After reading this chapter, you should understand the following key concepts:

  • Three WLAN deployment modes are available using Cisco products: standalone AP mode, SWAN nonswitching deployment mode, and SWAN central switching deployment mode. SWAN deployment modes enable services such as fast secure roaming (both Layer 2 and Layer 3) for 802.1x users, radio management functions, security policy monitoring, and overall multilayer security defense implementation.

  • Infrastructure authentication is required in a SWAN-enabled network to secure the communication link between each WDS client AP and the WDS server.

  • Radio monitoring functions are enabled using integrated or standalone AP-based scanning and optional client scanning using Cisco and CCX clients.

  • Key radio management (RM) security functions to deploy are rogue AP detection and suppression, non-802.11 interference detection (to detect possible RF DoS attacks), and WDS-based client tracking.

  • Fast secure roaming is provided to expedite roaming for 802.1x clients. This is critical for latency-sensitive applications such as VoIP when using WPA (or 802.1x with dynamic WEP) as the security mechanism.

  • The local RADIUS authentication service is provided for branch/remote office scenarios in which the primary RADIUS server (located at corporate HQ) becomes unavailable (for example, due to WAN link failure). You can deploy the local 802.1x RADIUS service on a standalone AP, on a WDS client AP, or preferably on the WDS server.