1© 2000, Cisco Systems, Inc.
Wireless LAN Roadmap:Performance and
Hardware Features
1
Cisco Aironet 340 Series Wireless Cisco Aironet 340 Series Wireless LAN SolutionLAN Solution
• PC Card/PCI Client Adapters
• Access Points
• Line-of-Sight Bridge Products
• Antennas & Accessories
The Cisco Aironet 340 Series of 802.11b compliant high speed wireless solutions offers the best performance, manageability, scalability and security for both
in-building and building to building wireless applications
Editors’ Choice: Wireless LANs(PC Magazine, March 20000)
”Cisco Aironet Beats Rivals--With Ease”(Network Computing, Editors’ Choice July 2000)
WLAN Vision:WLAN Vision:Client OptionsClient Options
• Workgroup Bridges
– Plug and play wireless for single or multiple clients
• USB
– Easy to install NIC alternative
• Multi-function and embedded client devices
– In partnership with Xircom
• Client Drivers/Services
– Macintosh/Linux drivers
– Automated country radio localization
– Improved diagnostics tools
WLAN Vision: Performance WLAN Vision: Performance
IEEE 802.11a/b
Ratified
Radio
Network
Speed
1999 2000 2001
100 Mbps
Superset
5 GHz
6-54 Mbps
.11a Std
22 Mbps
.11b Ext.
900 MHz
11Mbps
2.4 GHz
802.11b Standard
Small, Medium and Large Enterprises High power and
performance
Telecommuter Cost and Manageability
2002
WLAN Vision:WLAN Vision:Infrastructure OptionsInfrastructure Options
W/C
Cisco Access Point 925
In-line pwrcapable switch
• Office applications
–Simplify and reduce installations costs
•In-line power
• Warehouse (extreme applications)
–Extended temperature
Telecommuter Base StationTelecommuter Base Station
• 802.11 compliant
• Fully managed
• Simplified configuration
• Embedded Modem and Ethernet
Designed for the WLAN TelecommuterDesigned for the WLAN Telecommuter
7© 2000, Cisco Systems, Inc.
Wireless LANsServices Directions
7
Cisco’s Services VisionCisco’s Services Vision
• Security
–Centralized device authentication
–Future flexible user authentication services
• Management
–Enhanced auto-configuration and enforcement for client/infrastructure
• Policy
–Enhanced PCF services for enterprise quality QoS
• Mobility
–Scale L2/L3 roaming services
Cisco Access Point 925
Security ServicesSecurity Services
• Current capabilities–No Encryption
–40-Bit Encryption
–128-Bit Encryption
–Hardware based encryption•Negligible performance impact (<3%)
–Mac-based exclusion filtering
• Encryption Choices (defined at Access Point)–No Encryption
–Allow client to specify (optional)
–Forced (Required)
Security Directions SummarySecurity Directions Summary
• Utilize HW-based 802.11 encryption
– Best price/performance
– Minimizes impact on client and network
• 1st phase (Committed): Device authentication
– Cell phone security analogy
– Supports all client device types
• 2nd phase: User authentication (in development)
– Universal user authentication through 802.1x Extensible Authentication Protocols (EAP)
Security Directions Summary Security Directions Summary (cont.)(cont.)
• Centralized Authentication
–Phase1: Enhanced RADIUS servers
•CiscoSecure Authentication Server
•Directory services integration through LDAP/X.500
–Phase 2: EAP support Kerberos & PKI support
• Dynamic Key Generation/Distribution
–Unique 128 bit key per user per session
–Roaming Pre-authentication
Centralized User-Based Centralized User-Based AuthenticationAuthentication
AuthenticatorAuthenticator(e.g. Access (e.g. Access
Point, Catalyst Point, Catalyst Switch)Switch)SupplicantSupplicant
Semi-Public Semi-Public Network /Network /Enterprise EdgeEnterprise Edge
AuthenticationAuthenticationServer such as Server such as ACS2000 v2.6ACS2000 v2.6
RADIUS
EAP Over Wireless/LAN
EAP Over Wireless/LAN
(EAPOW/EAPOL)
(EAPOW/EAPOL)
EAP Over
EAP Over
RADIUSRADIUS
Extended Enterprise(Branch Office, Home, etc.)
EnterpriseIntranet
Dynamic WEP Key ManagementDynamic WEP Key Management
EAPOL-Start
EAP-Request/IdentityEAP-Response/Identity
EAP-Request
Radius-Access-Request
Radius-Access-Challenge
EAP-Response (credential) Radius-Access-Request
EAP-Success
Access blocked
Radius-Access-Accept
RADIUSEAPOW
802.11802.11 Associate
Access allowedEAPW-Key (WEP)
Laptop computer
RADIUS
Fast Ethernet
Services in DevelopmentServices in Development
• Rogue AP detection requirement
– Only IT installed/configured devices deliver infrastructure access
– Authenticated clients learn trusted APs in area
– Untrusted APs are detected, reported and, if possible, isolated and shut down
•Investigating best way to control non-Cisco APs
AP Authentication
Wireless QoS VisionWireless QoS Vision
• SpectraLink Voice Prioritization (SVP)
–Prioritizes IP voice traffic in AP queue
–User configurable beacon period helps determine voice quality
Committed ServicesCommitted Services
Wireless QoS Vision (cont.)Wireless QoS Vision (cont.)
• Extend existing 802.11 QoS services
–Utilize and enhance Point Coordination Function (PCF)
•Standards-based
•Backwards compatibility, investment protection
•Time-to-market
• Integration with existing IETF & IEEE standards•Integrated Services over Specific Link Layers (ISSLL)
•802.1(p) priorities
Services in ProcessServices in Process
Proposal for Enhanced Wireless Proposal for Enhanced Wireless QoSQoS
• Better to approach it as an integrated system•Address queue management in the infrastructure devices
– Contention-free period can only be sustained if the queues on the access point or stations are adequately managed
•Address medium access limitations to ensure access
– Chicken-egg problem; polling to manage medium access – potential contention to get on polling list
•Address unlicensed band regulations
– Some regulatory domains do not allow constant occupancy by one device
•Maximize investment protection
– While also acknowledging that some legacy devices may require an enhanced DCF
• Systems always spend some time in the DCF
Wireless QoS SummaryWireless QoS Summary
• Simple but efficient
–Easy to implement
–Good support for legacy stations
–Inline with what is standardized by other workgroups and standardization bodies
• Simulations will prove concept
• Some ‘loose-ends’ need to be worked out
Additional Network Services: Additional Network Services: Load BalancingLoad Balancing
• AP’s configured for load sharing use different RF channels in coverage area
• Policy based on number of users, bit error rate, or signal strength
Channel 1
Channel 6
Additional Network Services: Hot Additional Network Services: Hot StandbyStandby
• AP’s co-located for hot standby use SAME RF channel in coverage area
• Standby AP acts as probe for monitoring and management
Active Standby
Channel X
Channel X
Summary: Vision for Mobile Summary: Vision for Mobile ConnectivityConnectivity
Channels
Products
Solutions
Partners
• Offer key services to accommodate wireless data, voice and video that is:
–Secure
–Manageable
–Scalable
–Delivers improved Price/Performance
• Preserve customers investment in existing WLAN infrastructure
• Partner to enhance wireless hardware and software solutions for customers
802.1802.1X Security ArchitectureX Security Architecture
Controlled port:Data traffic
Open port: Authentication traffic
User Client/Supplicant
Authentication ServerAuthentication
Client/Control Point
Pieces of the system.
EAP ArchitectureEAP Architecture
EAPEAPLayerLayer
MethodMethodLayerLayer
EAPEAPEAPEAP
TLSTLSTLSTLS
MediaMediaLayerLayer
NDISNDIS
APIsAPIs
EAP EAP
APIsAPIs
PPPPPP 802.3802.3 802.5802.5 802.11802.11
IKEIKEIKEIKEGSS_APIGSS_APIGSS_APIGSS_API
802.1802.1X Security ServicesX Security Services
Supplicant Authentication ServerAuthentication client/control point
Cisco/Microsoft
Cisco/Microsoft, etc.Cisco
Device Mini-certificate (MD5/PAP-CHAP)
Future 802.11 supplicant for Win2K/WinCE 3.0(User authentication options)
Radius server available from Cisco
Future enhanced servers available from others
Non-IP communications until device authenticated
Authentication ProcessAuthentication Process
Normal Data
Authentication traffic
Wireless laptop Radius ServerAccess Point
Authentication traffic Radius traffic
Wireless client assoc. at 802.11 layer. Data blocked by AP.
Access Point blocks everything except authentication traffic.
The authentication traffic is allowed to flow. The Access point relays authentication traffic.
Authentication Process cont.Authentication Process cont.
Normal Data
Authentication traffic
Wireless laptop Radius ServerAccess Point
Radius traffic
Wireless client mutually authenticates with Radius Server
Client receives grant WEP key.
Client stack is initiated. DHCP request and subsequent traffic is encrypted with session key
Authentication traffic
Radius server authenticates client and creates a WEP key.
AP receives grant and key. Key is installed in data base and normal data is forwarded to client
Authentication Process cont.Authentication Process cont.
Normal Data
Authentication traffic
Wireless laptop Access Point
802.11 traffic IP traffic
Wireless client and AP use WEP key. AP allows traffic to flow.
AP pre-authenticates client for intra subnet roaming
Secure traffic. No performance impact
EnterpriseIntranet
Future User Authentication for Future User Authentication for non- EAP/802.1x Clientsnon- EAP/802.1x Clients
• Options under consideration
–Device level authentication w/passwords
•Create APIs to pass username and password to LEAP
• For generic support, statically assign username and password into card.
–This becomes device security.
Pre-Authentication for RoamingPre-Authentication for Roaming
APs multicast keys of authenticated clients as part of Inter Access Point Protocol (IAPP)
Pre-authentication m-casts encrypted
APs cache pre-authenticated clients (1000s of entries).
Pre-Authentication and RoamingPre-Authentication and Roaming
Roam from AP1 to AP2
AP2
AP1
Disassociation
Pre-auth
When roam occurs, AP1 sends a disassociation notice.
AP2 associates client, cached key and retrieves queued data from AP1.