Vertical Deployment Examples

Wireless VoIP devices were deployed on a third SSID/VLAN (VoIP VLAN) and were given voice QoS along with access to Call Manager and VoIP voice gateway at each store. Cisco 7920 VoIP handsets were deployed with LEAP authentication, CCKM, and WPA-TKIP on the VoIP VLAN. CCKM enable fast secure roaming (as part of the Cisco SWAN solution) by expediting 802.1x roaming between APs for VoIP users. Without fast secure roaming implementation for VoIP users, 802.1x reauthentication would have been executed over the WAN link in this deployment scenario, which can result in variable (and possibly lengthy) delays during roaming between APs. Thus, the fast secure roaming feature significantly improved roaming performance to minimize delay and jitter for VoIP users in this deployment scenario.

On wireless VLAN "storeEAP2," LEAP was enabled with dynamic WEP for wireless-enabled printers (such as HP Jet direct 680n with 802.11b internal wireless print server). Employees used printing services across the store for various purposes. As with other devices, access to the wireless-enabled printers was limited using Layer 3 and Layer 4 ACLs on the store router.

A strong password policy was implemented for all LEAP-enabled devices (Cisco 7920 handsets and wireless-enabled printers) to mitigate risks due to the offline (passive) dictionary attack scenario. The IT department required a 16-character password with four nonalphanumeric characters to generate passwords for LEAP authentication. A user ID/password combination was securely stored on each device for LEAP authentication.

Finally, a fifth VLAN was created as the management VLAN for the APs. The management VLAN was not mapped to the radio interface, and access was restricted via AP's Ethernet interface with the use of Layer 3 and Layer 4 ACLs on the store router. ACLs on the store router were used to limit access to AP's management VLAN to allow only RADIUS and management traffic between the AP and the management (RADIUS server and WLSE) devices.

WDS and AAA Infrastructure Implementation Details

WDS was enabled on an AP1200 per store to enable fast secure roaming for VoIP devices and local authentication service for all LEAP devices. Alternatively, WDS services can be enabled on the store router if a Cisco 26xx or Cisco 36xx/37xx router is used as the store router.

In addition to using WDS to facilitate fast secure roaming via CCKM, RF management was enabled via WDS to facilitate RF monitoring at the store level, including functionality such as rogue AP detection. WLSE version 2.5 (and above) and AP IOS release 12.2(13) JA (and above) are required to enable RF monitoring functionality.

Each LEAP-enabled device at the store level was configured with a unique user account at the HQ RADIUS user database. LEAP user accounts for each store are grouped and maintained at the HQ RADIUS user database. In addition to this, user accounts for a specific store are distributed via WLSE template?based configuration to populate WDS at each store with appropriate user accounts. When devices are added and removed from each store, the HQ RADIUS database and the appropriate store local database (on the local store WDS) are updated.

When the primary WAN link is available, an initial LEAP authentication request is sent to the primary RADIUS infrastructure via the WAN link. However, when the WAN link fails, a local authentication service on the WDS AP authenticates the LEAP users during the initial client association and during 802.1x reauthentication (if required).

Deployment Challenges

One of the biggest challenges in this retail deployment was client management with regard to managing client firmware, drivers, and configuration. The Wavelink Avalanche solution was used to manage WLAN firmware, drivers, and configuration on clients from multivendors. Configuration management on the clients included static WEP-key management and LEAP authentication profile management. Another challenge was to configure a local WDS per store with the LEAP authentication credential for LEAP-enabled devices. As discussed previously, each LEAP-enabled device was configured with a unique authentication credential (username and password). WLSE was used to automate WDS configuration per store. A generic template was created using WLSE for WDS configuration across stores and a separate WDS template per store with unique configuration information such as relevant LEAP authentication credentials for LEAP-enabled devices used at each store.

Summary of Retail WLAN Deployment Example I

As discussed in this example, it is important to a provide a wired/wireless LAN infrastructure to accommodate multiple device types, each with its unique security requirement at the store level. In addition, the deployment model should provide capabilities to migrate from legacy retail deployment to a new deployment supporting 802.11i-capable devices.

Local WDS is required at each store level to facilitate fast secure roaming and RF management. Additionally, local authentication service is enabled on the WDS AP to facilitate fallback radius authentication service during the primary WAN link outage. However, the fallback (local) authentication service implementation does mandate that ongoing maintenance of the local user database is synchronized with the central HQ user database.

Retail WLAN Deployment Example II

This example is also taken from a retail WLAN deployment. WLAN connectivity was implemented as the primary network connectivity for several in-store applications, including inventory management. This example has deployment characteristics that are similar to Retail Example I. The overall architecture is such that legacy and new devices must be facilitated over a WLAN network, store-to-HQ WAN connectivity is nonredundant, and multivendor clients are deployed for various in-store applications.

The customer deployment criteria are as follows:

• Support legacy DOS-based handheld scanners (such as Symbol PDT 6800 series scanners).

• Enable a long-term transition to 802.11i standards?based security implementation.

  - Migrate legacy devices to new handheld PDAs (based on Windows CE).

• Support wireless-enabled web tablets (HTML, web browser?enabled WLAN devices mounted on shopping carts) provided by retailer to shoppers.

  - Wireless-enabled web tablets are used to advertise special offers to shoppers.

• Mutual authentication and strong encryption are preferred.

• Possibly provide public hotspot service to customers at the deli section in the future.

The customer deployment environment is as follows:

• Reliable 64-Kbps Frame Relay link between a store and the corporate or regional HQ. Redundant WAN link is provided via dialup 28.8 Public Switched Telephone Network (PSTN) link and is limited for critical services (such as banking transactions).

• Multiple device types, including legacy DOS-based handheld scanners used for inventory tracking, new handheld PDAs (based on Windows CE) used for inventory tracking, and wireless-enabled tablets, are deployed at each store.

• Multivendor WLAN NIC adapters (including Cisco NIC adapters) and embedded clients are deployed to facilitate in-store retail applications.

• A Cisco 3700 series router is used per store along with 2900 series Catalyst switches.

Like Retail Example I, Cisco WLAN infrastructure (in this case, AP1100s) was used to enable multiple SSIDs and VLANs within the store. A dedicated wired switch (Cisco Catalyst 2900) was deployed per store to accommodate WLAN devices and users. Along with an additional wired switch, a Cisco 3700 router with firewall services was used to provide isolation between wired and wireless networks.

As shown in Figure 13-4, one wireless VLAN (SSID mapped to wired VLAN) was created to facilitate legacy DOS-based handheld devices. This VLAN, called legacy, was configured with static WEP. Legacy devices were only allowed to communicate with the inventory servers on the wired segment. Access privileges were limited to legacy VLAN using stateful firewall features on the in-store router (Cisco 3700). A second VLAN named legacy was created to allow only devices configured with EAP authentication and WPA. PEAP/MS-CHAPv2 was selected as the EAP protocol to facilitate the multivendor NICs used on PDAs (Windows-CE 4.2 or above) and web tablets (Windows XP based). However, the local RADIUS server was deployed due to lack of local authentication support for PEAP. A user authentication credential (user ID/password) was securely stored on each PEAP-capable device. Broader access privileges were allowed for legacy VLAN (as compared to legacy VLAN) using Cisco 3700 stateful firewall capabilities. A third VLAN could be implemented in the future to facilitate hotspot services for deli customers. Guest traffic could be groomed at the store router and tunneled to the hotspot service provider network. Stateful firewall services on the 3700 series routers could be used to enforce appropriate security policy on the hotspot VLAN.

Cisco SWAN solution was implemented using WLSE 2.5 (and above) and a minimum of 12.2(13)JA IOS release on the APs. This enabled RF monitoring at the store level, including rogue AP detection and unauthorized activity detection on the hotspot VLAN.

As with Retail Example I, client management was one of the biggest challenges as far as managing multivendor client firmware, drivers, and configuration. The Wavelink Avalanche solution was used to manage WLAN firmware, drivers, and configuration on clients from multivendors. Configuration management on the clients included static WEP-key management and periodic static-WEP key rotation.

University WLAN Deployment Example

This WLAN deployment example is taken from a university environment. WLAN coverage is provided across the university to give students and staff access to the university network as well as Internet access. Typically, university deployments tend to be open architecture that is oriented to accommodate different types of devices, operating systems, and WLAN NIC adapters.

The customer deployment criteria include the following:

• Authenticate students to back-end LDAP DB using HTTP redirect (application layer level authentication).

• Provide mutual authentication and strong data confidentiality for staff.

• Detect unauthorized WLAN activity across the campus network.

• Support VoIP over WLAN deployment for staff and maintenance personnel.

The customer deployment environment is as follows:

• Students can bring any WLAN-enabled laptop for network access.

  - The administrator does not and cannot standardize client OS or client NIC adapter.

  - Students are given a university account.

• Staff members are standardized on Windows 2000 and Windows XP operating systems, along with Cisco Aironet 802.11a/b/g client NIC adapters.

• Staff and student authentication credentials are kept in an LDAP database.

• Cisco Secure ACS is standardized for the RADIUS infrastructure.

• Cisco 7920 VoIP handsets are deployed across the campus.

Based on the previous deployment criteria and the deployment environment, multiple SSIDs/VLANs were enabled on the Aironet APs and wired infrastructure to accommodate students and staff. Figure 13-5 shows the use of multiple VLANs/SSIDs in a university WLAN deployment scenario. As shown in the figure, 802.1Q trunking was enabled to the APs to facilitate mapping of SSIDs to wired VLANs.

The wireless Student VLAN was provisioned with open/no WEP (that is, open access) across the campus as a result of the inability to standardize on any security model due to the nonstandardized client environment. All traffic from Student VLAN was routed to the core network, where Cisco Building Broadband Service Manager (BBSM) control led user access into the campus network. BBSM blocked all access at the Layer 3 level for unauthenticated users. Further, using the HTTP redirect functionality available on BBSM, unauthenticated students were redirected to the login web page. Using secure HTTP, students are requested to provide an authentication credential to BBSM, which in turn authenticates the student to the back-end LDAP DB. Note that secure HTTP is required to secure student authentication credentials from eavesdroppers. After successful authentication, student traffic is allowed into the campus network to access learning materials or the Internet. Note that data confidentiality is not provided here due to the nonstandardized client environment.

A second VLAN named "Staff" was provisioned across the campus to enable WLAN access with EAP/802.1x with the TKIP model. PEAP/GTC with WPA was implemented to provide mutual authentication and strong data confidentiality for staff users across the campus. The PEAP/GTC supplicant on the Cisco Aironet 802.11a/b/g client adapter was configured to obtain the LDAP DB authentication credential from the user and authenticate the user to the RADIUS infrastructure via back-end LDAP DB.

A third VLAN was created for VoIP deployment (named "VoIP"). LEAP with WPA was implemented for the VoIP VLAN to facilitate mutual authentication and strong data confidentiality. The IT administrator used a strong password policy of 14 characters with a combination of alphanumeric and nonalphanumeric characters to create the LEAP authentication credential for Cisco 7920 devices. VoIP authentication credentials were locally stored on the Cisco Secure ACS infrastructure. Also, the Cisco 7920 devices were configured to securely store the LEAP authentication credential. Fast secure roaming using the CCKM protocol was enabled on the VoIP VLAN.

Finally, a fourth VLAN was created as the management VLAN for the APs. The management VLAN was not mapped to the radio interface, and access was restricted via AP's Ethernet interface with the use of Layer 3 and Layer 4 ACLs at the distribution layer level (the Layer 3 termination point for the management VLAN). Layer 3 (IP address?based) and Layer 4 (for example, protocol-based) ACLs were used to limit access to AP's management VLAN to allow only RADIUS and management traffic between the AP and the management (RADIUS server and WLSE) devices.

WDS functionality was initially enabled on an active AP1200 (the AP services 802.11 clients and functioning as the WDS) or standalone AP1200 (the AP functions as the WDS and does not service 802.11 clients) located at each building to enable the SWAN solution and to facilitate fast secure roaming and RF management. RF management (also referred to as radio management) services include rogue AP detection and suppression, client anomaly detection, non-802.11 interference detection, and so on. WLSE version 2.5 and above and AP IOS release 12.2(13)JA and above are required to enable fast secure roaming and RF management services. As the network grows from a medium to large size (more than 200 APs), WDS functionality will be migrated to Catalyst 6500 switches equipped with WLSM to be deployed either at the building aggregation layer level or possibly at the data center level.

One of the challenges in this deployment is the inability to provide data confidentiality to students due to the nonstandardized client environment. The long-term goal is to deploy WPA for students using Windows 2000 and XP platforms. However, if the student uses a non-Microsoft OS that does not support WPA, a third-party supplicant can be purchased with a per-supplicant license fee.

Financial WLAN Deployment Example I

This deployment example is taken from a financial WLAN deployment. In this scenario, WLAN deployment is considered an overlay network deployment and is used for non-mission-critical financial applications. Initially, WLAN is deployed within restricted areas with the intention of expanding coverage globally across all locations.

The customer deployment criteria are as follows:

• WLAN users have mutual authentication and strong encryption.

  - Hardware token?based One Time Password (OTP) authentication is the preferred user authentication method.

• Minimize client management. Minimize the number of SW components to be managed on the WLAN client for user authentication and encryption.

• Monitor WLAN deployment to detect unauthorized activity.

The customer deployment environment is as follows:

• Wireless LAN users are standardized on Windows 2000 and XP.

• WLAN users are standardized on Cisco Aironet client NICs and embedded CCX laptop clients.

• RSA secure ID infrastructure is deployed for OTP authentication.

• Central (corporate and regional HQ) to remote sites have redundant WAN links.

  - Redundant WAN links can be relied on to provide reliable RADIUS service to authenticate remote WLAN users.

• A subset of the user community (sales representatives and support personal) is mobile within a country and at times across the globe.

• The long-term plan is to migrate to 802.11i-compliant AES implementation on WLAN clients and WLAN infrastructure.

Based on the preceding deployment criteria and deployment environment, EAP/802.1x with WPA was chosen as the security model. The initial deployment covered about 1000 users at multiple locations (primarily executive staff). PEAP/GTC was implemented to facilitate OTP user authentication. Cisco Aironet client NIC adapters and CCXv2 laptops were chosen to support both PEAP/GTC and WPA. Selected clients were upgradeable to 802.11i-compliant AES implementation via firmware and software upgrade. User laptops were configured for PEAP/GTC authentication with WPA. The user was required to enter an OTP authentication credential using his or her hardware-based token. ACS infrastructure was configured to relay PEAP/GTC user authentication to the RSA secure ID server. A public PKI entity (such as VeriSign) was used to issue RADIUS server certificates for the ACS infrastructure for PEAP authentication. PEAP/GTC clients were configured to trust the certificate from this public PKI entity and belonging to the "FinancialCompany.com" domain. Note that most operating systems (including Windows) are usually populated with trusted PKI entity certificates.

The Cisco AP1200 platform was deployed to facilitate dual-band (802.11a/b/g) deployment and to provide 802.11i-compliant security features (including AES). Deployment topology similar to that described in "Large Enterprise Example I" was used to facilitate future expansion and to support multiple types of applications. Initially, this meant deploying a single VLAN per building to accommodate the WLAN data users and, as the WLAN user population grew, possibly segmenting the users into multiple VLANs per building. Using isolated VLANs for WLAN deployment allowed the IT administrator to implement specific security policies per WLAN VLAN.

Finally, the SWAN solution was implemented to enable RF monitoring and rogue AP detection capabilities. This required WLSE 2.5 or above and AP IOS release 12.2(13)JA or above. This allowed the IT administrator to monitor for any unauthorized WLAN activity. As the network grows from medium to large, Catalyst 6500 equipped with WLSM can be considered to scale WDS services and to centrally aggregate both WLAN user and control traffic. Alternatively, the Catalyst 6500 WLSM deployment model (also known as the SWAN central switching deployment mode, discussed in Chapter 9) can be used from the beginning as the WLAN network grows from small (fewer than 50 APs) to large (more than 200 APs) across a large campus network. Secure management policy was implemented; Telnet was disabled and SSH was enabled. HTTP, SNMP, RADIUS, Wireless LAN Control and Context Protocol (WLCCP), and SSH traffic to the APs were restricted to allow access only from management servers (such as WLSE, Cisco Secure ACS, and so on).

One of the major challenges in this deployment was client management due to a continuous need to upgrade client firmware, drivers, and software to provide the latest security capabilities. IT tools such as the Altiris client management solution can automate client firmware, drivers, software, and configuration. Cisco ACAT tool can create an enterprise client configuration for Cisco Aironet adapters. Also, Cisco Installation Wizard packages drivers, firmware, and software together to enable automated upgrades.

Financial WLAN Deployment Example II

This example is also taken from a large financial WLAN deployment. In this scenario, WLAN deployment is the primary network used for mission-critical financial applications. Typical applications used over WLAN in this implementation were electronic trading applications, e-mail access, and intranet/Internet web browsing.

The customer deployment criteria are as follows:

• Mutual authentication and strong encryption exists for WLAN users.

• Provide user authentication and data confidentiality at both Layer 2 and Layer 3 levels.

• Minimize manual user logon intervention to one time at the most and implement two-factor user authentication.

• Minimize client management. Minimize the number of SW components to be managed on the WLAN client for user authentication and encryption.

• Monitor WLAN deployment to detect unauthorized activity.

The customer deployment environment is as follows:

• WLAN users are standardized on Windows 2000 and XP.

• WLAN users are standardized on Cisco Aironet client NIC adapters and embedded CCX laptops.

• The WLAN network is deployed at multiple locations across the globe.

• RSA secure ID infrastructure is deployed to facilitate OTP user authentication.

Based on the preceding customer deployment criteria, EAP/802.1x with WPA and IPSec VPN over WLAN models were implemented to provide user authentication and data confidentiality at both Layer 2 and Layer 3 levels. OTP user authentication was implemented with IPSec VPN to facilitate two-factor authentication as required by the company security policy. EAP-FAST authentication with WPA was implemented as the Layer 2 security model. The user authentication credential was securely stored on the laptop to minimize user intervention during the Layer 2 authentication and authorization phase. Overall, the user is only required to provide the authentication credential once during the initial logon.

The typical IPSec VPN over WLAN deployment model leaves the WLAN network (Layer 2 network) unprotected (that is, EAP/802.1x with WPA is not implemented) possible DHCP starvation attacks and DNS targeted attacks are possible. These attacks are possible because IPSec VPN users require DHCP services and possibly DNS services before successfully authenticating with the network. However, the combined Layer 2 and Layer 3 security model prevents these attacks albeit with increased deployment complexity. In this deployment scenario, successful Layer 2 authentication enables the user to obtain a DHCP IP address and enables DNS services. However, all other traffic is blocked until successful Layer 3 IPSec VPN authentication and authorization. Layer 3 and Layer 4?based ACLs are used at the distribution layer level to allow only DHCP, DNS, RADIUS, and IPSec traffic into the network. The IPSec VPN session is also terminated at the distribution layer level (such as the VPNSM module on the Catalyst 6500 switch).

As shown in Figure 13-6, a single, isolated VLAN per building was created for WLAN users. If necessary, WLAN was segmented to one VLAN per X number of floors based on the number of users (to scale for broadcast traffic). Additionally, isolated VLANs were added in the long run for different applications such as VoIP and guest access. RADIUS and OTP authentication infrastructures were centralized at the corporate HQ for main campus deployment and the branch offices.

Healthcare WLAN Deployment Example II

This example is taken from a distributed healthcare deployment. WLAN deployment facilitates seamless roaming for medical staff members who use WLAN and laptop-based devices to access patient care information. In this example, the WLAN deployment covers approximately 600+ clinics throughout a country.

The customer deployment criteria include the following:

• A desire exists to deploy WLAN ubiquitously across all 600+ clinics.

• Mutual authentication and strong encryption exists for WLAN users.

• Provide local fall-back EAP authentication service to users on the local clinic AP.

• 802.11-enabled laptops (for physicians and nurses) can facilitate instantaneous access to patient-care information and so on.

• Minimize client management. Minimize the number of SW components to be managed on the WLAN client for user authentication and encryption.

• Remotely monitor RF activity across all clinics, including rogue AP detection.

• HIPPA compliance is required (user-based authentication and strong data encryption).

The customer deployment environment is as follows:

• Distributed WLAN infrastructure supports 3000 users in 600+ locations (on average 5 users per location).

• Each clinic has one AP1200 deployed (maximum two APs deployed at some clinics).

• Most of the staff is restricted to one location with the exception of specialists, who roam among multiple locations.

• Wireless LAN users are standardized on the Windows XP platform.

• Client adapters are standardized on embedded clients (CCXv2-compliant laptops).

• Microsoft AD infrastructure is deployed for user authentication.

• Each clinic has one WAN link for connectivity to the central NOC.

  - Under WAN link failure conditions, the dialup ISDN link provides connectivity for mission-critical services (credit card transactions and so on).

Figure 13-8 illustrates the deployment topology for this example. As shown in the figure, sites 1 to N (N represents the clinic number) have the WLAN network deployed in a distributed fashion. Based on the preceding customer deployment criteria and deployment environment, EAP/802.1x with WPA was selected as the security model. Specifically, Cisco LEAP was selected due to the local authentication feature requirement under WAN link failure conditions. LEAP accounts were created for physicians and nurses on the RADIUS infrastructure. The IT administrator used a strong password policy of a 14-character password with at least four nonalphanumeric characters to create a strong LEAP authentication credential to minimize risks due to offline dictionary attacks. The LEAP authentication credential was securely stored using the WLAN supplicant on each CCX-compliant laptop.

Finally, as with other deployments, the continuous need to upgrade CCX clients to add new security and management functionality was addressed. Client management tools (such as Altiris) automated periodic client driver, firmware, and supplicant upgrades.

Manufacturing WLAN Deployment Example

This example is taken from a manufacturing deployment. Many mobile devices enable applications with stateful communication. Typical manufacturing applications include inventory tracking and so on. A combination of new and legacy devices was deployed across the manufacturing floor.

The customer deployment criteria include the following:

• Support mobile users. A typical application would be a laptop on a forklift to enable inventory tracking.

• Support legacy DOS-based handheld scanners (such as Symbol PDT 6800 series scanners).

• Support wireless VoIP devices.

• Mutual authentication and strong encryption (minimum dynamic WEP) are preferred.

The customer deployment environment is as follows:

• Multiple, large manufacturers are to be facilitated with WLAN access as the primary network connectivity within a country.

  - Each manufacturing facility is 200,000 square feet or larger. Both wired and WLAN infrastructures are deployed across a manufacturing facility.

  - High bandwidth and redundant WLAN links are provided between a manufacturing facility and the regional/corporate NOCs.

• Multiple device types, including legacy DOS-based handheld scanners used for inventory tracking, new handheld PDAs (based on Windows CE) and Windows XP?based laptops used for inventory tracking, and WLAN-enabled VoIP handsets, are deployed across the manufacturing floor.

• A combination of Cisco Aironet client adapters and non-Cisco/non-CCX adapters is deployed in different devices along with CCXv2 certified laptops.

• Microsoft AD infrastructure and Cisco Secure ACS infrastructure are deployed at each manufacturing location and at the central HQ.

• Cisco Catalyst 3500 series switches are deployed at the building access layer level, and Catalyst 6500 switches are deployed at the building distribution layer level.

As shown in Figure 13-9, multiple SSIDs and VLANs were enabled on Cisco APs to facilitate multiple levels of security. Each SSID was mapped to a unique wired VLAN where Layer 3 and Layer 4?based policies were implemented on the building distribution Layer 3 switch. This enabled the administrator to enforce the specific security policy per wireless/wired VLAN.

On wireless VLAN, the "Legacy" static WEP was enabled as the security mechanism for legacy DOS-based handheld scanners due to limited capabilities on these devices. In addition to static WEP, MAC address authentication was enabled to authenticate the legacy devices. MAC addresses of these devices were stored on the regional RADIUS infrastructure and on the HQ RADIUS infrastructure. The regional NOC RADIUS infrastructure was used as the primary server for MAC address authentication, and HQ RADIUS infrastructure was used as the secondary (or fall-back) server.

New PDA devices based on the Windows CE OS and Windows XP laptops were integrated with CCX client adapters, and EAP-FAST was enabled for mutual authentication with WPA for data confidentiality. A second SSID/VLAN called "EAPandWPA" was enabled on the WLAN infrastructure to allow EAP-FAST authentication with WPA. Similar to MAC address authentication, the regional NOC RADIUS infrastructure was used as the primary server for EAP-FAST authentication, whereas the central NOC was used as the redundant fall-back server. The Cisco Secure ACS RADIUS server was configured to relay the EAP-FAST authentication request to the Microsoft AD infrastructure.

A third VLAN/SSID called "VoIP" was created to facilitate Cisco 7920 wireless VoIP handsets. This wireless/wired VLAN was given voice QoS along with access to CallManager and VoIP voice gateway. Cisco 7920 VoIP handsets were deployed with LEAP authentication, CCKM, and WPA-TKIP to enable fast secure roaming on the VoIP VLAN. A separate VoIP account was provisioned per user on the Microsoft AD infrastructure, along with strong password policy with a minimum 10-character password using a combination of alphanumeric and nonalphanumeric characters.

On the "EAPandWPA" wireless VLAN, fast secure roaming was configured (CCKM was enabled) for PDAs (Windows CE?based) and Windows XP?based mobile laptop devices using EAP-FAST authentication with WPA-TKIP for data confidentiality. When EAP-FAST and LEAP users roam from AP to AP, the roaming process is expedited using the fast secure roaming services available via WDS. This ensures that stateful communication is maintained for mobile devices and jitter and latency are controlled for VoIP devices.

Finally, a fourth VLAN was created as the management VLAN for the APs. The management VLAN was not mapped to the radio interface, and access was restricted via the AP's Ethernet interface with the use of Layer 3 and Layer 4 ACLs on the distribution switch. ACLs were used to limit access to the AP's management VLAN to only allow RADIUS and management traffic between the AP and the management (RADIUS server and WLSE) devices.

A pair of Catalyst 6500 switches equipped with WLSMs and supervisor 720 modules was deployed at the data center level to groom all WLAN user traffic and to enable scalable WDS services for the entire WLAN network. Appropriate security policies for each user/device group were applied at the WLAN traffic aggregation switch level. (Layer 3/Layer 4 ACLs were implemented on the mGRE tunnel interfaces on the Catalyst 6500 supervisor.) In addition to using the WDS to facilitate fast secure roaming via CCKM, RF management (including rogue AP detection and suppression) was enabled via WDS to facilitate RF monitoring at each facility.