CCDA 640-864 Summary Notes – Chapter 5 – Day 11

Exam Topic 2 – Part 2: Cisco Unified Wireless Network (UWN) Architecture

LWAPP Discovery of WLC

LWAPP Image procedure:

CAPWAP Image procedure:

• CAPWAP AP sends a CAPWAP discovery request
• WLC responds withCAPWAP response within 60 seconds
  • WLC selection is configurable onWLC. AP selects according to the following order
    • Primary sysName (preconfigured)
    • Second sysName (preconfigured)
    • Tertiary sysName (preconfigured)
    • Master controller
    • WLC with greatest capacity for AP associations
  • If no response within 60 sec, AP uses LWAPP discovery
  • If no response within 60 seconds, step 1 is repeated
• AP sends CAPWAP response + derives encryption key
• Selects WLC and sends join request

WLAN Authentication

• Clients associate with AP
• Clients authenticate with authentication server (in wired net)
  • WLC sets up an EAP/ RADIUS tunnel with the authentication server

Authentication Options

EAP-Transport Layer Security (EAP-TLS)

• IETF Open Standard
• Rarely deployed
• Uses PKI with TLS and digital certificates to secure communication to the RADIUS server

Protected Extensible Authentication Protocol (PEAP)

• Open standard proposed by Cisco, Microsoft and RSA Security
• Most commonly deployed: PEAP/MSCHAPv2
• Similar to EAP-TTLS but requires a server side PKI cert to form a TLS tunnel
• PEAP-GTC delivers more generic authentication to a number of databases eg Novell Directory Services (NDS)

EAP-Tunneled TLS (EAP-TTLS)

• Developed by Funk Software and Certicom
• Widely supported across platforms
• Requires PKI certificate only on authentication server

Cisco Lightweight Extensible Authentication Protocol (LEAP)

• Cisco proprietary
• Supported in Cisco Certified Extensions (CCX) program
• Vulnerable to dictionary attacks

EAP-Flexible Authentication via Secure Tunneling (EAP-FAST)

• Proposed by Cisco to fix LEAP weaknesses
• Uses Protected Access Credential (PAC)
• Server certificates are optional
• Phases :
  • Phase 0 (Optional): PAC can be provisioned manually or dynamically
  • Phase 1: Client and AAA server use PAC to form TLS tunnel
  • Phase 2: Client sends info over tunnel

WLAN Controller Components

WLANs

• Have unique SSIDs
• Each has an interface in the WLC
• Each has parameters such as:
  • radio policies
  • QoS

Ports

• Physical connection to switch or router
• Default: 802.1q trunk port
• Can be combined into a single port-channel using link aggregation (LAG)
• Some WLC have a service port – out of band management

WLC Interfaces

• Logical connection mapping to a VLAN on wired network
• Each has a unique IP, gateway, port, VLAn tag and DHCP server

WLC Interface Types

Management interface

• Mandatory Interface
• Configured at setup
• Statically configured
• Usedfor
  • in-band management
  • Connectivity to AAA
  • L2 discovery and association

Service-port interface

• Optional Interface
• Configured at setup
• Statically configured
• Out of band management

AP manager interface

• Mandatory Interface except on 5508
• Configured at setup
• Statically configured
• Used for:
  • L3 discovery and association
• Has source IP of statically configured AP

Dynamic interface

• Dynamically configured (like VLAn)
• Used for WLAN client data

Virtual interface

• Mandatory Interface
• Configured at setup
• Statically configured
• Used for
  • L3 authentication
  • DHCP Relay support
  • Mobility management

• WLC supports only 1 LAG per controller. When enabled, all the physical ports except the service port are in the bundle
• WLC with LAG can only have 1 neighbour device

Roaming and Mobility Groups

Roaming:

• The ability to access network resources from common areas and in areas where it is difficult to run cabling
• Roaming occurs when the wireless client changes association from one AP to another
• Types:
  • intracontroller
  • intercontroller
    • L2
    • L3

Intracontroller Roaming:

• Client moves from AP to AP connected in the same WLC
• WLC updates the client’s database with the new associated AP but does not change client IP
• (optional) Client can be reauthenticated
• establishes new security association
• Client database remains on same WLC

Layer 2 Intercontroller Roaming

• Client moves from one AP to another AP in different WLC but same subnet
• No IP address change for client
• Client database is moved from WLC1 to 2
• Client is reauthenticated
• New security session

Layer 3 Intercontroller Roaming

• Client moves from one AP to another AP in different WLC  in different subnet
• Traffic is bridged to a different subnet
• Client associates to AP2, WLC2 changes mobility messages with WLC1
• Original client database is not moved between WLCs
• WLC1 marks the client with an *anchor* entry in database, copies it to WLC2 who marks it as a *foreign* entry
• Client maintains original IP
• Client reauthenticated
• New security session

Mobility Groups

• WLCs peer with each other so as to support roaming
• WLCs dynamically exchange mobility messages
• Data is tunneled via EtherIP between anchor and foreign AP
• Used for controller redundancy
• Max 24 WLCs
• Max APs depends on max of each WLC
• Mobility list – group of controllers configured on a single controller that specifies members in different mobility groups
• Controllers can communicate between mobility groups
• Clients can roam between APs in different mobility groups if WLC is included in each others mobility list
• Max WLC in mobility list 72 (v5.1) and 48 (v5.0)
• Messages between controllers are exchanged in
  • UDP port 16666 for unencrypted
  • UDP port 16667 for encrypted
• APs learn IP addresses of other members in mobility group after CAPWAP join process

(Recommended)

• Minimize intercontroller roaming in network
• < 10ms RTT latency etween controllers
• L2 is more efficient than L3 roaming because L3 roaming uses asymetric communication
• To speed up and secure roaming use\
  • Proactive key caching (PKC) or
  • Cisco Compatible Extensions (CCKM) Version 4