism for legacy DOS-based handheld scanners and wireless-enabled scales due to limited capabilities on these devices. In addition to static WEP, MAC address authentication was enabled to authenticate the legacy devices and the wireless-enabled scales. MAC addresses of these devices were centrally stored on the RADIUS infrastructure at the HQ site. However, these MAC addresses were locally stored on the WDS to MAC-address authenticate legacy devices during WAN link outage. Network access to these devices was limited to specific inventory servers using Layer 3 (IP address?based) ACLs on the store router.

New Palm OS handheld devices were integrated with Cisco Aironet PCMCIA adapters, and LEAP was enabled for mutual authentication with dynamic WEP for data confidentiality. The LEAP authentication credential was securely stored on the Palm OS device. Palm OS devices were deployed on wireless VLAN "storeEAP1" (configured to enable LEAP authentication with dynamic WEP) and were given appropriate network access rights using Layer 3/Layer 4 ACLs on the store router.

Wireless VoIP devices were deployed on a third SSID/VLAN (VoIP VLAN) and were given voice QoS along with access to Call Manager and VoIP voice gateway at each store. Cisco 7920 VoIP handsets were deployed with LEAP authentication, CCKM, and WPA-TKIP on the VoIP VLAN. CCKM enable fast secure roaming (as part of the Cisco SWAN solution) by expediting 802.1x roaming between APs for VoIP users. Without fast secure roaming implementation for VoIP users, 802.1x reauthentication would have been executed over the WAN link in this deployment scenario, which can result in variable (and possibly lengthy) delays during roaming between APs. Thus, the fast secure roaming feature significantly improved roaming performance to minimize delay and jitter for VoIP users in this deployment scenario.

On wireless VLAN "storeEAP2," LEAP was enabled with dynamic WEP for wireless-enabled printers (such as HP Jet direct 680n with 802.11b internal wireless print server). Employees used printing services across the store for various purposes. As with other devices, access to the wireless-enabled printers was limited using Layer 3 and Layer 4 ACLs on the store router.

A strong password policy was implemented for all LEAP-enabled devices (Cisco 7920 handsets and wireless-enabled printers) to mitigate risks due to the offline (passive) dictionary attack scenario. The IT department required a 16-character password with four nonalphanumeric characters to generate passwords for LEAP authentication. A user ID/password combination was securely stored on each device for LEAP authentication.

Finally, a fifth VLAN was created as the management VLAN for the APs. The management VLAN was not mapped to the radio interface, and access was restricted via AP's Ethernet interface with the use of Layer 3 and Layer 4 ACLs on the store router. ACLs on the store router were used to limit access to AP's management VLAN to allow only RADIUS and management traffic between the AP and the management (RADIUS server and WLSE) devices.

WDS and AAA Infrastructure Implementation Details

WDS was enabled on an AP1200 per store to enable fast secure roaming for VoIP devices and local authentication service for all LEAP devices. Alternatively, WDS services can be enabled on the store router if a Cisco 26xx or Cisco 36xx/37xx router is used as the store router.

In addition to using WDS to facilitate fast secure roaming via CCKM, RF management was enabled via WDS to facilitate RF monitoring at the store level, including functionality such as rogue AP detection. WLSE version 2.5 (and above) and AP IOS release 12.2(13) JA (and above) are required to enable RF monitoring functionality.

Each LEAP-enabled device at the store level was configured with a unique user account at the HQ RADIUS user database. LEAP user accounts for each store are grouped and maintained at the HQ RADIUS user database. In addition to this, user accounts for a specific store are distributed via WLSE template?based configuration to populate WDS at each store with appropriate user accounts. When devices are added and removed from each store, the HQ RADIUS database and the appropriate store local database (on the local store WDS) are updated.

When the primary WAN link is available, an initial LEAP authentication request is sent to the primary RADIUS infrastructure via the WAN link. However, when the WAN link fails, a local authentication service on the WDS AP authenticates the LEAP users during the initial client association and during 802.1x reauthentication (if required).

Deployment Challenges

One of the biggest challenges in this retail deployment was client management with regard to managing client firmware, drivers, and configuration. The Wavelink Avalanche solution was used to manage WLAN firmware, drivers, and configuration on clients from multivendors. Configuration management on the clients included static WEP-key management and LEAP authentication profile management. Another challenge was to configure a local WDS per store with the LEAP authentication credential for LEAP-enabled devices. As discussed previously, each LEAP-enabled device was configured with a unique authentication credential (username and password). WLSE was used to automate WDS configuration per store. A generic template was created using WLSE for WDS configuration across stores and a separate WDS template per store with unique configuration information such as relevant LEAP authentication credentials for LEAP-enabled devices used at each store.

Summary of Retail WLAN Deployment Example I

As discussed in this example, it is important to a provide a wired/wireless LAN infrastructure to accommodate multiple device types, each with its unique security requirement at the store level. In addition, the deployment model should provide capabilities to migrate from legacy retail deployment to a new deployment supporting 802.11i-capable devices.

Local WDS is required at each store level to facilitate fast secure roaming and RF management. Additionally, local authentication service is enabled on the WDS AP to facilitate fallback radius authentication service during the primary WAN link outage. However, the fallback (local) authentication service implementation does mandate that ongoing maintenance of the local user database is synchronized with the central HQ user database.

Retail WLAN Deployment Example II

This example is also taken from a retail WLAN deployment. WLAN connectivity was implemented as the primary network connectivity for several in-store applications, including inventory management. This example has deployment characteristics that are similar to Retail Example I. The overall architecture is such that legacy and new devices must be facilitated over a WLAN network, store-to-HQ WAN connectivity is nonredundant, and multivendor clients are deployed for various in-store applications.

The customer deployment criteria are as follows:

  • Support legacy DOS-based handheld scanners (such as Symbol PDT 6800 series scanners).

  • Enable a long-term transition to 802.11i standards?based security implementation.

    - Migrate legacy devices to new handheld PDAs (based on Windows CE).

  • Support wireless-enabled web tablets (HTML, web browser?enabled WLAN devices mounted on shopping carts) provided by retailer to shoppers.

    - Wireless-enabled web tablets are used to advertise special offers to shoppers.

  • Mutual authentication and strong encryption are preferred.

  • Possibly provide public hotspot service to customers at the deli section in the future.

The customer deployment environment is as follows:

  • Reliable 64-Kbps Frame Relay link between a store and the corporate or regional HQ. Redundant WAN link is provided via dialup 28.8 Public Switched Telephone Network (PSTN) link and is limited for critical services (such as banking transactions).

  • Multiple device types, including legacy DOS-based handheld scanners used for inventory tracking, new handheld PDAs (based on Windows CE) used for inventory tracking, and wireless-enabled tablets, are deployed at each store.

  • Multivendor WLAN NIC adapters (including Cisco NIC adapters) and embedded clients are deployed to facilitate in-store retail applications.

  • A Cisco 3700 series router is used per store along with 2900 series Catalyst switches.

Like Retail Example I, Cisco WLAN infrastructure (in this case, AP1100s) was used to enable multiple SSIDs and VLANs within the store. A dedicated wired switch (Cisco Catalyst 2900) was deployed per store to accommodate WLAN devices and users. Along with an additional wired switch, a Cisco 3700 router with firewall services was used to provide isolation between wired and wireless networks.

As shown in Figure 13-4, one wireless VLAN (SSID mapped to wired VLAN) was created to facilitate legacy DOS-based handheld devices. This VLAN, called legacy, was configured with static WEP. Legacy devices were only allowed to communicate with the inventory servers on the wired segment. Access privileges were limited to legacy VLAN using stateful firewall features on the in-store router (Cisco 3700). A second VLAN named legacy was created to allow only devices configured with EAP authentication and WPA. PEAP/MS-CHAPv2 was selected as the EAP protocol to facilitate the multivendor NICs used on PDAs (Windows-CE 4.2 or above) and web tablets (Windows XP based). However, the local RADIUS server was deployed due to lack of local authentication support for PEAP. A user authentication credential (user ID/password) was securely stored on each PEAP-capable device. Broader access privileges were allowed for legacy VLAN (as compared to legacy VLAN) using Cisco 3700 stateful firewall capabilities. A third VLAN could be implemented in the future to facilitate hotspot services for deli customers. Guest traffic could be groomed at the store router and tunneled to the hotspot service provider network. Stateful firewall services on the 3700 series routers could be used to enforce appropriate security policy on the hotspot VLAN.

Figure 13-4. Retail WLAN Deployment Example II


Cisco SWAN solution was implemented using WLSE 2.5 (and above) and a minimum of 12.2(13)JA IOS release on the APs. This enabled RF monitoring at the store level, including rogue AP detection and unauthorized activity detection on the hotspot VLAN.

As with Retail Example I, client management was one of the biggest challenges as far as managing multivendor client firmware, drivers, and configuration. The Wavelink Avalanche solution was used to manage WLAN firmware, drivers, and configuration on clients from multivendors. Configuration management on the clients included static WEP-key management and periodic static-WEP key rotation.

University WLAN Deployment Example

This WLAN deployment example is taken from a university environment. WLAN coverage is provided across the university to give students and staff access to the university network as well as Internet access. Typically, university deployments tend to be open architecture that is oriented to accommodate different types of devices, operating systems, and WLAN NIC adapters.

The customer deployment criteria include the following:

  • Authenticate students to back-end LDAP DB using HTTP redirect (application layer level authentication).

  • Provide mutual authentication and strong data confidentiality for staff.

  • Detect unauthorized WLAN activity across the campus network.

  • Support VoIP over WLAN deployment for staff and maintenance personnel.

The customer deployment environment is as follows:

  • Students can bring any WLAN-enabled laptop for network access.

    - The administrator does not and cannot standardize client OS or client NIC adapter.

    - Students are given a university account.

  • Staff members are standardized on Windows 2000 and Windows XP operating systems, along with Cisco Aironet 802.11a/b/g client NIC adapters.

  • Staff and student authentication credentials are kept in an LDAP database.

  • Cisco Secure ACS is standardized for the RADIUS infrastructure.

  • Cisco 7920 VoIP handsets are deployed across the campus.

Based on the previous deployment criteria and the deployment environment, multiple SSIDs/VLANs were enabled on the Aironet APs and wired infrastructure to accommodate students and staff. Figure 13-5 shows the use of multiple VLANs/SSIDs in a university WLAN deployment scenario. As shown in the figure, 802.1Q trunking was enabled to the APs to facilitate mapping of SSIDs to wired VLANs.

Figure 13-5. University WLAN Deployment Example


The wireless Student VLAN was provisioned with open/no WEP (that is, open access) across the campus as a result of the inability to standardize on any security model due to the nonstandardized client environment. All traffic from Student VLAN was routed to the core network, where Cisco Building Broadband Service Manager (BBSM) control led user access into the campus network. BBSM blocked all access at the Layer 3 level for unauthenticated users. Further, using the HTTP redirect functionality available on BBSM, unauthenticated students were redirected to the login web page. Using secure HTTP, students are requested to provide an authentication credential to BBSM, which in turn authenticates the student to the back-end LDAP DB. Note that secure HTTP is required to secure student authentication credentials from eavesdroppers. After successful authentication, student traffic is allowed into the campus network to access learning materials or the Internet. Note that data confidentiality is not provided here due to the nonstandardized client environment.

A second VLAN named "Staff" was provisioned across the campus to enable WLAN access with EAP/802.1x with the TKIP model. PEAP/GTC with WPA was implemented to provide mutual authentication and strong data confidentiality for staff users across the campus. The PEAP/GTC supplicant on the Cisco Aironet 802.11a/b/g client adapter was configured to obtain the LDAP DB authentication credential from the user and authenticate the user to the RADIUS infrastructure via back-end LDAP DB.

A third VLAN was created for VoIP deployment (named "VoIP"). LEAP with WPA was implemented for the VoIP VLAN to facilitate mutual authentication and strong data confidentiality. The IT administrator used a strong password policy of 14 characters with a combination of alphanumeric and nonalphanumeric characters to create the LEAP authentication credential for Cisco 7920 devices. VoIP authentication credentials were locally stored on the Cisco Secure ACS infrastructure. Also, the Cisco 7920 devices were configured to securely store the LEAP authentication credential. Fast secure roaming using the CCKM protocol was enabled on the VoIP VLAN.

Finally, a fourth VLAN was created as the management VLAN for the APs. The management VLAN was not mapped to the radio interface, and access was restricted via AP's Ethernet interface with the use of Layer 3 and Layer 4 ACLs at the distribution layer level (the Layer 3 termination point for the management VLAN). Layer 3 (IP address?based) and Layer 4 (for example, protocol-based) ACLs were used to limit access to AP's management VLAN to allow only RADIUS and management traffic between the AP and the management (RADIUS server and WLSE) devices.

WDS functionality was initially enabled on an active AP1200 (the AP services 802.11 clients and functioning as the WDS) or standalone AP1200 (the AP functions as the WDS and does not service 802.11 clients) located at each building to enable the SWAN solution and to facilitate fast secure roaming and RF management. RF management (also referred to as radio management) services include rogue AP detection and suppression, client anomaly detection, non-802.11 interference detection, and so on. WLSE version 2.5 and above and AP IOS release 12.2(13)JA and above are required to enable fast secure roaming and RF management services. As the network grows from a medium to large size (more than 200 APs), WDS functionality will be migrated to Catalyst 6500 switches equipped with WLSM to be deployed either at the building aggregation layer level or possibly at the data center level.

Wired deployment policies are not discussed in detail in this example, but the IT administrator implemented access controls for student, staff, and VoIP VLANs at the building distribution layer level (the Layer 3 termination point for these VLANs). Layer 3 and higher ACLs, in addition to policy-based routing (PBR) or the VPN virtual routing and forwarding (VRF) feature, can be used at the distribution layer level switch. For the student traffic aggregation, GRE tunnels can aggregate the student traffic from each building to a central aggregation point in the core network to be authenticated via the BBSM (or a BBSM-like device). Catalyst 6500 WLSM integration provides a much easier way to aggregate student, staff, and VoIP traffic to a central point in the wired network and apply appropriate security policies and an appropriate level of network access for each group of users.

One of the challenges in this deployment is the inability to provide data confidentiality to students due to the nonstandardized client environment. The long-term goal is to deploy WPA for students using Windows 2000 and XP platforms. However, if the student uses a non-Microsoft OS that does not support WPA, a third-party supplicant can be purchased with a per-supplicant license fee.

Financial WLAN Deployment Example I

This deployment example is taken from a financial WLAN deployment. In this scenario, WLAN deployment is considered an overlay network deployment and is used for non-mission-critical financial applications. Initially, WLAN is deployed within restricted areas with the intention of expanding coverage globally across all locations.

The customer deployment criteria are as follows:

  • WLAN users have mutual authentication and strong encryption.

    - Hardware token?based One Time Password (OTP) authentication is the preferred user authentication method.

  • Minimize client management. Minimize the number of SW components to be managed on the WLAN client for user authentication and encryption.

  • Monitor WLAN deployment to detect unauthorized activity.

The customer deployment environment is as follows:

  • Wireless LAN users are standardized on Windows 2000 and XP.

  • WLAN users are standardized on Cisco Aironet client NICs and embedded CCX laptop clients.

  • RSA secure ID infrastructure is deployed for OTP authentication.

  • Central (corporate and regional HQ) to remote sites have redundant WAN links.

    - Redundant WAN links can be relied on to provide reliable RADIUS service to authenticate remote WLAN users.

  • A subset of the user community (sales representatives and support personal) is mobile within a country and at times across the globe.

  • The long-term plan is to migrate to 802.11i-compliant AES implementation on WLAN clients and WLAN infrastructure.

Based on the preceding deployment criteria and deployment environment, EAP/802.1x with WPA was chosen as the security model. The initial deployment covered about 1000 users at multiple locations (primarily executive staff). PEAP/GTC was implemented to facilitate OTP user authentication. Cisco Aironet client NIC adapters and CCXv2 laptops were chosen to support both PEAP/GTC and WPA. Selected clients were upgradeable to 802.11i-compliant AES implementation via firmware and software upgrade. User laptops were configured for PEAP/GTC authentication with WPA. The user was required to enter an OTP authentication credential using his or her hardware-based token. ACS infrastructure was configured to relay PEAP/GTC user authentication to the RSA secure ID server. A public PKI entity (such as VeriSign) was used to issue RADIUS server certificates for the ACS infrastructure for PEAP authentication. PEAP/GTC clients were configured to trust the certificate from this public PKI entity and belonging to the "FinancialCompany.com" domain. Note that most operating systems (including Windows) are usually populated with trusted PKI entity certificates.

The Cisco AP1200 platform was deployed to facilitate dual-band (802.11a/b/g) deployment and to provide 802.11i-compliant security features (including AES). Deployment topology similar to that described in "Large Enterprise Example I" was used to facilitate future expansion and to support multiple types of applications. Initially, this meant deploying a single VLAN per building to accommodate the WLAN data users and, as the WLAN user population grew, possibly segmenting the users into multiple VLANs per building. Using isolated VLANs for WLAN deployment allowed the IT administrator to implement specific security policies per WLAN VLAN.

Finally, the SWAN solution was implemented to enable RF monitoring and rogue AP detection capabilities. This required WLSE 2.5 or above and AP IOS release 12.2(13)JA or above. This allowed the IT administrator to monitor for any unauthorized WLAN activity. As the network grows from medium to large, Catalyst 6500 equipped with WLSM can be considered to scale WDS services and to centrally aggregate both WLAN user and control traffic. Alternatively, the Catalyst 6500 WLSM deployment model (also known as the SWAN central switching deployment mode, discussed in Chapter 9) can be used from the beginning as the WLAN network grows from small (fewer than 50 APs) to large (more than 200 APs) across a large campus network. Secure management policy was implemented; Telnet was disabled and SSH was enabled. HTTP, SNMP, RADIUS, Wireless LAN Control and Context Protocol (WLCCP), and SSH traffic to the APs were restricted to allow access only from management servers (such as WLSE, Cisco Secure ACS, and so on).

One of the major challenges in this deployment was client management due to a continuous need to upgrade client firmware, drivers, and software to provide the latest security capabilities. IT tools such as the Altiris client management solution can automate client firmware, drivers, software, and configuration. Cisco ACAT tool can create an enterprise client configuration for Cisco Aironet adapters. Also, Cisco Installation Wizard packages drivers, firmware, and software together to enable automated upgrades.

Financial WLAN Deployment Example II

This example is also taken from a large financial WLAN deployment. In this scenario, WLAN deployment is the primary network used for mission-critical financial applications. Typical applications used over WLAN in this implementation were electronic trading applications, e-mail access, and intranet/Internet web browsing.

The customer deployment criteria are as follows:

  • Mutual authentication and strong encryption exists for WLAN users.

  • Provide user authentication and data confidentiality at both Layer 2 and Layer 3 levels.

  • Minimize manual user logon intervention to one time at the most and implement two-factor user authentication.

  • Minimize client management. Minimize the number of SW components to be managed on the WLAN client for user authentication and encryption.

  • Monitor WLAN deployment to detect unauthorized activity.

The customer deployment environment is as follows:

  • WLAN users are standardized on Windows 2000 and XP.

  • WLAN users are standardized on Cisco Aironet client NIC adapters and embedded CCX laptops.

  • The WLAN network is deployed at multiple locations across the globe.

  • RSA secure ID infrastructure is deployed to facilitate OTP user authentication.

Based on the preceding customer deployment criteria, EAP/802.1x with WPA and IPSec VPN over WLAN models were implemented to provide user authentication and data confidentiality at both Layer 2 and Layer 3 levels. OTP user authentication was implemented with IPSec VPN to facilitate two-factor authentication as required by the company security policy. EAP-FAST authentication with WPA was implemented as the Layer 2 security model. The user authentication credential was securely stored on the laptop to minimize user intervention during the Layer 2 authentication and authorization phase. Overall, the user is only required to provide the authentication credential once during the initial logon.

The typical IPSec VPN over WLAN deployment model leaves the WLAN network (Layer 2 network) unprotected (that is, EAP/802.1x with WPA is not implemented) possible DHCP starvation attacks and DNS targeted attacks are possible. These attacks are possible because IPSec VPN users require DHCP services and possibly DNS services before successfully authenticating with the network. However, the combined Layer 2 and Layer 3 security model prevents these attacks albeit with increased deployment complexity. In this deployment scenario, successful Layer 2 authentication enables the user to obtain a DHCP IP address and enables DNS services. However, all other traffic is blocked until successful Layer 3 IPSec VPN authentication and authorization. Layer 3 and Layer 4?based ACLs are used at the distribution layer level to allow only DHCP, DNS, RADIUS, and IPSec traffic into the network. The IPSec VPN session is also terminated at the distribution layer level (such as the VPNSM module on the Catalyst 6500 switch).

As shown in Figure 13-6, a single, isolated VLAN per building was created for WLAN users. If necessary, WLAN was segmented to one VLAN per X number of floors based on the number of users (to scale for broadcast traffic). Additionally, isolated VLANs were added in the long run for different applications such as VoIP and guest access. RADIUS and OTP authentication infrastructures were centralized at the corporate HQ for main campus deployment and the branch offices.

Figure 13-6. Financial WLAN Deployment Example II


Cisco SWAN solution was implemented to enable RF monitoring and rogue AP detection capabilities. In this implementation, WDS was enabled on the Catalyst 6500 switch equipped with WLSM at the distribution switch level (as shown in Figure 13-6) to enable RM data aggregation and forwarding to WLSE. This allowed the IT administrator to monitor for any unauthorized WLAN activity across the main campus deployments and at remote sites. As discussed in Chapter 9, all WLAN user traffic and control traffic is aggregated using the SWAN central switching deployment mode (such as using the Catalyst 6500 WLSM integration model). In addition to WLSM, the VPN Service Module (VPNSM) was integrated at the distribution switch level to terminate IPSec VPN users and allow access into the campus network.

Secure management policy was implemented; Telnet was disabled and SSH was enabled. HTTP, SNMP, RADIUS, WLCCP, TFTP, and SSH traffic to the APs was restricted to allow access only from management servers (such as WLSE, Cisco Secure ACS, and so on).

The major challenge in this deployment was to maintain client configuration and software components to facilitate both Layer 2 and Layer 3 security model implementations. Specifically, WPA/EAP supplicant and the VPN supplicant had to be maintained in the long term. Client-automated maintenance tools were created to facilitate this process.

Finally, note that if the WAN links between remote sites and the corporate HQ fail, WLAN users at remote sites cannot gain WLAN network access. This was deemed appropriate because most of the applications required servers located at the corporate HQ.

Healthcare WLAN Deployment Example I

This example is taken from a healthcare deployment. WLAN penetration has increased in hospital and patient clinic environments. WLAN deployment facilitates seamless roaming for medical staff members who use 802.11-enabled laptop and PDA-based devices to access patient care information.

The healthcare mobile applications include the following:

  • Mobile carts? These are mobile patient-care workstations that provide "point of care" services. Typically, mobile carts are used to access patient care information and are integrated with various healthcare applications. A mobile cart is assembled with various types of computer hardware, including a flat-screen LCD panel, CPU, hard disk, wireless network adapter, and external battery. Mobile carts are available from vendors such as Stinger Industries, Elliott DATA systems, and Tremont Medical.

  • e-dictation? This application is typically run on wireless-enabled iPAQ-based PDAs to automate radiology reporting and so on. Healthcare professionals use voice-recognition software along with predefined templates to record and transmit patient-care information over WLAN.

  • Patient monitoring? Real-tme patient monitoring applications are typically enabled over WLAN.

The customer deployment criteria are as follows:

  • A desire exists to deploy WLAN ubiquitously across all clinics and hospitals.

  • A scalable WLAN infrastructure can support 100,000+ users in 300+ locations.

  • Mutual authentication and strong encryption exist for WLAN users.

  • Single sign-on integrates WLAN authentication with Windows login.

  • Authenticate WLAN users to back-end AD infrastructure.

  • Applications include mobile carts and patient monitoring.

  • A desire exists to deploy wireless VoIP applications (on-call paging and so on).

  • Minimize client management. Minimize the number of SW components to be managed on the WLAN client for user authentication and encryption.

  • Detect unauthorized WLAN activity across clinics and hospitals.

  • A long-term strategy exists to migrate to PDAs and tablets.

  • A requirement exists to meet HIPPA compliance for securing patient information.

The customer deployment environment is as follows:

  • Wireless LAN users are standardized on the Windows 2000 platform (with long-term migration planned for Windows XP).

  • Microsoft AD infrastructure is deployed for user authentication.

  • Client adapters are standardized on embedded clients (CCXv2-compliant laptops).

  • Central and regional HQs (corporate NOC and regional NOCs) to remote sites have redundant WAN links.

    - Redundant WAN links can be relied on to provide reliable RADIUS service to authenticate remote WLAN users.

    - Each remote NOC and the central NOC have multiple RADIUS servers.

  • The user community (doctors and nurses) is mobile across clinics and hospitals.

Figure 13-7 describes the deployment topology for this implementation example. EAP/802.1x with TKIP was selected as the deployment model based on the preceding deployment criteria and deployment environment. PEAP/MS-CHAPv2 with WPA was deployed for mobile carts (with CCXv2-compliant PCs running Windows XP and Windows 2000 operating systems). LEAP, WPA TKIP, and CCKM were selected as the solution to enable fast secure roaming for VoIP devices (such as Cisco 802.11-enabled 7920 VoIP devices). To accommodate multiple security solutions, multiple VLANs/SSIDs were enabled on the Cisco WLAN infrastructure.

Figure 13-7. Healthcare WLAN Deployment Example I


Wireless VLAN "EAPandWPA" was provisioned for mobile cart devices that were configured with PEAP and WPA. A second wireless VLAN "VoIP" was provisioned for 802.11-enabled VoIP devices configured with LEAP, WPA-TKIP, CCKM, and voice QoS. The IT administrator used strong password policy to create 15-character passwords with multiple nonalphanumeric characters to be used for LEAP authentication on VoIP devices. A unique user ID/password was securely stored on each LEAP-enabled VoIP device. Additionally, wired Layer 3 ACLs were applied to the "VoIP" VLAN to limit access to the CallManager and the VoIP gateway.

Both PEAP and LEAP authentication credentials were stored in the distributed AD infrastructure to authenticate mobile health professionals between different clinics and hospitals. RADIUS and AD infrastructure were deployed at each regional NOC and the central NOC. RADIUS server certificates for PEAP authentication were obtained from a public PKI entity (such as VeriSign), and PEAP clients were configured to trust only certificates from VeriSign and those belonging to HealthcareCompany.com, where the company's domain information is incorporated within the RADIUS server certificate. This eliminated the requirement to distribute the trusted root CA entity certificate. (Microsoft and most operating systems by default contain trusted public PKI entity certificates.)

One of the major deployment issues addressed was RADIUS server scalability. To scale to support multiple thousands of users per region, multiple RADIUS servers were deployed at each regional NOC and at the central NOC. (Multiple ACS servers were deployed at the central NOC, and a minimum of two ACS servers were deployed per regional NOC.) A load balancer product (such as Cisco Catalyst 6500 server content switching module) was used to load balance between multiple RADIUS servers. WLAN infrastructure at each clinic was configured to communicate with a regional or central NOC RADIUS infrastructure as the primary server and a different NOC as the secondary NOC. This provided redundancy for RADIUS servers during primary NOC failure.

Cisco SWAN solution was deployed to enable WDS, which facilitated fast secure roaming (requires AP IOS release 12.2[11]JA and above). In addition to fast secure roaming, RF monitoring was implemented to enable the wireless IDS capability including rogue AP detection (requires WLSE 2.5 and above and AP IOS release 12.2[13]JA and above). Initially, WDS was deployed on a single-radio AP1200 at each clinic and hospital (one per subnet). As the WLAN deployment grew, WDS functionality was migrated to the Cisco switching infrastructure (the Catalyst 6500 switch equipped with Supervisor 720 module and the WLSM).

Long-term migration is planned to enable 802.11i-standardized AES implementation for the mobile carts. This requires a driver, firmware, and supplicant update on the CCX-compliant WLAN NIC adapter (used on the mobile carts). Thus, the need to upgrade the CCX clients to add new security and management features is an ongoing operational challenge. Client management applications such as Altiris automated this process.

Healthcare WLAN Deployment Example II

This example is taken from a distributed healthcare deployment. WLAN deployment facilitates seamless roaming for medical staff members who use WLAN and laptop-based devices to access patient care information. In this example, the WLAN deployment covers approximately 600+ clinics throughout a country.

The customer deployment criteria include the following:

  • A desire exists to deploy WLAN ubiquitously across all 600+ clinics.

  • Mutual authentication and strong encryption exists for WLAN users.

  • Provide local fall-back EAP authentication service to users on the local clinic AP.

  • 802.11-enabled laptops (for physicians and nurses) can facilitate instantaneous access to patient-care information and so on.

  • Minimize client management. Minimize the number of SW components to be managed on the WLAN client for user authentication and encryption.

  • Remotely monitor RF activity across all clinics, including rogue AP detection.

  • HIPPA compliance is required (user-based authentication and strong data encryption).

The customer deployment environment is as follows:

  • Distributed WLAN infrastructure supports 3000 users in 600+ locations (on average 5 users per location).

  • Each clinic has one AP1200 deployed (maximum two APs deployed at some clinics).

  • Most of the staff is restricted to one location with the exception of specialists, who roam among multiple locations.

  • Wireless LAN users are standardized on the Windows XP platform.

  • Client adapters are standardized on embedded clients (CCXv2-compliant laptops).

  • Microsoft AD infrastructure is deployed for user authentication.

  • Each clinic has one WAN link for connectivity to the central NOC.

    - Under WAN link failure conditions, the dialup ISDN link provides connectivity for mission-critical services (credit card transactions and so on).

Figure 13-8 illustrates the deployment topology for this example. As shown in the figure, sites 1 to N (N represents the clinic number) have the WLAN network deployed in a distributed fashion. Based on the preceding customer deployment criteria and deployment environment, EAP/802.1x with WPA was selected as the security model. Specifically, Cisco LEAP was selected due to the local authentication feature requirement under WAN link failure conditions. LEAP accounts were created for physicians and nurses on the RADIUS infrastructure. The IT administrator used a strong password policy of a 14-character password with at least four nonalphanumeric characters to create a strong LEAP authentication credential to minimize risks due to offline dictionary attacks. The LEAP authentication credential was securely stored using the WLAN supplicant on each CCX-compliant laptop.

Figure 13-8. Healthcare WLAN Deployment Example II


An AP1200 per location (most of the locations contained only one AP) was configured as the local authenticator. The LEAP authentication credential for all users per local location was securely stored on the AP. One of the challenges in this deployment was to populate LEAP authentication user accounts per location and continuously synchronize the local database with the central RADIUS database. Along with the local authentication service, WDS was deployed to enable radio management services, including rogue AP detection. AP IOS release 12.2(13) JA or above and WLSE 2.5 or above are required to enable radio management services, including rogue AP detection, rogue AP suppression, and RF monitoring. In this deployment, WLSE was centrally positioned at the HQ, where RF management data was collected over the WAN link via WDS at each clinic.

Finally, as with other deployments, the continuous need to upgrade CCX clients to add new security and management functionality was addressed. Client management tools (such as Altiris) automated periodic client driver, firmware, and supplicant upgrades.

Manufacturing WLAN Deployment Example

This example is taken from a manufacturing deployment. Many mobile devices enable applications with stateful communication. Typical manufacturing applications include inventory tracking and so on. A combination of new and legacy devices was deployed across the manufacturing floor.

The customer deployment criteria include the following:

  • Support mobile users. A typical application would be a laptop on a forklift to enable inventory tracking.

  • Support legacy DOS-based handheld scanners (such as Symbol PDT 6800 series scanners).

  • Support wireless VoIP devices.

  • Mutual authentication and strong encryption (minimum dynamic WEP) are preferred.

The customer deployment environment is as follows:

  • Multiple, large manufacturers are to be facilitated with WLAN access as the primary network connectivity within a country.

    - Each manufacturing facility is 200,000 square feet or larger. Both wired and WLAN infrastructures are deployed across a manufacturing facility.

    - High bandwidth and redundant WLAN links are provided between a manufacturing facility and the regional/corporate NOCs.

  • Multiple device types, including legacy DOS-based handheld scanners used for inventory tracking, new handheld PDAs (based on Windows CE) and Windows XP?based laptops used for inventory tracking, and WLAN-enabled VoIP handsets, are deployed across the manufacturing floor.

  • A combination of Cisco Aironet client adapters and non-Cisco/non-CCX adapters is deployed in different devices along with CCXv2 certified laptops.

  • Microsoft AD infrastructure and Cisco Secure ACS infrastructure are deployed at each manufacturing location and at the central HQ.

  • Cisco Catalyst 3500 series switches are deployed at the building access layer level, and Catalyst 6500 switches are deployed at the building distribution layer level.

As shown in Figure 13-9, multiple SSIDs and VLANs were enabled on Cisco APs to facilitate multiple levels of security. Each SSID was mapped to a unique wired VLAN where Layer 3 and Layer 4?based policies were implemented on the building distribution Layer 3 switch. This enabled the administrator to enforce the specific security policy per wireless/wired VLAN.

Figure 13-9. Manufacturing WLAN Deployment Example


On wireless VLAN, the "Legacy" static WEP was enabled as the security mechanism for legacy DOS-based handheld scanners due to limited capabilities on these devices. In addition to static WEP, MAC address authentication was enabled to authenticate the legacy devices. MAC addresses of these devices were stored on the regional RADIUS infrastructure and on the HQ RADIUS infrastructure. The regional NOC RADIUS infrastructure was used as the primary server for MAC address authentication, and HQ RADIUS infrastructure was used as the secondary (or fall-back) server.

New PDA devices based on the Windows CE OS and Windows XP laptops were integrated with CCX client adapters, and EAP-FAST was enabled for mutual authentication with WPA for data confidentiality. A second SSID/VLAN called "EAPandWPA" was enabled on the WLAN infrastructure to allow EAP-FAST authentication with WPA. Similar to MAC address authentication, the regional NOC RADIUS infrastructure was used as the primary server for EAP-FAST authentication, whereas the central NOC was used as the redundant fall-back server. The Cisco Secure ACS RADIUS server was configured to relay the EAP-FAST authentication request to the Microsoft AD infrastructure.

A third VLAN/SSID called "VoIP" was created to facilitate Cisco 7920 wireless VoIP handsets. This wireless/wired VLAN was given voice QoS along with access to CallManager and VoIP voice gateway. Cisco 7920 VoIP handsets were deployed with LEAP authentication, CCKM, and WPA-TKIP to enable fast secure roaming on the VoIP VLAN. A separate VoIP account was provisioned per user on the Microsoft AD infrastructure, along with strong password policy with a minimum 10-character password using a combination of alphanumeric and nonalphanumeric characters.

On the "EAPandWPA" wireless VLAN, fast secure roaming was configured (CCKM was enabled) for PDAs (Windows CE?based) and Windows XP?based mobile laptop devices using EAP-FAST authentication with WPA-TKIP for data confidentiality. When EAP-FAST and LEAP users roam from AP to AP, the roaming process is expedited using the fast secure roaming services available via WDS. This ensures that stateful communication is maintained for mobile devices and jitter and latency are controlled for VoIP devices.

Finally, a fourth VLAN was created as the management VLAN for the APs. The management VLAN was not mapped to the radio interface, and access was restricted via the AP's Ethernet interface with the use of Layer 3 and Layer 4 ACLs on the distribution switch. ACLs were used to limit access to the AP's management VLAN to only allow RADIUS and management traffic between the AP and the management (RADIUS server and WLSE) devices.

A pair of Catalyst 6500 switches equipped with WLSMs and supervisor 720 modules was deployed at the data center level to groom all WLAN user traffic and to enable scalable WDS services for the entire WLAN network. Appropriate security policies for each user/device group were applied at the WLAN traffic aggregation switch level. (Layer 3/Layer 4 ACLs were implemented on the mGRE tunnel interfaces on the Catalyst 6500 supervisor.) In addition to using the WDS to facilitate fast secure roaming via CCKM, RF management (including rogue AP detection and suppression) was enabled via WDS to facilitate RF monitoring at each facility.

One of the biggest challenges in this manufacturing deployment was client management with regard to managing client firmware, drivers, and configuration. The Wavelink Avalanche solution was used to manage WLAN firmware, drivers, and configuration on clients from multivendors. Configuration management on the clients included static WEP-key management, LEAP authentication profile, and EAP-FAST authentication profile management. Overall, this deployment provides capabilities to facilitate legacy and new handheld devices, typical manufacturing applications, and VoIP over WLAN.