SWAN Infrastructure Authentication

The first phase of deploying a SWAN-enabled WLAN network is to enable infrastructure authentication between WDS client APs and the WDS server. The requirement for infrastructure authentication is to securely authenticate each WDS client AP (as well as each WLSE) to the WDS server and secure the communication between the WDS client APs and the WDS server. This also allows the WDS server to easily identify the authorized APs in a SWAN-enabled network.

Figure 9-3 illustrates the infrastructure authentication message exchange between WDS client APs, the WDS server, and the RADIUS server. The communication link between WLSE and the WDS server is also authenticated and authorized using infrastructure authentication. As shown in Figure 9-3, the WDS client AP(s) and WLSE authenticate via the WDS server to the RADIUS server. This is enabled using EAP authentication between the WDS clients and the WDS server using a user ID and password credentials. It is recommended that you create a unique user ID and password per WDS client AP (and also per WLSE) on the RADIUS server to authenticate with the WDS server. After the WDS client (WDS client AP or the WLSE) is authenticated, a key known as the Context Transfer Key (CTK) is derived simultaneously by the WDS client and the RADIUS server. At the end of successful EAP authentication, the RADIUS server securely communicates the CTK to the WDS server. Using this shared key (CTK) as the master key, encryption keys for WLCCP traffic are derived and periodically refreshed to secure the control traffic between the WDS client and the WDS server.

Autodiscovery of authorized APs can be executed on the WLSE using the WDS server, where the WDS server communicates information regarding authorized APs to the WLSE. In this scenario, the Cisco Discovery Protocol (CDP) is not needed, and WLCCP is used to discover and monitor authorized APs throughout the SWAN-enabled WLAN network.

Chapter 12, "WLAN Security Configuration Guidelines and Examples," discusses configuration required on the WDS clients (WDS client APs and the WLSE), the WDS server, and the RADIUS server to enable infrastructure authentication for both SWAN nonswitching deployment mode and the SWAN central switching deployment mode.