Overview of SWAN Security Features

The Cisco SWAN solution provides several security features that support an end-to-end security implementation. These features are as follows:

  • Infrastructure and client EAP/802.1x authentication

  • Fast Secure Roaming (both Layer 2 and Layer 3) using Cisco Centralized Key Management (CCKM)

  • Radio management (RM) functions such as standalone or integrated wireless IDS mode for access points (APs), client-based scanning (Cisco/CCX clients), rogue AP detection and suppression, non-802.11 interference detection, and location management services (including user tracking)

  • Local 802.1x RADIUS authentication service

  • Security policy monitoring

  • Centralized WLAN user data aggregation (via the SWAN central switching mode)

Infrastructure and client EAP/802.1x authentication, Fast Secure Roaming, and radio management functions are bundled as wireless domain services (WDS). WDS is thus used to centralize control functions in a SWAN-enabled wireless and wired network. Because control functions are centralized in WDS, WLAN user mobility is expedited by the Fast Secure Roaming feature, and radio management functions scale well and are easily managed. An AP can function as a WDS server, a WDS client, or both. Alternatively, WDS can run on a Catalyst switch or on a router, in which case the switch or router acts as the WDS server in a SWAN-enabled network. WDS is available in AP IOS release 12.2(11)JA and later.

Infrastructure authentication is used to authenticate WDS client APs to the WDS server. During this process, a shared encryption key is derived via EAP authentication and used to secure traffic between the WDS client AP and the WDS server. To enable infrastructure authentication, EAP authentication credentials must be configured on each WDS client AP. Each WDS client AP authenticates with the RADIUS server through the WDS server, which secures the link between the AP and the WDS server.

Local 802.1x RADIUS authentication can be enabled on the WDS server or on a WDS client AP at a remote (branch) location to provide fallback RADIUS services. Radio management functions are enabled on the WDS server and WDS client APs, and also on Cisco and CCX clients, to take and report radio measurements. Using Cisco and CCX clients for radio measurements is optional, but it is recommended as a best practice where possible. These radio measurements drive the rogue AP detection/suppression, non-802.11 interference detection, and client tracking features.

CiscoWorks WLSE provides centralized wireless management functions, including network management, radio management, and security policy monitoring, in a SWAN-enabled wireless and wired network. Security policy monitoring can be enabled on the WLSE to verify that security policies are applied consistently across all deployed and managed APs. Alerts are generated for violations involving Service Set Identifier (SSID) broadcasts, 802.1x EAP settings, and Wired Equivalent Privacy (WEP). Alerts can be delivered by e-mail, syslog, or SNMP trap notifications. Finally, WLSE can be used to monitor the response time (and availability) of RADIUS servers, including Cisco Secure Access Control Server (ACS). Cisco EAP (LEAP), Protected EAP (PEAP), Flexible Authentication via Secure Tunneling EAP (EAP-FAST), and generic RADIUS authentication types are supported.
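To make the policy-monitoring idea concrete, the following added example (not WLSE or Cisco code) audits a small set of AP configurations for the three violation classes named above: WEP on the radio, SSIDs without EAP authentication, and SSID broadcast. It assumes each AP is described by Aironet IOS-style configuration lines; the two sample configurations are constructed for the example.

```python
# Illustrative WLAN security-policy audit modelled on the WLSE checks described
# above (added example, not WLSE or Cisco code). Assumes Aironet IOS-style AP
# config lines; the sample configs below are constructed for illustration.
import re

AP_CONFIGS = {
    "ap-floor1": """
dot11 ssid CORP
 authentication open eap eap_methods
 authentication key-management wpa cckm
interface Dot11Radio0
 encryption mode ciphers tkip""",
    "ap-branch7": """
dot11 ssid CORP
 authentication open
 guest-mode
interface Dot11Radio0
 encryption mode wep mandatory""",
}

def audit_ap(name, config):
    """Return (ap, violation) tuples for one AP configuration."""
    lines = [l.strip() for l in config.strip().splitlines()]
    alerts = []
    # Radio-level check: any WEP encryption mode violates the policy.
    if any(l.startswith("encryption mode wep") for l in lines):
        alerts.append((name, "WEP configured on radio"))
    # SSID-level checks: walk each 'dot11 ssid' block until an interface block.
    ssids, cur = {}, None
    for l in lines:
        m = re.match(r"dot11 ssid (\S+)$", l)
        if m:
            cur = ssids.setdefault(m.group(1), {"eap": False, "bcast": False})
        elif l.startswith("interface"):
            cur = None
        elif cur is not None and re.match(r"authentication (open|network-eap) .*\beap\b", l):
            cur["eap"] = True  # 802.1x/EAP required on the SSID
        elif cur is not None and l == "guest-mode":
            cur["bcast"] = True  # IOS keyword that enables SSID broadcast
    for s, st in ssids.items():
        if not st["eap"]:
            alerts.append((name, f"SSID {s}: 802.1x/EAP authentication not configured"))
        if st["bcast"]:
            alerts.append((name, f"SSID {s}: SSID broadcast (guest-mode) enabled"))
    return alerts

def audit_all(configs=AP_CONFIGS):
    """Audit every managed AP; returns the combined alert list."""
    return [a for n, c in sorted(configs.items()) for a in audit_ap(n, c)]
```

Each alert tuple is the kind of record a management system would forward by e-mail, syslog, or SNMP trap.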

SWAN central switching mode enables a multilayer security defense for WLAN deployments, Layer 3 fast secure roaming, and centralized policy control via the WLAN traffic aggregation switch. SWAN central switching mode is discussed in detail in the next section.