WLAN Deployment Modes and Security Features

The Cisco wireless LAN solution can be deployed in different modes to suit large, medium, or small branch offices and remote networks. Three basic WLAN deployment modes are available:

  • Standalone AP deployment mode: In this deployment mode, the AP provides full 802.11 functionality (acting as an 802.11 infrastructure device) along with security, QoS, and Layer 2 mobility.

  • SWAN nonswitching deployment mode: In this SWAN deployment mode, the AP provides full 802.11 functionality along with QoS functionality. Several security functions, including Layer 2 Fast Secure Roaming, local 802.1x authentication service, and radio management functions, are centralized at the WDS server level.

  • SWAN central switching deployment mode: In this SWAN deployment mode, the AP provides full 802.11 functionality along with QoS functionality. Both data (802.11 user traffic) and control traffic (Wireless LAN Control Context Protocol [WLCCP] traffic) are aggregated and forwarded through the central switch, such as the Catalyst 6500, equipped with a WLAN services module. The central switch is enabled with a WDS server to provide 802.11 user data aggregation, end-to-end security, Layer 2 fast secure roaming, Layer 3 roaming, WDS scalability, centralized management (including RF management), and QoS functions. The 802.11 user traffic is encapsulated using the generic routing encapsulation (GRE) protocol and is tunneled from the APs to the central switch.

The standalone AP mode is the traditional deployment mode and will continue to be used in WLAN networks. Hot-spot WLAN networks are likely to use the standalone AP deployment mode if the service provider chooses not to deploy the WDS (nonswitching) mode. SWAN nonswitching deployment mode, in which the WDS server typically runs on an AP or a router, can be deployed in small, medium, and branch office networks and in specific hot-spot deployments (for example, in a coffee shop WLAN deployment). Figure 9-1 illustrates the SWAN nonswitching deployment mode in a small, medium, or branch office scenario.

Figure 9-1. SWAN Nonswitching Deployment Mode


In Figure 9-1, an AP or a router can be used as the WDS server to aggregate all control messages. Fast secure roaming services using the Cisco Centralized Key Management (CCKM) protocol can be deployed for Cisco and CCX clients in this deployment mode. The WDS server enables fast secure roaming using the CCKM protocol for EAP/802.1x clients (both Cisco and CCX) associated with Cisco APs. Fast secure roaming services for EAP/802.1x clients are explained in detail later in this chapter. Radio monitoring (RM) services are also enabled using this deployment mode. When RM services are enabled, Cisco APs, Cisco clients, and CCX clients collect RF network information and forward it to the WDS server. Fast secure roaming and RM functions are enabled between the WDS client APs and the WDS server using the WLCCP protocol. Finally, fast secure roaming using CCKM and the RM functions are not supported for third-party (that is, non-Cisco and non-CCX) clients.

Central switching deployment mode is a newly introduced wired/wireless integration capability on the Cisco Catalyst series switches. Figure 9-2 illustrates a sample deployment topology for the central switching solution. As shown in the figure, the APs can be placed multiple IP hops away from the central switch. The GRE tunneling architecture (specifically the mGRE tunnel architecture) aggregates the wireless user traffic and transports it to the central switch. WDS services are enabled on the central switch, where all control traffic is aggregated from the WDS client APs. This single point of ingress provides the capability to apply various security and QoS policies on the central switch. It is recommended that you integrate the central switching mode for WLAN/wired LAN integration at the distribution layer, but it alternatively can be located in the data center. Finally, note that the switching infrastructure between the AP and the central switch is transparent with respect to WLAN traffic aggregation and does not need to have WDS services enabled.

Figure 9-2. SWAN Central Switching Deployment Mode


It should be noted that mGRE architecture creates a Layer 3 overlay network on top of the existing building access layer. That is, no configuration change is required to integrate the central switching solution to provide the wireless/wired integration capabilities. However, you could choose to implement an isolated VLAN for wireless users (at each floor level) as a security best practice. The following traffic types are tunneled or natively bridged by the AP:

  • IP unicast and multicast WLAN user traffic is GRE tunneled upstream/downstream between the AP and the switch.

    Note

    You are encouraged to check the latest SWAN documentation on the Cisco website for details on how IP unicast, multicast, and broadcast messages are handled in the SWAN central switching deployment mode.


  • IP broadcast WLAN user traffic can be tunneled upstream and downstream between the AP and the central switch except for Address Resolution Protocol (ARP) messages. Note that IP broadcast tunneling is disabled by default.

    - ARP queries will not be forwarded to the central switch; the AP will perform proxy ARP using the MAC address of the central switch.

    - Certain client implementations use ARP to check whether a given IP address is in use by other hosts, in which case the ARP messages contain targetIP = srcIP. The AP will forward such ARP requests to the central switch for processing.

  • Non-IP traffic is not tunneled between the AP and the central switch; rather, non-IP traffic will be locally bridged by the AP via the native infrastructure (for example, the access layer level switch).

  • Control (WLCCP) traffic will not be tunneled and is bridged (using the AP's native VLAN if 802.1Q trunking is enabled) by the AP via the native infrastructure (for example, the access layer level switch).
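To make the tunneling and ARP rules above concrete, here is an added Python model (written for this text, not Cisco code) of the upstream decision a WDS client AP makes in central switching mode: it reads the client frame's Ethertype, tunnels IP unicast and multicast, tunnels IP broadcast only when broadcast tunneling is enabled, bridges non-IP locally, and for ARP compares sender and target IP to tell an address-in-use probe (forwarded to the switch) from a normal query (answered by proxy ARP with the switch MAC). The central switch MAC, the sample client frames and the return labels are constructed; how the AP treats ARP opcodes other than requests is not stated on the page and is an assumption.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
# Constructed sample value: MAC of the central switch, which the AP answers with when proxying ARP.
CENTRAL_SWITCH_MAC = bytes.fromhex("00aabbccdd01")


def classify_upstream(frame: bytes, broadcast_tunneling: bool = False) -> str:
    """Decide how the WDS client AP handles one client frame (Ethernet form) in central switching mode."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    body = frame[14:]
    if ethertype == ETHERTYPE_ARP:
        # ARP layout: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
        if len(body) < 28:
            raise ValueError("truncated ARP")
        oper, spa, tpa = struct.unpack("!H", body[6:8])[0], body[14:18], body[24:28]
        if oper != 1:
            return "not-tunneled"              # ARP replies: not covered by the page (assumption)
        if spa == tpa:
            return "forward-to-central-switch"  # address-in-use probe: the switch processes it
        return "proxy-arp-reply"               # normal query: the AP answers with the switch MAC
    if ethertype == ETHERTYPE_IPV4:
        if len(body) < 20:
            raise ValueError("truncated IPv4 header")
        dst_ip = IPv4Address(body[16:20])
        if frame[:6] == b"\xff" * 6 or dst_ip == IPv4Address("255.255.255.255"):
            return "gre-tunnel" if broadcast_tunneling else "broadcast-not-tunneled"
        return "gre-tunnel"                    # unicast and multicast user traffic
    return "local-bridge"                      # non-IP traffic stays on the access layer


def build_proxy_arp_reply(request: bytes) -> bytes:
    """Reply the AP sends for a normal ARP request: the switch MAC as the resolved hardware address."""
    body = request[14:]
    sha, spa, tpa = body[8:14], body[14:18], body[24:28]
    arp = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 2)
           + CENTRAL_SWITCH_MAC + tpa + sha + spa)
    return sha + CENTRAL_SWITCH_MAC + struct.pack("!H", ETHERTYPE_ARP) + arp


def arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Constructed sample ARP request from a wireless client (broadcast Ethernet frame)."""
    arp = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + sender_mac
           + IPv4Address(sender_ip).packed + bytes(6) + IPv4Address(target_ip).packed)
    return b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP) + arp
```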

It should be noted that all EAP/802.1x authentication messages, RM messages (such as radio measurements), successful 802.11 associations, and other control messages are forwarded to the WDS server running on the central switch via WLCCP. As a deployment requirement, each AP (referred to as WDS client AP) should be configured with the WDS authentication credential. After the WDS client AP is authenticated to the WDS server, the control path is secured (using RC4 encryption and HMAC-MD5 data integrity protection) between the WDS client AP and the WDS server. The WLCCP traffic is sent using the native (management) VLAN of the AP (when VLAN trunking is enabled). The control (WLCCP) traffic is always bridged by the AP and is forwarded to the central switch via the native infrastructure.

Using the central switching integration mode, multiple layers of security can be enforced in which the first layer of security is at the AP level, the second layer of security is at the central switch level, and the third layer of security can be implemented using additional services that are available on the central switch.

Table 9-1 lists the security features that are available in each deployment mode. It should be noted that centralized configuration and software management for APs, bridges, fault monitoring, and trending and reporting functions are grouped as centralized network management.

Table 9-1. Security Feature Support for WLAN Deployment Modes

Columns: (1) Standalone AP Mode, (2) SWAN Nonswitching Deployment Mode, (3) SWAN Central Switching Deployment Mode

(1)  (2)  (3)  Security feature
Yes  Yes  Yes  802.1x/EAP user authentication
Yes  Yes  Yes  WEP, WPA, AES support (data confidentiality)
Yes  Yes  Yes  Multiple VLANs (user groups) support
Yes  Yes  Yes  Layer 2/Layer 3/Layer 4 security filters (AP level)
Yes  Yes  Yes  Admin authentication (TACACS+ or RADIUS)
Yes  Yes  Yes  SSH support on the AP
Yes  Yes  Yes  Local 802.1x RADIUS authentication service
Yes  Yes  Yes  Centralized network management via WLSE
Yes  Yes  Yes  Centralized security policy monitoring via WLSE
No   Yes  Yes  Infrastructure authentication
No   Yes  Yes  Layer 2 802.1x fast secure roaming (CCKM)
No   Yes  Yes  Rogue AP detection and suppression via WLSE
No   Yes  Yes  Non-802.11 interference detection
No   Yes  Yes  Integrated and standalone (scan-only) wireless IDS modes
No   Yes  Yes  WDS-based user tracking via WLSE
No   No   Yes  Layer 3 fast secure roaming and Layer 3 roaming (CCKM-enabled and non-CCKM)
No   No   Yes  Centralized WLAN user data aggregation on the switch (such as a single point of ingress using mGRE tunnels)
No   No   Yes  Centralized security management on the switch (Layer 3/Layer 4 ACLs, rate limiting, and so on)