Not too long ago I was assigned to a troubleshooting and remediation project for a hospital here in the SF bay area. The problem, after much troubleshooting and lab recreations, was determined to be due to a unique issue with client roaming and authentication. During the course of troubleshooting my coworker and I often found ourselves explaining 802.1X and 802.11i to others working on the troubleshooting effort, or requesting technical updates. So based on that experience, I started thinking this might be a good topic to cover here.
Let’s review some of the typical components of the enterprise wireless security model.
What is 802.1X?
802.1X is not a protocol, but rather a framework for a “port-based” access control method. 802.1X was initially created for use in switches, hence the port-based terminology, which really doesn’t fit too well in wireless since users don’t connect to a port. In the 802.11 world it is meant as a logical concept. 802.1X was adopted for wireless networks with the creation of 802.11i to provide authenticated access to wireless networks. At a high level, the framework allows a client that has connected to the WLAN to remain in a blocked port status until it has been authenticated by an AAA server. Essentially the only traffic allowed through this virtual blocked port is EAP traffic; things like HTTP would be dropped.
What is EAP?
EAP (Extensible Authentication Protocol) is the authentication method used by 802.1X. It can take on various forms, such as PEAP, EAP-TLS and EAP-FAST, to name a few. One thing to remember when determining which EAP type to use in your network is that it depends on what your client and AAA server support. That is it: your AP or AP/controller hardware or code version plays no part in which EAP type is supported, unless your AP/controller is acting as the AAA server, but I’ll stay away from that in this post. I think this can be a point of confusion for people who haven’t read much or anything about EAP methods. So, if someone asks what version of EAP the AP will support, all you need to do is ask them what their client and AAA server support.
What is 802.11i?
Simply put, 802.11i is an amendment to the original 802.11 standard to address the well documented security shortcomings of WEP. It incorporates WPA as a part of the 802.11i amendment and adds the fully approved WPA2 with the AES encryption method. 802.11i introduces the concept of a Robust Security Network (RSN) with the Four-Way Handshake and the Group Key Handshake.
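To show what the RSN Four-Way Handshake actually does after 802.1X/EAP has produced the Pairwise Master Key, here is an added example (not code from the original post) that derives the PTK on both the supplicant and authenticator side with the 802.11i PRF-384 key expansion and checks the EAPOL-Key MIC of message 2. The PMK, MAC addresses and nonces are constructed values; in a live network the PMK comes out of the EAP exchange and the nonces are random.

```python
import hmac
import hashlib

# Constructed demonstration values (not real keys, addresses or nonces).
PMK = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # 32-byte PMK, normally from EAP
AA = bytes.fromhex("000000000001")     # authenticator (AP) MAC address, constructed
SPA = bytes.fromhex("000000000002")    # supplicant (client) MAC address, constructed
ANONCE = bytes(range(32))              # random in a real AP
SNONCE = bytes(range(32, 64))          # random in a real client


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, 2."""
    out = b""
    for i in range(3):   # 3 * 20 bytes covers the 48 bytes a CCMP PTK needs
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    Returns (KCK, KEK, TK), 16 bytes each; KCK protects the handshake itself."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_384(pmk, b"Pairwise key expansion", data)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 key MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(supplicant_pmk: bytes, authenticator_pmk: bytes) -> bool:
    """Messages 1 and 2 of the handshake; True if the authenticator accepts the client's MIC.
    Message 1 (AP -> client) carries ANonce and no MIC; message 2 (client -> AP)
    carries SNonce plus a MIC, which proves the client holds the same PMK."""
    kck_sup, _, _ = derive_ptk(supplicant_pmk, AA, SPA, ANONCE, SNONCE)
    msg2 = b"EAPOL-Key|SNonce=" + SNONCE            # constructed stand-in for the frame body
    mic = eapol_mic(kck_sup, msg2)
    # The AP derives its own PTK from the same inputs and verifies the MIC.
    kck_auth, _, _ = derive_ptk(authenticator_pmk, AA, SPA, ANONCE, SNONCE)
    return hmac.compare_digest(mic, eapol_mic(kck_auth, msg2))


if __name__ == "__main__":
    print("matching PMK accepted:", four_way_handshake(PMK, PMK))
    print("wrong PMK accepted:   ", four_way_handshake(b"\x00" * 32, PMK))
```

A station that associated but never completed EAP has no PMK, so its message 2 fails this MIC check and the 802.1X port stays blocked.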
Tags: 802.11, 802.11i, 802.1x, AAA server, access point, access points, EAP, EAP-FAST, EAP-TLS, engineer, engineers, PEAP, wi-fi, wifi, wireless, wireless controller, wireless LAN, wlan, WLC
As organizations look to improve operations through centralized control, they often need to take into account what would happen if an area of the network fails. In many cases, having a centralized controller-based wireless architecture in organizations with multiple branch offices has prompted the question, “What happens if the WAN is slow, or even worse, goes down?”
Many organizations have been reluctant to implement a centralized wireless controller located in the data center or private cloud due to this concern. Without centralized control, these organizations have two deployment strategies available to them:
- Implement wireless controllers at each branch site. This approach is perfectly fine for an organization with many access points per branch, or those that require high throughput for applications such as video. However, many branches only require a few access points per location, or only run simple applications such as bar-code scanning and printing. For these organizations, local controllers become less cost effective, with the capital expense becoming prohibitive.
- Implement access points running in autonomous mode. This approach eliminates the benefits of any kind of centralized control, such as the ability to centrally configure wireless policy and security settings on access points, WIPS capabilities and advanced mobility services like CleanAir, leaving the branch vulnerable and opening the corporate network to attacks.
Tags: access point, AP, WAN, wi-fi, wifi, wireless, wireless controller, wlan
When Cisco conducted an industry survey a few months back, the research revealed that 61% of employees believe they don’t need to be in an office to be productive – and two-thirds of employees place a higher value on workplace flexibility than salary. Attitudes toward working remotely have certainly shifted over recent years, as working from home is no longer seen as a privilege – it’s expected.
But for just about any employee who has ever needed to work from home, getting a home office wireless network up and running can be time consuming, even if you already have an existing home network. By the time you change network profiles, start VPN clients, and deal with security concerns, not to mention time spent on the phone with the corporate IT helpdesk, you can easily spend a good chunk of your day setting up and configuring your wireless network.
But once again, Cisco can help.
Cisco announced today new OfficeExtend wireless solutions designed to make the whole teleworking process painless for both the remote worker and the IT manager back at the corporate office. With the new OfficeExtend wireless solutions from Cisco, not only can you have home network profiles for personal use, but as an additional feature, the very same corporate WLAN profiles and security that you use at the office can now be replicated at home. Better yet, the new wireless solutions require no intervention from end users, since IT departments can remotely manage home access points alongside the rest of their corporate infrastructure.
Tags: 802.11n, access point, Aironet, AP, Cisco, Cisco 2500 Series, Cisco Aironet 600, Cisco Catalyst 6500, Cisco ClientLink, Cisco Connected World Report, Cisco ISR G2 Services-Ready Engine, Cisco VideoStream, Cisco Wireless Business Unit, Cisco Wireless Services Module, cleanair, controller, dual radio, Hotspot, mobility, OfficeExtend, service providers, videoscape, wi-fi, wireless, wireless controller, WiSM2, WNBU