Implementing HP MSM
Wireless Networks
HP ExpertOne
Rev. 14.21
Course #: 00886659
Part #: 00886659S11404
HP Employee self-study use only. Reproduction or transfer outside of HP in whole or in part is prohibited.
The information contained herein is subject to change without notice. The only warranties for
HP products and services are set forth in the express warranty statements accompanying
such products and services. Nothing herein should be construed as constituting an additional
warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
This is an HP copyrighted work that may not be reproduced without the written permission of
HP. You may not use these materials to deliver training to any person outside of your
organization without the written permission of HP.
Printed in United States of America
Implementing HP MSM Wireless Networks, Rev. 14.21
Learner guide volume 1
April 2014
Contents
TKIP key distribution: two-way handshake for group key ... 4-35
WPA2 (802.11i) ... 4-36
  Strong encryption ... 4-36
  Encryption-based integrity ... 4-36
  Authentication ... 4-37
  Requirements ... 4-37
CCMP/AES ... 4-38
CCMP/AES (cont.) ... 4-39
  AES counter mode encryption ... 4-39
  MIC for data integrity ... 4-40
  Hole 196 ... 4-40
WPA/WPA2 compatibility ... 4-42
Dynamic WEP ... 4-43
Activity: Advantages of using WPA2 ... 4-45
Configure 802.1X on the MSM Controller ... 4-46
  Configuration decisions ... 4-46
  Best practices ... 4-47
Bind the VSC to an AP group ... 4-49
Lab Activity 4.1 ... 4-50
Lab Activity 4.1 debrief ... 4-51
Discussion topics ... 4-52
WPA/WPA2-PSK (personal mode) ... 4-53
Failed WPA/WPA2-PSK handshake ... 4-54
Activity: Advantages and disadvantages of using WPA/WPA2-PSK ... 4-55
Discussion topics ... 4-56
Web-Auth overview ... 4-57
Activity: Advantages and disadvantages of using Web-Auth ... 4-58
  Advantages of Web-Auth ... 4-58
  Disadvantages of Web-Auth ... 4-58
Discussion topics ... 4-60
MAC-Auth overview ... 4-61
Local MAC-Auth ... 4-62
RADIUS MAC-Auth ... 4-63
Activity: Advantages and disadvantages of using MAC-Auth ... 4-64
Configuring MAC-Auth on the MSM Controllers ... 4-66
Lab Activity 4.2 ... 4-67
Lab Activity 4.2 debrief ... 4-68
Discussion topics ... 4-69
Static WEP ... 4-70
  Encryption ... 4-70
  Authentication ... 4-70
Shared-key WEP ... 4-71
  Shared-key authentication process ... 4-71
  Vulnerability of shared-key WEP ... 4-72
Open-key WEP ... 4-73
Course overview
The Implementing HP MSM Wireless Networks course is designed to help network
administrators learn how to implement HP MultiService Mobility (MSM) wireless
solutions. In this course, you will learn about the 802.11 standard, which governs how
Access Points (APs) establish wireless networks and stations associate with those APs.
You will also learn about coverage and capacity and the factors that affect both, and
you will examine the security options for wireless networks.
In addition to learning about the standards and technologies that provide the
foundation for wireless networks, you will learn about the HP MSM products,
including MSM Controllers and APs. Specifically, you will learn how to complete the
initial setup and configure Virtual Service Communities (VSCs) that support user
groups such as employees and guests. (As you will learn in this course, a VSC is a
group of configuration settings that define key operating characteristics for the APs
and controller. These settings include those typically defined for a WLAN, such as
the Service Set Identifier [SSID] and related security settings as well as other settings
such as: Quality of Service [QoS] settings, DHCP server settings, advanced security
settings such as wireless security filters, and many others.)
You will also learn about the many options the MSM Controllers provide for public or guest networks and begin to practice implementing them. And you will determine how to configure MSM APs and MSM Controllers to forward users' traffic as required by the company.
In addition, you will learn how to configure:
Course objectives
After completing this course, you should be able to:
Course Introduction
Course agenda
Day 1
Day 2
Day 3
Module 6: VLANs
Day 4
Supplement
At the end of the Learner Guide volume 2 you will find supplemental information on the MSM
6.0 software release. This content will not be covered in the HP2-Z32 exam. It is included so
you have specific information about the latest major MSM software release.
Figure Intro-2: HP ASE - FlexNetwork Architect V2 and HP ASE - FlexNetwork Integrator certification
Module 1: HP Mobility Solutions
Objectives
This module introduces the HP mobility products, including MultiService Mobility
(MSM) Controllers and access points (APs). It also outlines the wireless LAN (WLAN)
architectures these products support.
After you complete this module, you should be able to:
Product overview
Wireless technologies offer both networking and end-user flexibility. For example, with
wireless networks, you can more easily reconfigure office space because you do not
need to install or move existing wiring. Wireless technologies also help employees and
guests be productive no matter where they work.
HP offers two types of devices for establishing a wireless network:
Figure 1-2: Discussion topics (HP MSM Controllers, HP APs, Security and management, WLAN architectures)
HP MSM Controllers
MSM Controllers enable you to centrally manage and control HP's intelligent MSM APs. For large, geographically distributed WLANs, controllers eliminate the time-consuming process of separately configuring and managing numerous APs. Instead, you can use a single management interface to configure and manage an entire group of APs.
In addition, MSM Controllers allow you to automate software updates and to configure a consistent set of services and policies, including quality-of-service (QoS) and security policies, across the entire WLAN.
HP offers four MSM controllers:
HP MSM720
HP MSM760
HP MSM775 zl
As shown in the figure above, the MSM720 and MSM760 are appliances, while the MSM775 zl is a module that is installed into an HP 5400 zl or 8200 zl Series Switch. You can install up to four MSM775 zl Controllers in one 5412 zl or 8212 zl switch. You can also install up to four MSM775 zl controllers in one 5406 zl switch; however, to operate at up to 50 °C, only three modules, in the left side of the chassis, are supported. (Check the installation guide for more details.)
The MSM760 has two RJ-45 10/100/1000 ports, which can be used to connect it to the network. Similarly, the MSM775 zl has two 10 GbE internal ports, which connect it to the switch backplane. On these controllers, one port is designated as the LAN port, and one port is designated as the Internet port. The MSM720, on the other hand, has four RJ-45 10/100/1000BASE-T ports and two RJ-45 10/100/1000 dual-personality ports. You will learn how to connect and configure these ports in Module 2.
Figure: MSM720, MSM760, and MSM775 zl controllers
In addition to offering flexible licensing options for controlled APs, HP allows you to
purchase controllers based on the features that you need.
The MSM720 and MSM760 are available as access controllers. Access controllers
allow you to manage controlled APs and offer a core set of features. Further
elaborated in the next few pages, the core features include, among others:
Some companies need to add advanced features to the core set. The advanced
mobility features, supported by Mobility or Premium Mobility controllers include:
Fast roaming: As you will learn later in this course, the most secure way to protect access to a wireless or wired network is 802.1X authentication. On a wireless network, you must also add Wi-Fi Protected Access (WPA) or WPA2 to encrypt the transmissions and protect them from eavesdropping.
Although 802.1X provides the tightest security, it has one downside: it slows down the roaming process when users must roam from one AP to another. Fast roaming reduces the latency of roaming for 802.1X.
Layer 3 roaming: Stations can roam between two APs that support the same SSID (WLAN). Layer 3 roaming becomes necessary if a station moves between two APs that support the same SSID but bridge the wireless traffic onto different VLANs (or subnetworks) on the wired network. You will learn more about Layer 3 roaming later in this course.
Ability to control exactly where traffic is bridged onto the wired network: Some companies need more flexibility in how traffic is bridged onto the wired network. For example, they may want to ensure that users' traffic is placed in certain VLANs, but those VLANs have not been extended across the network. Rather than reconfiguring the network, those companies may want their wireless solution to handle the way traffic is distributed onto the wired network.
The premium capabilities, which the Premium Mobility controllers add to the core and
mobility features listed above, include:
Large number of SSIDs: Some companies may need a high number of SSIDs (or WLANs). Premium Mobility controllers support up to 64 Virtual Service Communities (VSCs). You will learn more about VSCs on the following page.
Teaming: This license also allows companies to combine controllers in teams, which provide:
HP offers several mobility and premium mobility controllers, which provide the
functionality to fulfill these requirements:
The next few pages describe the features provided by access, mobility, and premium mobility controllers.
Figure: Overview of access controllers' key features (centralized management of APs, DHCP server, QoS solutions)
The MSM720 and MSM760 access controllers can manage different numbers of APs, but they all support the same key features, many of which are listed below.
Figure: Overview of access controllers' security features (RADIUS authentication through an internal or external RADIUS server, Microsoft AD authentication, secure management access, firewall, ACLs and security filters, NAT)
The controllers also provide comprehensive security, including, but not limited to, the
following features:
Figure 1-7: Overview of mobility and premium mobility controllers key features
The mobility and premium mobility controllers provide all the features that the access
controllers offer plus the following:
Fast roaming: This feature speeds up the roaming process for stations that authenticate to VSCs secured by 802.1X with WPA/WPA2. You will learn more about the specific actions APs and the controllers take to accelerate this roaming later in this course.
Mobility traffic manager (MTM): MTM gives you complete control over where each user's traffic is distributed into the Ethernet network. It also supports Layer 3 roaming.
MTM assigns each user to a home network based on a variety of settings, including identity-based policies. It then helps the MSM APs determine whether the user's traffic can be distributed locally or whether it must be tunneled to the controller.
Thus, this feature delivers complete flexibility and efficiency to the architecture. Users can connect wherever they need to connect yet always retain a consistent IP address in their assigned home networks. For efficiency, APs forward traffic locally when they can, but, when necessary, they tunnel the traffic to the controller for distribution. All this occurs seamlessly, with users only aware that they can connect wirelessly and receive access to the resources that they need.
For example, in the following figure, User A's home network is Network 1. User A can connect to any AP, and the user's traffic is always forwarded on the correct network. The APs on the left of the figure can forward the user's traffic locally, while the APs on the right tunnel the traffic to the controller. But in either case, the MSM solution connects the user to the correct home network. In addition, if the user roams from one AP to another, MTM ensures that the user remains connected to the home network.
Figure 1-8: Overview of mobility and premium mobility controllers key features
MTM is not covered in this course. If you want to know more about this feature,
attend the Master Accredited Solution Expert course, HP Enterprise Wireless
Networks.
Premium mobility controllers also offer:
Below you will find descriptions of four organizations that need an MSM Controller to
manage a certain number of APs. Use what you have learned about the MSM
Controllers to recommend an MSM Controller, based on the information that is
provided. Sometimes more than one solution might fit the needs; what is most
important is that you can make a reasonable selection that you can justify.
1. A business estimates that it will need at least 12 APs on each floor of its five-floor office building to provide adequate wireless coverage. The senior IT manager wants to eliminate a single source of failure and ensure that the wireless network is always available. The business is using HP switches, including the 3500-48G-PoE+, 5412 zl, 6600-24G, and 8212 zl switches. Which HP MSM Controller(s) would you recommend for this organization's wireless solution? Why?
_______________________________________________________________________
2. The IT manager for a medical office building estimates that she will need at least 10 APs on each floor of a five-floor office building to provide adequate wireless coverage. The office building is currently using the following HP switches: 5800-48G with 2 slots, 5500-24G, and 10508 switches. Which MSM Controller would you recommend for this medical office building? Why?
_______________________________________________________________________
3. A medium-sized business plans to have 200 employees working in a large, one-floor warehouse. Because the business wants the flexibility to reconfigure this space as needed, the IT manager plans to provide these employees with wireless access, so the wireless network must be reliable. The business estimates that it will need 30 APs to provide adequate coverage. Which HP MSM Controller(s) would best meet this business's needs? Why?
_______________________________________________________________________
4.
_______________________________________________________________________
Figure: Discussion topics (HP MSM Controllers; HP APs: AP operating modes, HP MSM AP models: 802.11n, HP MSM AP models: 802.11a/b/g, Other AP models, HP M111 Client Bridge Series, HP MSM317 Access Device; Activity: Name the models)
AP operating modes
Typically, APs operate in one of two modes:
Autonomous
Controlled
As the name suggests, autonomous mode means that you manage the AP as a standalone AP. That is, you access the AP's management interface (whether Web browser interface or command line interface) and configure the settings needed for just that AP. Autonomous mode is generally used for small companies or branch offices that need just a few APs or do not have any immediate plans to expand the wireless network to include more APs.
Autonomous APs might also work well for companies that need a few APs that provide network coverage outdoors, such as in a retail environment or at an airport. HP provides ruggedized APs, as you will learn later in this module.
When APs operate in controlled mode, you use a controller's management interface to centrally configure and manage the APs. By automating AP configuration and management, controlled mode simplifies the process of applying a consistent set of security and quality-of-service policies across WLANs. Controlled mode also reduces deployment and management costs.
The MSM APs can operate in either autonomous or controlled mode. By default, the MSM APs operate in controlled mode, but you can access an AP's Web browser interface to switch its operating mode to autonomous mode. (The MSM317 is the one exception to this rule. It does not include a web-based management interface of its own because it operates only in controlled mode.) When you are ready to expand your wireless network and add a controller, you can easily purchase a controller and configure your APs to operate in controlled mode.
Because the MSM APs operate in controlled mode by default, they must discover an
MSM Controller. You have a number of options for AP discovery, as you will learn
later in this course. For example, if both the APs and MSM Controller are on the same
subnet, they will automatically discover the controller. Once the APs discover the
controller, the controller immediately provisions the APs with a software version that
matches its own and sends the APs the appropriate configuration settings.
HP APs
Figure: HP APs (indoor and outdoor 802.11n APs, indoor 802.11a/b/g AP, other APs)
HP provides a variety of MSM APs, each of which offers a unique set of features. Basic
categories include:
The MSM AP model numbers indicate which 802.11 standards each AP supports and
how many radios it has:
If the model number begins with a four (4), the MSM AP supports 802.11n (as well as a/b/g).
If the AP model number begins with a three (3), the MSM AP supports 802.11a/b/g.
The second digit in the MSM AP model number indicates how many radios the model provides. The third digit indicates whether the AP provides sensor capabilities for working with RF Manager, HP's wireless IDS/IPS. A 0 indicates no sensor capabilities, and a 5 indicates the ability to act as a sensor.
For example, the MSM310 supports 802.11a/b/g and has one radio.
The higher-end 4xx models make an exception to the rule about the second digit. The
HP 425, MSM430, MSM460, and MSM466 all have two radios. However, they
support additional spatial streams and the higher 802.11n data rates.
Like MSM Controllers, MSM APs have a great deal in common. All bring intelligence to
the network edge, offer multiple network services and high performance, and enforce
security. They also support plug-and-play deployment (automatic configuration) and work
in controlled mode with MSM Controllers.
In addition, most MSM APs work in autonomous mode (without a controller).
These Wi-Fi Alliance certified 802.11 a/b/g/n APs provide the following capabilities:
Radio:
Security:
EAP-SIM
EAP-FAST
EAP-TTLS
EAP-TLS
PEAP
Note
You will learn more about 802.1X and these different types of EAP later in this
course.
MAC-Auth
Web-Auth
Encryption:
Lifetime warranty for indoor HP 425, MSM430, MSM460, MSM466 and a 1-year warranty for outdoor models (check the HP networking support web site for details about what the warranty covers)
QoS:
WMM
802.1p
SVP
DiffServ
VSCs: MSM 802.11n APs support up to 16 VSCs. You can configure each VSC separately to support a variety of QoS and security profiles, including policies based on the Wi-Fi Multimedia (WMM) specification and 802.11e standard. (You can configure the VSC on a controller if the AP is running in controlled mode or on the AP itself if it is running in autonomous mode.)
VoIP: The APs support a maximum of 12 active VoIP calls on 802.11a/b/g/n.
Diagnostics: HP's MSM 802.11n APs log client events such as authentications and DHCP events. The APs also include a packet capture tool for Ethernet and 802.11 interfaces, and a data-rate matrix.
Multiple-input multiple-output (MIMO): The MSM410 supports two spatial streams and MIMO, one of the technologies that helps 802.11n deliver higher performance than other 802.11 standards. The HP 425 and MSM430 also offer two spatial streams and 3x3 MIMO. Finally, the MSM460 and MSM466 support three spatial streams and 3x3 MIMO. Three spatial stream MIMO allows for 450 Mbps of signaling per radio, which in turn represents a performance increase of more than 50 percent over APs using two spatial stream technology. You will learn more about MIMO and spatial streams later in this course.
Beamforming: The HP 425, MSM430, MSM460, and MSM466 support beamforming, which, if the client also supports the feature, can focus the signal between the AP and client. Thus this feature can provide better coverage for given areas and enhance performance at given distances from APs.
Band steering: The HP 425, MSM430, MSM460, and MSM466 also support band steering, which steers wireless clients to the 5 GHz band, the band that provides superior performance for 802.11n. In addition, the MSM466 is capable of running both radios in the 5 GHz band for even better performance.
Model   | Radios             | Port                  | Antennas | Power       | Plenum rating
HP 425  | Dual (a/n + b/g/n) | One RJ-45 10/100/1000 |          | 802.3af PoE | Yes
MSM430  | Dual (a/n + b/g/n) | One RJ-45 10/100/1000 |          | 802.3af PoE | Yes
MSM460  | Dual (a/n + b/g/n) | One RJ-45 10/100/1000 |          | 802.3af PoE | Yes
MSM466  | Dual (a/b/g/n)     | One RJ-45 10/100/1000 |          | 802.3af PoE | Yes

Model    | Radios                                                           | Port                  | Antennas | Power       | Operating temperatures
MSM466-R | Dual (a/b/g/n; run both radios at 5 GHz for optimal performance) | One RJ-45 10/100/1000 |          | PoE or PoE+ | -40 °C to 55 °C (-40 °F to 131 °F); for -20 °C, 802.3at (PoE+) required for embedded heater
For a list of HP external antennas that each AP supports, visit the HP networking web
site at:
http://www.hp.com/networking
Select ACS, which allows each radio to select a channel with the least
interference on power-up and continuously improve channel selection based
on background interference
Security: These APs support 802.1X authentication with EAP-SIM, EAP-FAST, EAP-TLS, EAP-TTLS, and PEAP. They also support MAC-Auth and Web-Auth. To protect wireless transmissions, they support industry-standard wireless encryption standards, including WPA2 and WPA and the legacy WEP.
QoS:
WMM
802.1p
SVP
DiffServ
Lifetime warranty: HP provides a warranty for these APs for as long as you own the product, with next-business-day advance replacement (available in most countries). For the software, HP generally provides a 1-year warranty. You should refer to the HP networking support site for details and up-to-date information.
VSCs: MSM 802.11n APs support up to 16 VSCs. You can configure each VSC separately to support a variety of QoS and security profiles, including policies based on the Wi-Fi Multimedia (WMM) specification and 802.11e standard. (You can configure the VSC on a controller if the AP is running in controlled mode or on the AP itself if it is running in autonomous mode.)
VoIP: The APs support a maximum of 12 active VoIP calls on 802.11a/b/g/n.
Two RJ-45 10/100 ports: The MSM310 can bridge traffic between its two ports, so customers can connect one port as the uplink port and use the second port to connect a wired device.
Columns: Radios, Ports, Antennas, Power, Plenum
MSM310: Radios: Single (a/b/g). Ports: Two RJ-45 10/100. Power: PoE or power supply*. Plenum: Yes.
Other AP models
MSM110
MSM313
HP M110
You can configure this entry-level access device to operate as an access point, a
wireless distribution system (WDS) bridge, or a full-spectrum 802.11 WLAN monitor.
The M110 operates in autonomous mode and supports up to two VSCs, each with
independent VLAN and wireless security profiles. It is plenum-rated and powered by a
PoE source. The M110 access point is Wi-Fi Certified for WPA2, WPA, and WEP
security and has hardware-assisted Advanced Encryption Standard (AES) and RC4
encryption.
This device provides the following features:
PoE support
QoS:
802.1p prioritization
WMM
Security:
Authentication:
MAC-Auth
Encryption:
WPA2 (AES)
WPA
WEP
Plenum rated
Centrally manageable
HP MSM313
Nicknamed "hotspot in a box", the HP MSM313 is designed to simplify the task of setting up a wireless network for small companies that need a guest access solution in addition to wireless access for employees. These devices allow you to implement centralized access control for guests and to control what these users can reach through the wireless network. You can handle employee access differently, allowing these users to access network resources.
This device provides the following features:
Integrated DHCP server (default) or client (APs are configured as clients by default)
Security:
Authentication
MAC-Auth
Web-Auth
Encryption
WPA/WPA2
WEP
QoS:
WMM
SVP
802.1p
DiffServ
PoE support
HP M111 Client Bridge Series
HP also provides a solution for organizations that want to connect legacy Ethernet or
serial devices to their WLANs. For example, an organization might want to connect a
fax machine to its WLAN so wireless users can send faxes.
Instead of upgrading its legacy fax machine, this organization can connect it to the
HP M111 Client Bridge, which provides a wireless signal that allows access via the
WLAN.
This device provides the following features:
Support for a wide range of wired devices (DECnet, IPX, AppleTalk, and others)
An 802.1X supplicant
HP MSM317 Access Device
As mentioned earlier, the MSM317 operates only in controlled mode. This device
requires one of the MSM Controllers for both configuration and operation. It integrates
an AP with four managed 10/100 Ethernet switch ports and includes a pass-through
port for digital phone service. Ideal for small businesses with little or no networking
experience and for businesses that want to provide wireless services in discrete areas,
such as hotel rooms, the MSM317 fits within the space of a standard electrical wall
outlet. AP features include:
You can configure one of this AP's Ethernet ports as an 802.3af-compliant PoE port for wired devices such as IP telephones and security cameras. Each MSM317 provides up to 440 square feet (41 square meters) of WLAN coverage, contingent on proper deployment, free of obstacles placed directly in front of the device.
Note
You do not have to install AP licenses to manage MSM317 APs. The controllers
can manage any number of MSM317 APs, as long as the controllers do not
exceed their maximum number of controlled-APs.
Activity: Name the models
Which MSM 802.11a/b/g and 802.11n models fit in each category? (Outdoor, Single radios, Dual radios)
Figure 1-18: Activity: Name the models
In this activity, you will complete the following table using information provided in this
module. Your facilitator may ask you to work individually or in a group. One of the
dual-radio APs is provided for you.
Be prepared to share your results with the class.
Outdoor: _________
Single radios: _________
Dual radios: __MSM466__, _________
Discussion topics
HP MSM Controllers
HP APs
HP RF Manager
HP MSM415
HP IMC and WSM
WLAN architectures
Figure 1-19: Discussion topics
HP RF Manager
Wireless IDS/IPS
Works with sensors to detect vulnerabilities and attacks
The HP RF Manager Controller works with HP MSM415 and HP AirProtect 5750 and SS-300 security sensors to detect and prevent wireless intrusions and threats, such as threats from rogue APs, denial-of-service (DoS) attacks, and WEP-cracking attacks. This device analyzes the wireless traffic samples its sensors collect to:
HP MSM415
802.11 a/b/g/n radio
Scans wireless network, looking for suspicious behavior
WLAN configuration
Wireless topology management
The final component of the HP mobility solutions is the one that helps you deploy and manage the others more efficiently.
HP Intelligent Management Center (IMC) provides centralized management for a company's complete networking solution, from switches and routers to MSM Controllers and APs. IMC even supports thousands of other vendors' products so that companies with heterogeneous environments can manage all of their solutions from a single interface.
Wireless Services Manager (WSM), one of several modules that can enhance IMC's capabilities, delivers unified wired and wireless management. As of version 5.1, IMC and WSM can manage both autonomous MSM APs and APs that are part of a controlled MSM solution. Management capabilities include:
WLAN configuration
AP group management
Wireless statistics
Client association monitoring
Other reports
HP WSM collects statistics from across all managed wireless devices, consolidating
and analyzing them so that you can discover at a glance vital information about your
network.
Some of the information collected includes:
These examples illustrate just some of the tasks that WSM helps you to perform and
just some of the information that it places at your fingertips.
Discussion topics
HP MSM Controllers
HP APs
Lab Activity 1
You will now consider the WLAN architectures that MSM Controllers support.
Activity: Explore the architectural possibilities
Meet in groups
Answer the questions
The next several slides detail several types of architecture, which provide different possibilities for how users authenticate and how their traffic is bridged from the wireless network to the wired network. After you learn about these architectures, you can compare and contrast them using the questions below.
2. Through what device (or devices) do you manage APs in this architecture?
3.
4. Which devices are involved in forwarding wireless users' traffic onto the wired network?
5.
6.
2. Through what device (or devices) do you manage APs in this architecture?
3.
4. Which devices are involved in forwarding wireless users' traffic onto the wired network?
5.
6.
Centralized WLAN architecture
The controller manages all traffic.
All traffic travels through the controller.
Optimized WLAN architectures
Use APs to enforce user authentication to an external server and to bridge users' wireless traffic directly onto the wired network
Use the controller to enforce user authentication (to a local database or an external server), but allow APs to forward authenticated users' wireless traffic directly onto the wired network
Use the controller to handle both users' authentication and the forwarding of all wireless user traffic onto the corporate LAN
Distributed forwarding
As you will see when you begin implementing VSCs in the labs for this course, you can configure how traffic is handled for each VSC. That is, one VSC might be configured with centralized access control, which means the AP forwards all authentication and wireless users' traffic to the controller. For another VSC, the AP may handle authentication requests and forward traffic directly onto the wired network.
For all architectures, management traffic flows between the controlled AP and the
controller. How the APs and controller handle user traffic, as well as traffic related to
authenticating users, relates to the type of VSC.
Lab Activity 1
In this lab, you will begin to set up the wired network that you will use in this lab. You will also reset the MSM Controllers so that you can begin configuring them in the next lab.
Key insights
Summary
This module introduced MSM Controllers and APs.
Flexible licensing options that enable you to add APs and features as needed
With the exception of the M110 and the MSM317, these APs can operate in
autonomous or controlled mode.
The MSM Controllers and APs support an optimized WLAN architecture. You can
configure how authentication and wireless traffic is handled for each VSC, selecting
one of the following options:
Distributed forwarding
Learning check
Answer the following questions:
1.
MSM410
b. MSM466
3.
Objectives
This module explains how traffic flows through an HP MSM Controller, providing
guidelines and best practices for deploying the controller in a variety of
environments. After completing this module, you should be able to:
Discussion topics
To deploy an MSM Controller properly, you must plan how to connect the controller
to other network infrastructure devices. Which MSM720 ports should you connect?
On other MSM Controllers, should you connect the LAN port, the Internet port, or
both? Should the port connect to a switch port that has an untagged VLAN
assignment, or should you send traffic that is tagged for particular VLANs to the
controller? On the controller side, how do you map IP addresses to VLANs and
VLANs to ports?
To answer these questions and create the best plan for a particular deployment, you
must understand the controller ports and network. In particular, you require a good
understanding of how the controller processes incoming traffic depending on the port
and VLAN on which it arrives. The first section of this module provides some answers;
you will continue to expand your understanding of controller ports and networks as
you learn about more features of the controllers throughout this course.
MSM710, MSM760, MSM765 zl, or MSM775 zl ports
Two ports: Internet and LAN
Routed
Different subnets
The LAN port has an IP address of 192.168.1.1/24. The Internet port uses DHCP. If it
receives a default gateway with the DHCP settings, it adds the gateway as a default
route in its global table. You can also configure a static IP address on the (untagged)
Internet port interface, or disable its IP settings entirely. The (untagged) LAN port
interface always requires a static IP address.
For these default profiles, match the IP settings to the connected switch port's untagged VLAN. For example, if the Internet port requires an IP address in the VLAN 50 subnet, connect the Internet port to a switch port that is untagged for VLAN 50.
WARNING
Never assign an IP address in the same subnet to two different MSM Controller
IP interfaces. Doing so creates a routing loop that might lock you out of the
controller and cause other issues.
The controller associates the default profiles with specific functions, which are
described in a schematic just a bit later. For this reason, you cannot delete these
profiles nor remove them from the controller ports.
MSM765 zl and MSM775 zl internal ports
The HP zl switch can then receive traffic from the MSM775 zl Internet port on VLAN
11 and switch that traffic to any of its other ports in that VLAN. The switch can also
receive the traffic on its own VLAN 11 IP interface, if it has one.
The MSM775 zl and zl switch internal ports are permanently connected. As you investigate standard MSM solution deployments, you will learn that in some circumstances, you only want to use one of the ports. To simulate disconnecting an MSM775 zl's Internet port, you disable the <slot>1 interface.
However, the situation is a bit more complicated for an MSM775 zl's LAN port. In addition to carrying network traffic to the controller's LAN port, the <slot>2 port carries Services Management Agent (SMA) communications between the MSM775 zl module and the switch. These communications enable the switch to detect the module's status and to support the controller's CLI, which you access by entering services <slot> name msm775-application from the switch's global configuration mode.
The communications also deliver the clock to the MSM775 zl. When configuring the
MSM775 zl, you will notice that the settings in its Controller >> Management >
System time window are disabled. You should make sure that the switch
administrator sets the clock on the switch, preferably to a Simple Network Time
Protocol (SNTP) server.
For all of these reasons, you must never disable the <slot>2 port. Keep this rule in
mind as you learn about deploying the MSM Controllers. You might decide to adjust
your plan to incorporate the LAN port. The figure shows an example in which the
controller has IP interfaces for profiles mapped to the LAN port. The connected switch
port carries tagged traffic to these interfaces. The port does not carry untagged
traffic, so the untagged LAN port network, although not the LAN port itself, is
effectively disconnected. If you do decide to use an Internet-port-only deployment, in
which the LAN port does not receive either untagged or tagged traffic, you will need
to isolate the <slot>2 port in an unused VLAN rather than disable the port.
MSM Controller schematic
With this general background in controller ports, you can move on to examining how
the controller passes traffic received on its default (untagged) interfaces to its internal
functions. You will examine the schematic above from various angles throughout this
course as you turn your attention to one function or another.
For now, you must understand that the untagged interfaces have specific functions:
The controller can pass traffic from either untagged interface to its management
functions. (The next slides explain how to enable these functions on interfaces.)
This traffic does not interact with the access controller, router, bandwidth
controller, NAT, or firewall. In other words, it is separate and secured from the
client traffic passing through the controller.
Similarly, the controller can pass traffic from the management tunnel established with an AP to its AP Controller, provided that AP discovery is enabled on the interface. Again, the AP management traffic is separate and secured from other traffic, such as that from access-controlled clients or mobility clients.
Figure 2-5: Exploring how the MSM Controller handles incoming traffic
You will now verify that you understand the schematic by beginning to explore various types of traffic that might arrive on a controller's ports.
First, you will examine how the controller handles traffic that is destined to its own IP
address on one of its interfaces. This traffic might be related to several different
functions including AP management or management of the controller itself. You will
examine this traffic on the next several slides.
Controllers may also receive traffic from or to access-controlled clients. This type of
traffic might be received on any controller interface. To understand how the controller
handles this traffic, you must understand VSCs, client data tunnels, and various
security mechanisms. Therefore, you will wait until Module 5: Guest Solutions for
an in-depth look. However, because the controllers (untagged) LAN port network
can immediately start associating traffic with the default access-controlled VSC, you
will consider this type of traffic briefly in this module.
Note
The MSM Controller can also receive and handle tunneled traffic from mobility
clients. The Mobility Traffic Manager (MTM) feature is discussed in the HP
Enterprise Wireless Networks course.
The controller recognizes that the traffic is destined for the Web browser interface by
the TCP port. By default, the well-known HTTP and HTTPS ports (80 and 443,
respectively) map to the Web browser interface. When the controller receives traffic
destined to one of its IP addresses on one of these TCP ports, it checks whether
management is permitted on the interface on which the traffic has arrived. If so, the
controller displays the Web browser interface login page, first redirecting HTTP traffic
to HTTPS for extra security.
You configure the permitted interface list, as well as other settings related to the Web browser interface, in the controller's Controller >> Management > Management tool window. By default, access is allowed on both the (untagged) Internet port and LAN port interfaces.
You can also specify a list of allowed source addresses for the HTTP or HTTPS requests; if the list is empty, the controller allows any IP address. However, as soon as you add one IP address to the list, only IP addresses in the list can reach the controller's Web browser interface.
In addition to adjusting the interfaces on which management is allowed and the
permitted source IP addresses, you can configure the TCP ports that map to the Web
browser interface. For example, you could change the HTTP and HTTPS ports to
8010 and 8020. Then you would have to browse to http://<controller IP
address>:8010 or https://<controller IP address>:8020 to access the Web browser
interface.
Finally, remember that the controller only provides routing for other devices when the traffic is destined to or received from an access-controlled client (that is, when it passes through the Access Controller engine). Therefore, the HTTP or HTTPS request for the controller's Web browser interface must arrive on the IP interface with the address to which the request is destined. A management station can reside on a different VLAN from the controller's management interface, but another device must route the traffic to the correct subnet for the controller interface.
On the other hand, the controller does perform routing for its own traffic. Therefore,
you must verify that the controller has a route back to any subnet from which you
want to access it. Typically, a default route works, but you can define multiple static
routes on the controller.
Note
You can specify a separate management IP address for the untagged LAN port
network (or Access network) interface. In this case, the controller will route any
traffic received on that interface to the management address.
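The access decision described above, written out as an added example (not HP code): the interface names, addresses and ports are constructed, while the default ports, the empty-list-means-any rule, the HTTP-to-HTTPS redirect and the "must arrive on the interface that owns the address" rule follow the text.

```python
"""Model of the MSM Controller's management-tool access decision, added as an
example for this page (not HP code). Interface names, addresses and ports are
constructed; the default ports, the empty-list-means-any rule and the
HTTP-to-HTTPS redirect follow the course text."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class ManagementToolSettings:
    """Settings from Controller >> Management > Management tool (modelled)."""
    # interfaces on which management is permitted; defaults per the text
    permitted_interfaces: set[str] = field(
        default_factory=lambda: {"LAN port network", "Internet port network"})
    # allowed source addresses/prefixes; an empty list permits any address
    allowed_sources: list[str] = field(default_factory=list)
    http_port: int = 80     # redirected to https_port
    https_port: int = 443


def source_allowed(settings: ManagementToolSettings, src_ip: str) -> bool:
    """Empty list: any source. Otherwise the source must fall in one entry."""
    if not settings.allowed_sources:
        return True
    addr = ip_address(src_ip)
    return any(addr in ip_network(entry, strict=False)
               for entry in settings.allowed_sources)


def handle_request(settings: ManagementToolSettings, interfaces: dict[str, str],
                   ingress: str, dst_ip: str, dst_port: int, src_ip: str) -> str:
    """Decide what the controller does with a TCP request.

    interfaces maps each IP interface name to the controller's address on it.
    ingress is the interface on which the request arrived.
    """
    if dst_port not in (settings.http_port, settings.https_port):
        return "not management traffic"
    if dst_ip not in interfaces.values():
        return "not addressed to the controller"
    # The controller does not route for non-access-controlled devices, so the
    # request must arrive on the interface that owns the destination address.
    if interfaces.get(ingress) != dst_ip:
        return "dropped: arrived on wrong interface (controller does not route it)"
    if ingress not in settings.permitted_interfaces:
        return "dropped: management not permitted on this interface"
    if not source_allowed(settings, src_ip):
        return "dropped: source address not in allowed list"
    if dst_port == settings.http_port:
        return f"redirect to https://{dst_ip}:{settings.https_port}"
    return "login page"


if __name__ == "__main__":
    # constructed sample controller with two untagged interfaces
    ifaces = {"LAN port network": "192.168.1.1", "Internet port network": "10.0.0.5"}
    defaults = ManagementToolSettings()
    hardened = ManagementToolSettings(permitted_interfaces={"Internet port network"},
                                      allowed_sources=["10.0.0.0/24"],
                                      http_port=8010, https_port=8020)
    for s, name in ((defaults, "defaults"), (hardened, "hardened")):
        print(name, handle_request(s, ifaces, "Internet port network", "10.0.0.5", 80, "10.0.0.20"))
        print(name, handle_request(s, ifaces, "LAN port network", "192.168.1.1", 443, "172.16.0.9"))
```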
The table below lists the applications supported on the controller's IP interfaces and
the default protocols and ports associated with them. It also indicates whether you
can change the ports, whether you can choose the IP interfaces on which the traffic is
permitted, and whether you can choose the permitted source IP addresses.
Application | Default protocol and port | Default permitted IP interfaces | Configurable TCP or UDP port? | Configurable interfaces? | Configurable source IP addresses?
------------|---------------------------|---------------------------------|-------------------------------|--------------------------|----------------------------------
Web browser interface (Management tool) | TCP 80 (redirected to 443); TCP 443 | MSM720: Access network and Internet network. Other controllers: LAN port network and Internet port network | Yes | Yes | Yes
SNMP | UDP 161 | MSM720: Access network. Other controllers: LAN port network | Yes | Yes | Yes
SSH | TCP 22 | MSM720: Access network and Internet network. Other controllers: LAN port network and Internet port network | No | Configurable through the Management tool interfaces (the same interfaces are permitted for SSH) | No
SOAP | TCP 448 | MSM720: Access network. Other controllers: LAN port network | Yes | Yes | Yes
AP discovery | UDP 38212 | MSM720: Access network. Other controllers: LAN port, including any IP interfaces on the LAN port | No | Yes | No
AP management | TCP or UDP 1194 | Any interface | No | Configurable through the discovery interface (APs are always managed on the interface on which they are discovered) | No
Management with HP MM | (not shown on the page) | Any interface | No | No | Yes
(application name cut off on the page) | HTTP: TCP 8080; HTTPS: TCP 8090 | ... access-controlled clients. If NOC-based authentication is enabled, Internet port | Yes | No (any permitted) | Yes
GRE | IP protocol 47 | Any interface | Accepted from configured peer (applies to all three columns)
IPsec | ESP or AH | None configured by default | Accepted from configured peer (applies to all three columns)
The controller is a network infrastructure device that can process and forward traffic
that is not specifically destined to it. Specifically, the controller includes a Layer 3
router as you saw within earlier schematics.
However, you must understand that the controller does not function as a simple
router. That is, you cannot simply direct traffic to the controller and expect the
controller to route the traffic. Instead, the controller's routing functions relate to how it
forwards client traffic that it receives and maps to an access-controlled VSC.
You will study how the controller maps incoming traffic to access-controlled VSCs in
detail in Module 5: Guest Solutions. For now, you simply need to understand that
an MSM760 or MSM775 zl, by default, considers any traffic that arrives untagged
on its LAN port as part of the default VSC. Thus it considers any devices on those
networks as access-controlled clients, which need to authenticate.
As it attempts to capture and control traffic mapped to this VSC, the controller
exhibits the following behavior:
If you enable the DHCP server on the LAN port, the controller responds to all
untagged DHCP discovery requests received on the LAN port. The controller
assigns its own LAN port IP address to clients as their DNS server and typically
as the default gateway. Therefore, any clients that receive the controller's DHCP
offer begin directing DNS requests and traffic that needs routing to it.
The controller responds to DNS requests that are directed to it, of course. It can
also intercept requests that are directed to other DNS servers (if DNS
interception is enabled on it).
For several reasons that you will examine throughout this course, you might require
more IP interfaces than the default two. You might also require VLAN interfaces
without IP interfaces. The slide illustrates how you use network profiles to create
additional VLANs and IP interfaces on the physical controller ports.
Network profiles
An MSM Controller maintains a list of network profiles, each of which has a name
and an optional VLAN ID. You can create new network profiles in the Controller >>
Network > Network profiles window. However, a network profile does not have any
effect until you apply it. The controllers support multiple functions for their network
profiles, including assignment to APs to control how the APs forward traffic. But for
this module, you will focus on profiles that are mapped to the controller's own ports.
Although the VLAN ID is optional, you can only assign profiles with VLAN IDs to a
controller port. A port can only support one untagged profile, and the default,
permanently assigned profiles already fulfill that role. For this reason, the new profiles
that you assign to an MSM760 or MSM775 zl port always send and receive tagged
traffic. The connected switch port, of course, must support the VLAN as a tagged
VLAN.
Remember: the physical ports are routed ports. You cannot assign the same network
profile to both ports. In addition, although you can configure the same VLAN ID in
two profiles and assign them to different ports, you must understand what this means.
The MSM Controller does not switch traffic in that VLAN between the ports. Instead,
you should only set up the ports this way if the VLAN is truly associated with a
different subnet on each device connected to the two ports.
You can configure a default gateway IP address in the IP interface settings. If the
interface uses DHCP, it can also receive a default gateway IP address. However,
this gateway is not added as the next hop for a default route in the controller's
global list. Instead it is used for a special function about which you will learn in
Module 5: Guest Solutions. If you want to create a route through the IP
interface, you must define it globally in the Controller >> Network > IP routes
window.
The bandwidth controller only applies to interfaces that are associated with the
physical Internet port.
Note
You do not have to create an IP interface for every profile mapped to a controller
port. You will learn about some functions for VLANs without IP interfaces in later
modules.
You might hear about non-default IP interfaces associated with controller ports
referred to as tagged VLAN interfaces. On the MSM760 or MSM775 zl Controller,
this term is accurate. However, as you will see, on the MSM720, this rule does not
hold true. To eliminate confusion, this course will refer to the profiles as non-default IP
interfaces.
The controller can pass traffic from any IP interface to its management functions.
However, you must enable these functions on the IP interface separately. For
example, you create a network profile named Management with VLAN ID 10,
map it to the LAN port, and create an IP interface for it (IP address
10.1.10.1/24). You must enable the management tool on this interface if you
want to be able to contact the controller's Web browser interface at 10.1.10.1.
Similarly, you must enable SNMP on the interface to manage the controller in
that way on this address.
The controller can receive traffic from APs on any IP interface. For this function,
you enable the feature on a physical port, and the controller allows the function
on any IP interface configured on that port.
Just like the (untagged) Internet port network, the non-default IP interfaces do not
map to the Access Controller unless special tunneling is involved, as you will
learn later.
However, the controller can route traffic to and from access-controlled clients and
any IP interface (no matter which physical port supports the interface).
Remember: the controller does not route traffic for non-access-controlled devices.
For example, you have defined an IP interface for the Management (VLAN 10)
profile as described above. If you want other devices to reach this address, the
subnet must also exist in the LAN or on the router to which the controller
connects, just like the subnets for the controller's untagged IP interfaces must
exist. You cannot expect the controller to route this traffic from one of its
interfaces to another.
MSM720 ports
MSM720 ports act like switch ports.
You can:
Aggregate ports (static trunk and active LACP)
Assign network profiles as untagged and tagged to multiple ports or trunks
The MSM720 has six ports instead of the two ports of the other MSM Controllers.
Four of these ports are RJ-45 10/100/1000 Mbps ports while two are dual-personality
RJ-45 10/100/1000 Mbps or GbE fiber ports.
The MSM720 ports act less like the router ports of the other controllers and more like
routing switch ports. You can create tagged and untagged VLAN assignments on
these ports much as you would on switch ports. You can also combine the ports into
link aggregation groups, or trunks, using static mode or active LACP. Then you can
apply VLAN assignments to the trunks.
MSM720 networks
Like other controllers, the MSM720 uses global network profiles. However, every
profile that is mapped to a port requires a VLAN ID. When you assign the profile to
a port, you select whether the associated VLAN is tagged or untagged on that port.
If tagged, the controller includes a VLAN tag when it needs to send a frame on that
VLAN and that port. Equally, the controller uses a VLAN tag in traffic received on the
port to map the traffic to the VLAN. It only accepts tagged traffic for which the ID is
configured as a tagged VLAN on the port.
If untagged, the controller sends traffic in that VLAN and on that port as untagged,
and it assigns any traffic that is received on that port without a tag to that VLAN.
Although the controller does not use the VLAN ID in sending and receiving traffic on
that particular port, it does use the ID internally to determine how to switch traffic
from one port to another.
The MSM720 has two network profiles at factory defaults. Called the Access network
and the Internet network, these profiles roughly correspond to other controllers' LAN
port network (untagged) and Internet port network (untagged) profiles, respectively.
However, the profiles have associated VLAN IDs, the Access network's default ID
being 1 and the Internet network's being 10.
The figure illustrates the relationship between these profiles and the MSM720's ports
at factory defaults. The Access network is assigned untagged to the four RJ-45
10/100/1000 Mbps ports, ports 1 to 4. The Internet network is assigned untagged
to the two dual-personality ports, ports 5 and 6.
You can edit the default profiles, giving them, for example, different VLAN IDs.
However, you cannot delete them.
The default profiles have functions similar to the untagged profiles on other MSM
Controllers' ports. For example, traffic associated with the Access network, whether
that network is tagged or untagged on a port, is always treated like untagged traffic
on another controller's LAN port. If you do not want any traffic treated in this way,
you can always assign a different profile to the ports and remove the Access network
profile.
As on other controllers, you can create additional profiles and assign them to ports.
However, you can assign these profiles as either tagged or untagged. Of course,
each port can have only one untagged assignment, so assigning a new network
profile to a port as untagged would remove the existing untagged network profile.
After you assign a profile to a port, you can create IP interfaces for that profile in the
same manner as for other controllers. The figure below shows an example.
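The MSM720 profile and port rules from this section (and the one-untagged-profile rule from the MSM760/MSM775 zl discussion above), as an added Python model that is not HP code; the "Guest" profile, VLAN 20 and the port names in the demo are constructed, while the factory defaults follow the text.

```python
"""Model of MSM720 network profiles, port assignments and VLAN handling, added
as an example for this page (not HP code). Profile and port names and the
"Guest" VLAN used in the demo are constructed; the factory defaults (Access
network = VLAN 1 untagged on ports 1-4, Internet network = VLAN 10 untagged on
ports 5-6) follow the course text."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    name: str
    untagged_vlan: Optional[int] = None   # a port has at most one untagged VLAN
    tagged_vlans: set[int] = field(default_factory=set)


class MSM720:
    DEFAULT_PROFILES = ("Access network", "Internet network")

    def __init__(self) -> None:
        self.profiles: dict[str, int] = {"Access network": 1, "Internet network": 10}
        self.ports = {f"port {n}": Port(f"port {n}") for n in range(1, 7)}
        for n in range(1, 5):
            self.ports[f"port {n}"].untagged_vlan = 1
        for n in (5, 6):
            self.ports[f"port {n}"].untagged_vlan = 10

    def add_profile(self, name: str, vlan_id: Optional[int]) -> None:
        # On the MSM720 every profile mapped to a port needs a VLAN ID.
        if vlan_id is None:
            raise ValueError(f"profile {name!r} needs a VLAN ID to be mapped to a port")
        self.profiles[name] = vlan_id

    def delete_profile(self, name: str) -> None:
        # The default profiles can be edited but never deleted.
        if name in self.DEFAULT_PROFILES:
            raise ValueError(f"{name!r} is a default profile and cannot be deleted")
        vid = self.profiles.pop(name)
        for p in self.ports.values():
            p.tagged_vlans.discard(vid)
            if p.untagged_vlan == vid:
                p.untagged_vlan = None

    def assign(self, profile: str, port: str, tagged: bool) -> None:
        """Map a profile to a port as tagged or untagged."""
        vid = self.profiles[profile]
        p = self.ports[port]
        if tagged:
            p.tagged_vlans.add(vid)
        else:
            # Only one untagged assignment per port: a new untagged profile
            # replaces the existing one (for example the Access network).
            p.untagged_vlan = vid
            p.tagged_vlans.discard(vid)

    def classify_ingress(self, port: str, tag: Optional[int]) -> Optional[int]:
        """VLAN ID an incoming frame is assigned to, or None if it is dropped."""
        p = self.ports[port]
        if tag is None:
            return p.untagged_vlan          # untagged frame -> port's untagged VLAN
        return tag if tag in p.tagged_vlans else None   # tagged: must be configured

    def egress_tag(self, port: str, vlan_id: int) -> Optional[bool]:
        """True: leaves tagged; False: leaves untagged; None: VLAN not on port."""
        p = self.ports[port]
        if vlan_id == p.untagged_vlan:
            return False
        if vlan_id in p.tagged_vlans:
            return True
        return None

    def switch_path(self, in_port: str, tag: Optional[int], out_port: str):
        """Internal switching between ports is decided by the VLAN ID."""
        vid = self.classify_ingress(in_port, tag)
        if vid is None:
            return None
        tagged = self.egress_tag(out_port, vid)
        return None if tagged is None else (vid, tagged)

    def is_access_controlled(self, vlan_id: int) -> bool:
        """Traffic in the Access network VLAN is treated like untagged traffic
        on another controller's LAN port, i.e. as access-controlled."""
        return vlan_id == self.profiles["Access network"]


if __name__ == "__main__":
    c = MSM720()
    c.add_profile("Guest", 20)                     # constructed example profile
    c.assign("Guest", "port 1", tagged=True)       # switch side must tag VLAN 20
    c.assign("Guest", "port 2", tagged=False)      # replaces Access network on port 2
    print(c.classify_ingress("port 1", 20), c.switch_path("port 1", 20, "port 2"))
    print(c.classify_ingress("port 3", 20), c.is_access_controlled(1))
```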
Figure: Profile assignment on another controller: the (untagged) LAN port network, the
(untagged) Internet port network, and non-default profiles, which are assigned to one
port only and are always tagged.
Activity: Exploring how the MSM Controller handles incoming wired traffic (untunneled)
Figure 2-14: Activity: Exploring how the MSM Controller handles incoming wired traffic (untunneled)
How does the controller handle the packet?
MSM760, DHCP requests: 1. Responds; 2. Ignores
MSM760, HTTP requests: 3. Ignores; 4. Sends to Access Controller; 5. Ignores; 6. Responds
MSM720, DHCP requests: 7. Ignores; 8. Responds
MSM720, HTTP requests: 9. Sends to Access Controller; 10. Responds
You will now examine two scenarios and determine how the MSM Controller in each
scenario handles several packets. For this activity, you are exploring how the
controller operates when you have configured IP addresses, enabled DHCP services,
and set a management interface. However, you have not configured your own VSCs,
changed settings on the default VSC, or deployed APs. In other words, these packets
arrive on the controller's interfaces from the Ethernet network without any special
tunneling from an AP.
This activity helps you to understand what to expect when you connect the controller
to the network, so that you can plan the proper ways to connect the controller and
configure these features.
As you answer questions for the scenarios, you can fill them in the figure above.
MSM760 Controller
The following figure indicates the VLAN and IP settings for an MSM760 Controller's
LAN port at the top; it also shows the controller's IP route. The bottom section of the
figure shows the untagged VLAN assignment on the connected switch port. The
switch's routes are shown below.
Figure 2-15: Network settings on the MSM760 LAN port and connected switch port
DHCP requests
As you see in the above figure, the DHCP server is enabled on the controller. Consider
to which DHCP requests the controller responds.
1.
_______________________________________________________________________
2.
A DHCP discovery broadcast arrives on the LAN port in a frame tagged for
VLAN 10. Does the controller respond?
_______________________________________________________________________
HTTP requests
Next explain how the controller handles each HTTP packet as it arrives on the
indicated port.
Note
Some packets arrive on an IP interface but are not destined for that interface's IP
address. These packets arrived there because the encapsulating frame had the
controller's MAC address; that is, the packet was directed to the controller
interface for routing.
3.
Figure 2-17: Network settings on the MSM760 LAN port and connected switch port
6.
VLAN tag: 10
MSM720 Controller
The figure indicates the VLAN and IP settings for an MSM720 Controller port 1 at
the top and the corresponding VLAN assignments on the connected switch port. The
MSM720 supports the same DHCP settings and management tool settings as
indicated in Figure 2-16 (replace LAN port with Access network).
As indicated earlier, besides these settings, the controller is using default ones.
Figure 2-18: Network settings on the MSM720 port 1 and connected switch port
DHCP requests
First consider to which DHCP requests the controller responds.
7.
_______________________________________________________________________
8.
_______________________________________________________________________
HTTP requests
Next explain how the controller handles each HTTP packet as it arrives on the
indicated port.
9.
VLAN tag: 3
AP deployment
Figure 2-19: DHCP settings on the MSM760
The next section takes you through the initial setup process, providing guidelines and
best practices.
You should typically obtain direct access to the MSM Controller and configure its IP
settings before you connect the controller to the network. You might also disable the
default VSC to ensure that it does not start controlling clients until you have
configured the correct settings for your environment. Finally, after you have connected
the controller to the network and verified that you can reach its Web browser
management interface, you should restrict management to the correct interface.
The next slides cover this process in more detail.
Planning the controller's connection
Select an IP interface (and port) on which to manage the controller:
Typical: Internet
Before you begin the initial setup process, however, you need to plan the final
connection. First, you must select an IP interface on which to manage the controller.
At the factory default settings, you have two MSM Controller interfaces from which to
choose:
For all the reasons discussed in the section above, pay attention to the untagged
traffic carried between the LAN port and the connected device. Unless you have a
specific reason to connect the (untagged) LAN port interface, do not allow untagged
traffic on the connection. Although you might have disabled the features that can
cause problems, there is no need to introduce a chance for error.
Note
It is possible to manage the controller on the (untagged) LAN port or Access
network interface. However, it is not generally recommended; you must plan
carefully to ensure that the solution functions as you desire and that you do not
introduce security or connectivity issues. You will understand better why as you
learn more about access-controlled solutions.
Two ports
When the controller is mainly managing APs, which are forwarding traffic locally, a
single port can support the necessary traffic. Sometimes, however, the controller
needs to handle a great deal of traffic from access-controlled clients. Module 5:
Guest Solutions, which introduces access-controlled solutions, and Module 6:
VLANs will explain when you might want to add a second port and additional
VLANs and IP interfaces to your solution.
MSM720
For the MSM720, also, the Internet network is generally preferred to the Access
network for management. But, on this controller, you can choose precisely which
network profile to assign to each port. Therefore, you can assign the Internet network
to whichever port or ports you want to connect to the network.
If you choose to use more than one port, simply make sure that you have not
introduced a loop.
Later, just as on other controllers, you can decide whether you need to connect
additional ports and add more VLANs and IP interfaces.
You are now ready to obtain initial access to the MSM Controller. At this point, you
might not connect the port that you plan to connect in the end.
Direct connection
Generally, it is recommended that you establish a direct connection between a
management station and the controller. You can then use the controller's Web
browser interface or CLI to configure the controller's IP and management settings
before you ever connect the controller to the network. This option usually provides the
simplest setup but does require you to have physical access to the controller.
You can establish the direct connection either with an Ethernet cable, in which case
you use the Web browser interface to complete the initial setup, or with a
serial cable, in which case you use the CLI. The Web browser interface generally
provides the simplest option. However, for the MSM775 zl, you must use the CLI to
assign the initial IP settings.
1.
Connect the management station to the MSM760's LAN port. Or connect the
management station to the MSM720's port 1, 2, 3, or 4.
2.
Configure the management station with these IP settings on its Ethernet NIC:
Also make sure that the management station does not have any other Ethernet or
wireless NICs that are enabled and connected.
3.
4.
Accept the certificate error and log in with the default credentials:
Username = admin
Password = admin
5.
You are prompted to complete several initial tasks such as accepting the EULA
agreement, changing the password, and setting the country code. You will
practice completing this step in Lab Activity 2.1.
The next slides describe how to complete the initial setup and then connect the
controller in its final location.
Replace <slot> with the letter of the slot in which you installed the MSM775 zl.
Note
This step is not required. However, it helps to prevent issues if you later need to
enable DHCP services on the controller.
2.
For the MSM775 zl, you must access the CLI through the HP zl switch CLI.
Establish a console, Telnet, or SSH connection with the switch, depending
on how the switch is configured. Then enter this command from the switch's
configuration mode context:
3.
Accept the EULA agreement. (You must press a key to move through the pages
and then enter YES.)
The next slides explain how to complete the initial setup. You can also refer to the
MSM 7xx Controllers guides at the HP Networking web site.
Alternative strategies
Indirect Ethernet connection
Indirect Ethernet connection and no DHCP
You can choose two less commonly used, but valid, strategies for obtaining initial
access to the MSM Controller.
1.
If the controller will always use DHCP to obtain the IP address on which you
manage it, it is recommended that the DHCP server administrator reserves a
fixed DHCP address for it. The DHCP server administrator must use the
controller's MAC address to reserve the address.
2.
3.
Install the controller in its final location. Connect the MSM760 Internet port to
the prepared switch port. Or connect the MSM720's port 5 or 6 to the switch
port.
4.
Find the controller's DHCP address. If the DHCP administrator reserved a fixed
IP address for the controller, as recommended, you should already know the
address.
5.
On a management station that can reach the management VLAN, open a Web
browser and navigate to the controller's IP address.
You can then complete the rest of the process detailed in the following slides,
skipping the step on connecting the controller to the network.
You might use this option when the controller needs to be installed first, and you must
then complete its initial configuration without having physical access to it. Because
this option introduces more possibilities for misconfiguration, it is recommended that
you avoid it when possible, instead pre-configuring the controller through a direct
connection as described earlier. However, if you keep in mind what you have
learned about the controller's behavior and take care to keep the controller's DHCP
services disabled during the initial setup, you can follow these steps:
1.
Connect the controller LAN port and your management station to ports that are
untagged for the same VLAN.
If possible, you could take extra care to isolate the controller during the initial
setup by creating a new VLAN for these connections.
2.
Configure the management station with these IP settings on its Ethernet NIC:
Also make sure that the management station does not have any other Ethernet or
wireless NICs that are enabled and connected.
3.
4.
Accept the certificate error and log in with the default credentials:
Username = admin
Password = admin
Configuring IP and other initial settings
Specify IP settings for the controller management interface.
Create a default route.
For a non-default IP interface, create a route rather than specify the interface gateway.
You are now ready to configure the controller's IP address on the selected IP
interface. You must also configure a default route through this interface.
Other guidelines include making sure that the appropriate management protocols
are enabled on the interface. For now, you are mainly concerned with the Web
browser interface (management tool), but later you will learn how to enable
protocols like SOAP. You should also set the controller's DNS server and Simple
Network Time Protocol (SNTP) server. (The MSM775 zl, however, receives its clock
from the HP zl switch.)
The sections below provide detailed guidelines for configuring the IP settings and
default route.
The (untagged) Internet port interface: You must configure the proper IP settings
on the Internet port interface. You can set the address statically, or you can
configure DHCP settings. When you use this option, you do not specify the
VLAN ID anywhere on the controller. The connected switch port's untagged
VLAN assignment determines the ID.
With this option, you can use the Configure initial controller settings workflow to
establish the IP settings. This workflow lets you configure several settings and
does not apply them until the end of the workflow, preventing issues with losing
access to the interface as you change the IP settings.
Create a network profile with the proper VLAN ID (Controller >> Network >
Network profile window).
b.
Map the profile to either the Internet port or the LAN port. (Controller >>
Network > VLANs window).
Some administrators prefer to use only the Internet port to make it easier to
follow the guideline about isolating the (untagged) LAN port interface,
unless specifically required. However, you can certainly assign the VLAN to
the LAN port; simply make sure that the connected switch port carries
tagged traffic.
c.
d.
MSM720
Valid options for an MSM720's management interface include:
The Internet network: You can use the default Internet network profile to
manage the controller. This option is generally recommended since it requires
less setup. In addition, you can use the initial configuration wizard to configure
the IP settings at the same time as other initial settings.
Either during the wizard or on your own, you must complete these tasks:
a.
Edit the Internet network profile to use the proper VLAN ID.
b.
c.
Adjust the ports to which the Internet network profile is applied as necessary
to meet the requirements of the network infrastructure. You can apply the
profile as tagged or untagged.
Caution
Avoid changing the untagged VLAN assignment for the port on which you are
reaching the controller. Otherwise, you will lose access to the Web browser
interface. You can adjust this ports VLANs after you finish the initial setup and
confirm access on the other interface.
A new network profile: If you have different plans for the default Internet
network profile, you can create a new profile. Follow these steps:
a.
Create a network profile with the proper VLAN ID (Controller >> Network >
Network profiles window).
b.
Map the profile to the appropriate ports (Controller >> Network > VLANs
window).
Caution
Again, avoid changing the untagged assignment for your current port.
c.
You should be in the global configuration mode context of the controller CLI:
2.
ip interface wan
ip address mode [static | dhcp]
ip address <IP address/prefix length>
Enter this command only if you chose static for the mode.
end
If you will manage the controller on a VLAN that is tagged on either the
LAN or Internet port:
   network-profile <name>
      You can use any name that you want.
   vlan
   vlan <ID>
   end
   interface ethernet [port-1 | port-2]
      Use port-1 to map the VLAN to the LAN port; use port-2 to map the VLAN
      to the Internet port.
   interface vlan <name>
   ip address mode [static | dhcp]
   ip address <IP address/prefix length>
      Enter this command only if you chose static for the mode.
   end
   end
3.
4.
You do not need to complete this step if the controller receives a DHCP address
on its Internet port network. However, you do if the controller has a static IP
address or if it receives a DHCP address on a VLAN.
Temporarily disabling the default VSC (optional)
Prevent the controller and APs from supporting the default VSC until you are ready:
Disable access control.
Disable virtual AP.
If you deploy the MSM Controller and APs before configuring the company's VSCs,
you should be aware that the controller supports the default VSC by default. Either
configure the controller, its VSCs, and the network infrastructure with the desired
settings before deploying the MSM solution or disable the VSC until you are ready
for it. This will help to prevent misconfigurations, in which the controller begins
implementing access control on the wrong VLAN, as well as to prevent discovered
APs from advertising the SSID prematurely.
To disable the default VSC from the controller's Web browser interface, follow these
guidelines:
1.
2.
3.
4.
You can now install the MSM Controller, following the instructions in its Installation
and Getting Started Guide, and connect it to the network. At this point, the controller
only requires a connection on one interface.
For example, you have configured a network profile with VLAN ID 20 and
mapped it to an MSM760's LAN port. You plan to connect this port to interface
A1 on an HP switch that runs ProVision software. Assuming that this port is
currently an untagged member of VLAN 1, enter these commands in the switch
CLI:
Switch(config)# vlan 20 tagged a1
Switch(config)# no vlan 1 untagged a1
Activity
Examine the scenarios described below and also illustrated in the figure on the
previous page. Make a plan:
Scenario 1
You have configured an MSM720 with IP address 10.1.1.2/24 on its Internet network,
which is mapped to the default ports, 5 and 6, as an untagged VLAN. You changed
the VLAN ID for this network to 11. You also created a default route to 10.1.1.1.
Scenario 2
On an MSM775 zl, you have created a new network profile named Management
and set the VLAN ID to 11. You mapped this profile to the controller's LAN port and
created an IP interface with IP address 10.1.1.2/24 for it. You also created a default
route to 10.1.1.1.
Scenario 3
You have configured an MSM760 with IP address 10.1.1.2/24 on its (untagged)
Internet port interface. You also created a default route to 10.1.1.1. The subnet
10.1.1.0/24 corresponds to VLAN 11.
Restricting management to the correct interface
Access the controller on the IP address configured to manage it.
Disable management on other interfaces.
You can now access the MSM Controller's Web browser interface at the controller's
final management IP address. Reconnect your management station to the network,
remembering to return its IP settings to ones that are valid on the network (generally,
receiving a DHCP address). Browse to the MSM Controller's management IP address
and confirm that you can reach the Web browser interface and successfully log in.
Once you have confirmed management access, you can restrict management access
on other interfaces, and generally should, for the sake of security. In the Web
browser interface, navigate to Controller >> Management > Management tool.
Clear the check box for LAN port or for Access network and for any other interface
that you have not selected for management.
Lab Activity 2.1
Deploy the MSM controller and complete initial configuration.
You will now practice obtaining initial access to an MSM760 Premium Mobility
Controller, establishing the controller's management IP settings, and connecting the
controller to the network.
Consult your Lab Activity Guide for instructions for performing this activity.
Key Insights
Use the space below to record your thoughts about various deployment strategies
that you explored during Lab Activity 2.1.
Discussion topics
HP MSM Controller ports and networks
Initial setup
AP deployment
Next, you will explore strategies for deploying MSM APs and having them become
discovered and controlled by an MSM Controller.
Planning the AP deployment
To which VLANs and subnets will APs connect?
How will you assign IP addresses to the MSM APs?
Can you configure the APs' VLANs on the controller, or do you need to set
up Layer 3 discovery?
Should the controller accept all MSM APs that discover it, or do you want
to enforce authentication?
Figure 2-30: Planning the AP deployment
You must consider several questions as you plan the AP deployment. Considerations
include the VLAN and subnet to which the APs connect, as well as how the APs
receive IP addresses in those subnets. In some cases, APs can discover the controller
automatically, and, in others, you need to set up a mechanism for delivering the
controller's IP address to the APs.
You will now consider several solutions that provide valid answers to these questions.
AP deployment solutions
Solution 1: Dedicated AP VLAN (Layer 2 discovery)
Solution 3: Dedicated AP VLANs (Layer 3 discovery)
Solution 1: Deploying APs in a dedicated VLAN
Dedicated AP VLAN: Recommended to separate controlled AP communications from
network traffic
When possible, you should create a VLAN that is dedicated to the MSM APs. This
strategy helps you to match particular IP addresses to controlled MSM APs. It also
allows you to isolate the MSM APs' management traffic from other network traffic.
The figure illustrates an example network in which VLAN 10 has been added for the
APs. The VLAN is assigned to the APs' ports as an untagged VLAN. (APs also support
tagged VLANs, but for now you are examining the simplest deployment.) The
network administrator extends the new VLAN to the core and also sets up the
associated IP subnet on the core switch.
At this point, the figure only illustrates the topology changes required to deploy the
APs. The controller should also support the new VLAN so that APs can discover the
controller at Layer 2, the simpler option and one supported in this environment.
However, the manner in which you add that VLAN to the controller depends on how
the APs will receive their IP addresses.
Note
For reasons such as this, it is best to plan the AP deployment before configuring
the controller's IP settings and deploying it. In this module, you have focused on
the task of deploying the controller and deploying APs separately. However, in
the end, you must consider both tasks together.
DHCP usually provides the most convenient mechanism for assigning IP addresses to
MSM APs, particularly when you have many APs to deploy. Either a network DHCP
server or the MSM Controller itself can assign the addresses. However, the network
DHCP server is the typical choice.
The company receives DHCP addresses from a device outside of its control (such
as an ISP router).
The company has a complicated or time-consuming procedure for adding new
scopes to the DHCP server.
In this case, you must configure the controller's LAN port with an IP address in the
subnet reserved for the APs, and APs must reside in a single subnet. The controller
LAN port must connect to a switch port that has an untagged VLAN assignment in
the APs' VLAN. For an MSM720, you configure the IP address on the Access
network. You can assign this profile to one or more controller ports as tagged or
untagged, matching the VLAN assignments on the connected switch ports.
Remember to isolate the controller LAN port (or Access network) and the APs from
the rest of the network. In other words, do not add other endpoints and servers to the
VLAN.
Note
Later, if the company requires an access-controlled VSC, you should remember to
set up the solution so that the controller assigns guests IP addresses in a different
subnet. Otherwise, guests might use up the APs' addresses.
Solution 2: Deploying APs in an existing VLAN
Existing VLAN: Less recommended but allows quick AP deployment when a DHCP
scope already exists for the VLAN
Some companies do not want you to change the network infrastructure by adding a
new VLAN for the APs. In this case, you must determine which VLAN or VLANs can
handle the AP and controller communications most securely. For example, you might
use the same subnet on which other network infrastructure devices have their IP
addresses, as illustrated in the figure. You must then verify that the selected VLAN is
available on the edge switches to which APs connect and configure the AP ports
appropriately.
Similarly, you should assign the VLAN to the switch port connected to the MSM
Controller port, typically the Internet port, as you learned earlier.
If the network DHCP server already has a scope for this VLAN, it can use the existing
scope to assign APs their IP addresses. Do not enable the controller DHCP server on
a VLAN that already has DHCP services.
If the VLAN is not DHCP enabled, use one of the strategies outlined on the previous
slide to provide APs with their addresses. If at all possible, the network DHCP server
administrator should add a scope.
Note
Although you could enable DHCP services on the controller untagged LAN port
or Access network interface, this method is not generally recommended. It is
better to isolate this port and use it for access-controlled guests. For example, if
the company later decides to add network DHCP services to this VLAN without
informing you, conflicts could arise.
In a variation on this strategy, you could deploy the APs on a new subnet reserved
for them, following the guidelines outlined for Solution 1. However, you configure the
MSM Controller's management IP address on the same subnet.
Layer 2 AP discovery
Make sure step 2 succeeds by enabling discovery on the correct interface.
You now have at your disposal several strategies for deploying APs and ensuring that
they receive IP addresses. You can now turn to the process by which the AP discovers
the MSM Controller and the controller begins to manage the AP. In the deployments
that you have examined, this process occurs automatically with just one setting that
you might need to configure.
An MSM AP, assuming that it is operating at factory default settings, boots in
controlled mode. The AP first attempts to obtain an IP address using DHCP, which,
assuming that you configured the solution according to the guidelines, it obtains.
After obtaining the IP settings, the AP begins the Layer 2 discovery process:
1.
2.
Because you often connect only the Internet port, enabling discovery on the
Internet interface is an important step.
On the MSM720, discovery is enabled by default on the Access network. You
can enable discovery on other network profiles associated with IP interfaces.
Once the controller has processed the discovery request, it sets the AP's status to
Pending; the AP is discovered but not yet controlled. The controller also adds
the AP to its list of Discovered APs if this is the first time that it has detected the
AP.
3.
4.
5.
6. Controller checks the AP's software: The controller changes the AP's status to
   Verifying capabilities and sends a request for the AP's software version.
7. Controller updates the AP's software: This step only occurs if the AP responds
   with a different version from the controller's.
   a. The controller changes the AP's status to Updating software and informs
      the AP that it must update its software.
   b. The AP downloads the software from the controller, installs the software,
      and reboots.
c.
8.
9.
Status: Description
Synchronized: Synchronized APs are controlled, have been configured, and their
configuration is up-to-date. A synchronized AP is always detected and configured.
Detected: A detected AP has contacted the controller with a discovery message and
the controller can reach it. However, the AP and controller might or might not have
established a management tunnel, and the AP might or might not have been
configured by the controller.
Configured: The controller stores a configuration for Configured APs. However, the
AP might or might not be currently detected and synchronized with that configuration.

AP LED behavior
Description: The AP is attempting to establish wired connectivity.
   Step in the discovery process: Pre-discovery (initial connection process)
   Diagnostic in the Controller Web browser interface: Not shown
Description: The AP is attempting to establish a local mesh link to a master node.
   Step in the discovery process: Pre-discovery (initial connection process) or
   post-discovery mesh establishment
   Diagnostic in the Controller Web browser interface: Not shown
Description: The AP has found a controller and is attempting to establish a secure
management tunnel with it.
   Step in the discovery process: Step 3
   Diagnostic in the Controller Web browser interface: Establishing tunnel
Description: The AP has received a discovery reply from two or more controllers with
the same priority setting. It is unable to connect with either controller until the
conflict is resolved.
   Step in the discovery process: Step 2
   Diagnostic in the Controller Web browser interface: Waiting for acceptance
AP management
The controller stores a configuration for each AP.
Here you see in more detail how the MSM Controller constructs the configuration that
it applies to a controlled AP. Some of the more advanced AP deployment options,
which are covered in the next section, require you to configure settings on the APs. A
basic understanding of how the controller manages AP configurations will help.
AP configuration settings
The MSM Controller stores a configuration for each controlled AP, tracking the AP by
MAC address. The AP's configuration includes three basic types of settings:
Settings that determine how the AP behaves if it cannot reach the controller
STP settings for APs, such as MSM317s, with more than one Ethernet port
Multicast settings (IGMP snooping helps the APs forward multicasts more
efficiently and is enabled by default)
Sensor settings (some APs can act as sensors and work with HP RF
Manager, a wireless Intrusion Detection System/Intrusion Prevention System
[IDS/IPS]; sensors are covered at the MASE-level)
Local network settings (these settings are used for Mobility Traffic Manager
[MTM], which is covered at the MASE-level)
Provisioning settings, which help the APs to connect to the network and become
controlled
Often APs do not require provisioning settings because the default plug-and-play
deployment works for them, as you have seen in the two deployment solutions
outlined in this section. Sometimes, however, the environment demands
provisioning, as you will see in the next section.
Note also that you must specifically enable the controller to replace APs'
provisioning settings.
AP configuration levels
The figure illustrates how the controller obtains the settings for each component of the
AP configuration. You can configure the AP and provisioning settings at three levels:
Controlled APs
This level always applies to all controlled APs.
AP group
You create the groups; initially, the only group is Default Group. Each AP
belongs to one and only one group. When unknown APs are first discovered,
they belong to the Default Group.
AP
You can configure individual settings for controlled APs as required.
All default settings are configured at the Controlled APs level and inherited at the
group and individual AP levels. That is, if you change a setting at the Controlled APs
level, it extends down the hierarchy to each group and AP.
To configure a setting at the group level, you break the inheritance (as you will see in
the lab, you simply clear a check box labeled Inherited). You can then change any
of the settings for which you broke the inheritance. Similarly, you can break the
inheritance between the group and AP settings.
The settings at the lower level always take precedence.
The figure illustrates these rules in a simplified manner. It shows three parameters, A,
B, and C. These parameters represent radio settings, local mesh profiles, and a
country code. You can configure more settings than those; they were simply selected
as examples. These parameters have particular settings at the Controlled APs level,
which are represented as A1, B1, and C1. For example, Radio 1 for MSM460s radios
might be set to transmit power 16, all local mesh profiles might be set to disabled,
and the country code might be United States.
An AP's group (the Default Group would be the group that you configure to affect
APs when they first become controlled) inherits the settings. However, the group
breaks the inheritance for the radio settings and applies a new setting, A2. For
example, the group might specify that the MSM460 Radio 1 uses transmit power 18
and channel 36.
An AP within the group inherits the AP group settings, but breaks inheritance for
another set of settings; for example, the administrator configures and enables
one of the local mesh profiles. The AP's final configuration includes the radio settings
configured at the AP group level, the local mesh profiles configured at the individual
AP level, and the country code configured at the Controlled APs level. The controller
applies those settings when it updates the AP's configuration.
The AP-relevant VSC settings always derive from the global VSC profiles. Only VSCs
bound to the AP affect the AP's configuration, and the VSC binding also specifies
which AP radios support the VSC. VSC bindings differ from other AP settings in that
you must bind VSCs at the group level.
AP configuration synchronization
The controller updates the AP configuration when:
As you make changes in the controller interface, APs continue to implement their
current configuration without interruption. However, the controller tracks configuration
changes that affect each AP. When an AP is not implementing the most current
configuration, the AP's status becomes unsynchronized. This simply means that the
AP is implementing a previous configuration. You can finish configuring a complete
feature and, only when you are ready, synchronize the AP and let it begin
implementing the new feature.
It is very important to remember to resynchronize APs whenever you want to apply
your configuration changes. As you will observe, the controller Web browser
interface helps you to remember by pointing out unsynchronized APs in several ways.
You will practice synchronizing APs in the lab.
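To make the configuration-level rules (Controlled APs, AP group, AP, the Inherited check box, group-level VSC binding) and the unsynchronized status concrete, here is an added Python model; it is not HP's code, the class and method names are assumed, and the sample values are the page's A/B/C illustration.

```python
"""Model of the Controlled APs -> AP group -> AP configuration hierarchy and of
AP synchronization as described above (added example, not HP's code)."""


class ConfigLevel:
    """One level of the hierarchy. Every level below Controlled APs starts with
    every setting inherited; overriding a setting clears its 'Inherited' box."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.values = {}        # settings configured (inheritance broken) here
        self.children = []
        if parent is not None:
            parent.children.append(self)

    def is_inherited(self, key):
        return self.parent is not None and key not in self.values

    def override(self, key, value):
        """Clear the 'Inherited' box for key and configure a local value."""
        self.values[key] = value
        self._mark_unsynchronized()

    def restore_inheritance(self, key):
        """Re-check 'Inherited' so the value from the level above applies again."""
        if self.parent is None:
            raise ValueError("the Controlled APs level has nothing to inherit from")
        self.values.pop(key, None)
        self._mark_unsynchronized()

    def resolve(self, key):
        """Walk upward; the lowest level that broke inheritance wins."""
        level = self
        while level is not None:
            if key in level.values:
                return level.values[key], level.name
            level = level.parent
        raise KeyError(f"{key} is not configured at any level")

    def effective_config(self):
        keys, level = set(), self
        while level is not None:
            keys.update(level.values)
            level = level.parent
        return {key: self.resolve(key) for key in sorted(keys)}

    def bind_vsc(self, vsc, radios):
        raise TypeError("VSCs must be bound at the AP group level")

    def _mark_unsynchronized(self):
        # A change at this level affects every AP below it.
        for child in self.children:
            child._mark_unsynchronized()


class APGroup(ConfigLevel):
    def __init__(self, name, controlled_aps):
        super().__init__(name, controlled_aps)
        self.vsc_bindings = {}  # VSC name -> radios that support it

    def bind_vsc(self, vsc, radios):
        self.vsc_bindings[vsc] = tuple(radios)
        self._mark_unsynchronized()


class AccessPoint(ConfigLevel):
    def __init__(self, name, group):
        if not isinstance(group, APGroup):
            raise TypeError("an AP belongs to exactly one AP group")
        super().__init__(name, group)
        self.synchronized = True

    def _mark_unsynchronized(self):
        # The AP keeps running its previous configuration until synchronized.
        self.synchronized = False

    def synchronize(self):
        """Push the current effective configuration to the AP."""
        self.synchronized = True
        return self.effective_config()

    def vsc_bindings(self):
        return self.parent.vsc_bindings  # always taken from the AP's group


def build_page_example():
    """Rebuild the A/B/C illustration from the text (values are the page's)."""
    controlled = ConfigLevel("Controlled APs")
    controlled.override("radio1", {"transmit_power": 16})           # A1
    controlled.override("local_mesh_profile_1", {"enabled": False})  # B1
    controlled.override("country_code", "United States")             # C1
    group = APGroup("Default Group", controlled)
    group.override("radio1", {"transmit_power": 18, "channel": 36})  # A2
    ap = AccessPoint("ap1", group)
    ap.override("local_mesh_profile_1", {"enabled": True})           # B2
    return controlled, group, ap
```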
Lab Activity 2.2
Deploy, discover, and begin to manage the MSM APs.
You will now practice deploying MSM APs that discover the controller at Layer 2. You
will also set up AP groups for your APs and assign discovered APs to them.
Consult your Lab Activity Guide for instructions for this activity.
In the network environments that you have examined so far, you can extend a single
VLAN for the APs throughout the site. In other environments, you need to deploy APs
across Layer 3 boundaries. For example, you might deploy an MSM Controller at the
network core and APs at several branch offices. In this case, you would need to
create a different VLAN and subnet for the APs in each segment.
Note
Just as with Layer 2 discovery solutions, you can deploy the APs in an existing
VLAN instead of a new VLAN, although a VLAN reserved for the APs is
recommended. This choice affects the changes required in the network
infrastructure but does not affect the Layer 3 discovery solution.
3B Static assignments
You can assign APs their IP addresses statically. This approach provides a way for
APs to obtain IP addresses when a network DHCP server cannot provide them nor
can the MSM Controller, because the APs connect on multiple VLANs not supported
on the controller.
Layer 3 AP discovery
Solution 3 requires Layer 3 discovery:
Delivers the controller's IP address to the AP:
Choose an IP address that the AP can reach
Make sure discovery is enabled on the interface
When you deploy APs across Layer 3 boundaries, you cannot configure an IP
interface on the MSM Controller for each AP's VLAN. Thus the controller cannot
receive and respond to at least some of the APs' discovery broadcasts. In these
cases, you must set up one of three forms of Layer 3 discovery:
DHCP
DNS
Static (preprovisioning)
A DNS server address (recommended but only required for DNS discovery)
Note
All three methods allow APs to learn the IP addresses for multiple controllers, as
you will learn. However, this section focuses on using these methods with a single
controller. You will look at strategies for enabling APs to discover more than one
controller in Module 7: Teaming.
The APs' default router must be able to reach the controller IP address that you
specify in the discovery settings. The controller must also support discovery on the
interface.
Note
Remember that traffic directed to an MSM Controller IP address must arrive on
the interface associated with that address. The controller will not receive a packet
on one interface and route it to its own address on another interface.
Similarly, the MSM Controller requires a route back to the APs, or its default router
must be able to reach the APs' subnet. If the APs can reach the controller, but the
controller cannot reach the APs, you will see the APs appear and disappear in the
Web browser interface. You should verify connectivity by pinging the APs or their
default gateway.
APs could actually discover the controller on one IP address and the controller route
traffic back to them on another interface. However, this is not a recommended setup.
For example, if discovery were enabled on one interface but not the other, the
controller and AP would not be able to establish a management tunnel. If the
controller has more than one IP address, configure the APs to discover the controller
on the interface on which the controller reaches the APs.
Option in pool = Controller addresses
APs can receive controllers' IP addresses with their DHCP settings. APs that use DHCP
always request option 43, a vendor-specific option that specifies controller IP
addresses. If the APs do not receive this option, they simply apply the other settings
and attempt to discover the controller in a different way. To implement DHCP Layer 3
discovery, simply configure the APs' DHCP scope with option 43.
In more detail, the DHCP administrator follows this process:
1. Optionally, create the DHCP vendor class, which uses ASCII format. The ASCII
   string is Colubris-AP.
The DHCP server uses the vendor class to determine whether to send the option
to clients, only sending it if the client requests the Colubris-AP option. Therefore,
you would need to create this class if other devices, such as VoIP phones, are
also using the scope and also use option 43. The server can then send the
correct option to each type of client.
2. Create an option for the vendor class or, if you did not create the vendor class,
   for option 43. The option has these settings:
   Option name: You can choose any name that you want for the option.
   Code: The code is 1.
3. Add the option to the APs' pool or scope. When adding the option, define one
   or more IP addresses at which the APs can contact an MSM Controller.
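As an added example (not HP's code, nor any DHCP server's), the following Python builds and parses the option 43 value for the Colubris-AP vendor class and renders a matching ISC dhcpd fragment; the RFC 2132 sub-option layout (code 1, length, packed IPv4 addresses) and the dhcpd syntax are assumptions, not stated on the page.

```python
"""Encode and decode the DHCP option 43 value that tells MSM APs where to find
the controller (added example, not HP's code). Assumed: the value is an
RFC 2132 vendor-specific TLV list and the Colubris-AP vendor class expects
sub-option code 1 to carry one or more packed IPv4 addresses."""
import ipaddress

VENDOR_CLASS = "Colubris-AP"   # ASCII vendor class string from the page
CONTROLLER_SUBOPTION = 1       # option code 1 from the page


def encode_option43(controllers):
    """Return the option 43 value for the given controller addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    data = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(data) > 255:
        raise ValueError("too many addresses for one sub-option")
    return bytes([CONTROLLER_SUBOPTION, len(data)]) + data


def decode_option43(value):
    """Parse a vendor-specific value into {sub-option code: bytes}.

    Truncated or oversized TLVs raise instead of being silently accepted, so a
    damaged option never yields a partial or wrong controller address."""
    suboptions, i = {}, 0
    while i < len(value):
        code = value[i]
        if code == 0xFF:              # end-of-options marker
            break
        if code == 0x00:              # pad byte
            i += 1
            continue
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        length = value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option data")
        suboptions[code] = data
        i += 2 + length
    return suboptions


def controller_addresses(value):
    """Controller IPv4 addresses carried in sub-option 1, in the order listed."""
    data = decode_option43(value).get(CONTROLLER_SUBOPTION)
    if data is None:
        return []                     # no option: the AP tries another method
    if len(data) == 0 or len(data) % 4:
        raise ValueError("sub-option 1 is not a list of IPv4 addresses")
    return [str(ipaddress.IPv4Address(data[i:i + 4]))
            for i in range(0, len(data), 4)]


def isc_dhcpd_fragment(controllers):
    """Render the scope settings for ISC dhcpd (assumed dhcpd syntax, not from
    the page): a vendor option space, a class matched on the Colubris-AP
    identifier, and sub-option 1 with the controller addresses."""
    addrs = ", ".join(str(ipaddress.IPv4Address(c)) for c in controllers)
    return (
        "option space Colubris code width 1 length width 1;\n"
        "option Colubris.controller code 1 = array of ip-address;\n"
        'class "msm-aps" {\n'
        f'  match if option vendor-class-identifier = "{VENDOR_CLASS}";\n'
        "  vendor-option-space Colubris;\n"
        f"  option Colubris.controller {addrs};\n"
        "}\n"
    )
```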
Layer 3 AP discovery: DNS
The DNS server requires an entry that resolves the controller hostname.
To implement this method, the AP sends a DNS request to its DNS server for the
controller's hostname.
By default, MSM APs use cnsrv1, cnsrv2, cnsrv3, cnsrv4, cnsrv5, and cnsrv6 for the
controller hostnames. The network DNS server administrator should configure an
entry that maps one of these hostnames to the controller IP address that you want the
APs to discover.
You might not have a choice in the hostname for the MSM Controller. In this case,
rather than have APs use the default hostnames, you can preprovision the APs with
the proper hostname or hostnames.
The DNS discovery method requires the company to have its own DNS server and
the DNS server administrator to create a DNS entry for the controller. However,
creating such an entry can be relatively easy and might be required for another
purpose in any case. As another advantage of this method, you might be able to
implement it without preprovisioning APs, but only if the company is willing to use
the default hostnames for the controllers.
When prompted by your facilitator, complete the table.
Layer 3 discovery: Static
You learned that you can provision APs with connectivity settings such as static IP
addresses. You can also provision the APs with their discovery settings, which are the
IP addresses or hostnames that the APs use for Layer 3 discovery. If you specify IP
addresses in the discovery settings, the APs are ready for Layer 3 discovery after
provisioning. APs provisioned with hostnames require a DNS server that can resolve
those hostnames to valid controller IP addresses, as you learned on the previous
slide.
This Layer 3 discovery method is generally recommended only as a last resort when
the company does not have a DNS or DHCP server that you can configure instead.
For example, in some environments, an ISP might provide these services.
Potential disadvantages with this method include:
You must statically provision the APs with the controller's IP address initially, and,
if you ever want to update the address, you must statically provision them again.
Once you have provisioned an AP with a static controller address or addresses,
the AP continues to use that setting rather than try another method. Therefore, if
an error occurs, the AP might not ever become managed. You must manually
reset the AP following the procedure in the AP's Installation and Getting Started
Guide. This troubleshooting procedure might be beyond the resources of the
staff at the AP's site.
Provisioning APs
Controller-based provisioning (typically preferred):
Connectivity
Enable controlled AP provisioning.
Resynchronize the APs.
Install the APs in their final locations.
You have learned several reasons for preprovisioning an AP; that is, for establishing
settings on the AP before installing the AP in its final location. These reasons are:
The AP needs a non-default hostname for the MSM Controller to implement DNS
Layer 3 discovery.
The AP needs an IP address for the MSM Controller to implement Layer 3
discovery.
2. Create an isolated VLAN that consists of only the controller LAN port (or the
MSM720 Access network) and APs. For example, you could connect the
controller LAN port and multiple MSM APs to a switch without any
configuration.
b. Enable the DHCP server on the controller. At this point, the controller is
using its default IP address on its LAN port and assigning IP addresses in
this subnet. You can leave these default settings because the APs will only
use these IP addresses temporarily.
c. Use discovery settings to set the controller hostname or IP address for Layer
3 discovery.
You can configure the discovery settings at the Controlled AP level. Or, if
APs at different sites require different settings, you can assign APs to groups
and then configure the settings at the group level.
Important
The windows for both the discovery settings and the connectivity settings feature
a check box at the top. This check box determines whether the settings
configured in the window are applied or not. Be careful to select the check box;
otherwise, APs will not implement the provisioned configurations.
3. You must enable controlled AP provisioning for these settings to apply. The Web
browser interface will warn you if you forget this step.
4.
5. After the APs synchronize, you can deploy them in their final locations, and the
controller will discover them again.
Make sure that the controller does not have an IP address on the same
VLAN. After the AP discovers the controller and establishes a management
tunnel, you can no longer connect to the AP itself.
Note
You can return an AP to factory default settings in the controller interface or
manually, following the directions in the AP's Installation and Getting Started
Guide. You can then connect to the AP's provisioning page.
2. Determine the AP's IP address. Open a Web browser and navigate to that
address.
3. Log in to the interface using the default credentials (admin and admin).
4. You can convert an AP to autonomous mode in this interface. You can also
provision a controlled-mode AP's connectivity settings, discovery settings, or
both.
Follow similar guidelines for configuring the settings at this level as for
configuring them on the controller. Remember to select the check box at the top
of the window to apply the settings.
5. The AP will begin to implement the provisioned settings after it reboots. It will
then discover the controller. Before you initiate this process, double-check the
controller configuration.
If the controller is configured to replace APs' provisioned settings with its own, it
will apply whatever settings are configured for the Default Group to the AP when
the AP becomes controlled. The next time that the AP reboots, the AP will
implement those settings. Be careful not to erase the AP's pre-provisioned
connectivity or discovery settings unintentionally. Doing so could cause you to
lose contact with the AP, perhaps forcing you to perform a manual reset and
provision the AP again.
6. When you are certain that the settings on both the AP and the controller are as
you desire, reboot the AP. It should obtain an IP address and discover the
controller.
Provisioning APs with other settings
Acting as an 802.1X supplicant
Helps to protect the network against rogue endpoints or APs
MSM APs can connect to tagged ports instead of untagged ports. In some cases,
you might want to use this ability. First, if the AP is deployed in a public place, the
measure might act as a deterrent against casual users who might try to connect to its
port. Of course, true security would involve implementing 802.1X on the switch port,
and MSM APs support this capability as well. In the AP connectivity settings, you
simply select the 802.1X check box and assign the APs the correct EAP method and
credentials.
The primary benefit of deploying APs on tagged VLANs, therefore, is gaining more
precise control over the APs' connection.
As part of its plug-and-play features, you can connect an MSM AP that has no prior
configuration to a switch port that is tagged rather than untagged for the VLAN in
which Layer 2 discovery is possible. The AP's attempt to receive an IP address will
fail. The AP will then begin sending DHCP discovery broadcasts tagged for VLAN 1.
If the process times out again, the AP will send broadcasts in VLAN 2, and so forth.
The AP continues until it receives an address and then begins the discovery process.
This behavior can help the AP become discovered in some environments where you
have little knowledge or control of the infrastructure.
However, in a well-designed solution, you typically want to control the AP's precise
VLAN. In addition, this behavior can cause issues if a brief interruption in network
services causes an AP to lose its IP address. The AP's DHCP requests time out, so the
AP begins to send tagged messages. The AP might receive an IP address in a user
VLAN, or it might continue to try tagged VLANs after network services have been
restored.
Deploying APs in a tagged VLAN helps you to avoid such unexpected behavior.
To deploy APs on tagged VLANs, first discover the APs on untagged VLANs. Then
assign the APs their VLAN ID in their provisioning connectivity settings. (Of course, if
you had to preprovision APs for another reason, you could apply the VLAN ID at the
same time.) You can quickly provision many APs with the correct VLAN ID by
applying the setting to the controlled APs or AP group level.
In more detail, follow this process:
1.
2.
3. After APs are discovered, divide them into groups. Try to create groups such that
every AP in the group is in the same VLAN.
4. Provision APs at the AP group level with the tagged VLAN assignments. Make
sure that controlled AP provisioning is enabled.
5. Resynchronize the APs. You will not see the resynchronization process complete
because APs can no longer reach the controller.
6.
7.
At this point, the MSM APs will only send out DHCP requests on the tagged VLAN,
so you can be certain that each AP always remains on its own VLAN even if its DHCP
requests time out. However, if you choose this solution, make sure that the tag is
correct. To remove an incorrect tag, you must somehow connect the AP to the
controller on the tagged VLAN or reset the AP manually.
Lab Activity 2.3
Enable MSM APs to discover the controller at Layer 3.
You will now practice more advanced deployment options for MSM APs, focusing on
Layer 3 discovery options.
Consult your Lab Activity Guide for instructions for this activity.
Key Insights
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
You can now bring together all that you have learned throughout this module.
You have learned how to create VLANs and IP interfaces assigned to MSM
Controller ports, whether an MSM720's routing switch ports or other controllers'
router ports. You have also learned about how the controller handles traffic based on
the interface on which it arrives. With this knowledge as a foundation, you examined
strategies for deploying the MSM Controller and for deploying APs.
As part of these strategies, you learned about planning VLANs on which to deploy
APs. It is generally recommended that you dedicate new VLANs for your APs.
However, you might choose to deploy APs on an existing VLAN when you want to
manage them on the same VLAN as wired infrastructure devices or when you find it
difficult to make changes to the network infrastructure.
You also learned about configuring VLANs and IP interfaces on the MSM Controller
ports for two functions:
Often, when a company uses Layer 3 discovery for some APs, it prefers to
use the same method for all APs. The flowcharts on the next pages assume
that all APs are discovered at either Layer 2 or Layer 3. However, you can
also easily combine the solutions.
You can sometimes use the same interfaces for both functions, and sometimes your
choices in one area will affect your choices in another. The figure on the following
page provides some guidelines for choosing VLANs depending on:
Whether you want to manage the controller and APs on the same VLAN
Whether some APs must be deployed across a Layer 3 boundary from the
controller
After choosing VLANs for these functions, you must plan how to configure network
profiles on the controller so that the controller supports the proper AP
discovery/management and controller management interface. As the figure on the
previous page shows, you might use the same interface for all functions or create
new interfaces.
The flowchart on the following page provides some guidelines for selecting network
profiles to use for the IP interfaces on MSM760 and MSM775 zl Controllers. The
ovals indicate suggestions designed for a simple setup, favoring an Internet-port-only
deployment. For example, they mostly suggest that you configure the controller
management interface on the Internet port network so that you can use the wizard for
quick setup. The bottom of the flowchart lists alternatives, which you could certainly
choose instead.
Remember the guidelines for connecting the c
Connect only the controller ports that are required. Often, this means that you
only connect the Internet port.
The exception is that you must always enable the internal <slot>2 port that
connects to the MSM775 zl LAN port. However, you can isolate the untagged
LAN port interface by assigning <slot>2 an unused ID for the untagged VLAN.
At this point, you should only be using the controller's untagged LAN port
interface if you need to assign APs IP addresses with the controller DHCP server.
In this case, specify the APs' VLAN as the untagged VLAN on the switch port
connected to the controller LAN port. Make sure that other endpoints are not
using this VLAN to connect.
The final flowchart (on the following page) provides similar guidelines for matching a
selected VLAN to a network on the MSM720, whether one of the default network
profiles or a new profile associated with an IP interface. For example, if the flowchart
suggests that you use the Internet network for the controller management VLAN, set
the VLAN ID for this network profile to the VLAN ID that you selected for this purpose
earlier. (Remember that on MSM720s, you must set the VLAN ID for network profiles
that are assigned to ports, whether they are assigned as tagged or untagged
VLANs.)
For the MSM720s, you have complete control over which profiles you assign to each
port as tagged or untagged, so the flowchart does not suggest how to make these
assignments. Simply make sure that:
Summary
MSM Controller ports and networks
Best practices for controller deployment
Throughout this module, you have studied and practiced methods for obtaining initial access to the
MSM Controller, configuring its final management settings, and connecting it to the
network. Similarly, you have practiced several ways to deploy APs, including ones
that require Layer 3 discovery. Your knowledge of the controller ports and networks
helped you to follow best practices during these tasks just as it will as you continue to
implement more features in your MSM solution.
Learning check
For the learning check for this module, you will now practice using the flowcharts to
plan solutions.
Scenario 1
You are deploying an MSM775 zl Premium Mobility Controller and forty MSM APs
at a customer site, which uses VLAN 2 as the server VLAN, VLAN 20 for users, and
VLAN 11 for switch management. The company will add a dedicated VLAN for the
APs, VLAN 10, with a new subnet, 10.1.10.0/24; the VLAN will extend
throughout the site, and the routing switch will act as the default gateway. The
company has a DHCP server, and the server administrator is adding a scope for the
APs. The company staff wants to manage the MSM Controller on the same subnet on
which the controller manages the APs.
Use the first flowchart to select VLAN IDs.
1.
_______________________________________________________________________
_______________________________________________________________________
2.
_______________________________________________________________________
_______________________________________________________________________
3.
_______________________________________________________________________
Next use the second flowchart to find suggested network profiles for the controller
ports. You might use the same profile for more than one purpose.
4.
_______________________________________________________________________
5.
What is the suggested network profile on the controller for the controller
management interface? If the profile is a non-default one, note the VLAN ID.
_______________________________________________________________________
Finally, follow the guidelines that you have learned throughout this course for
choosing how the controller connects to the switch.
6.
What is the VLAN configuration for the switch ports that connect to the
MSM775 zl's internal ports?
_______________________________________________________________________
_______________________________________________________________________
Scenario 2
You are deploying an MSM720 Access Controller and 15 MSM APs at a customer
site, which uses VLAN 2 as the server VLAN, VLAN 20 for users, and VLAN 11 for
switch management. The company wants to deploy the APs on an existing VLAN and
manage the controller on the same VLAN. The controller connects to an HP IRF
group on a link aggregation (trunk) that consists of ports 1 and 2.
You must deploy another five APs at a remote site, which reaches the main site over a
routed connection. Again, the company does not want to add a VLAN for the APs;
they will connect on the remote site's VLAN 30.
The company has a DHCP server, which already provides IP addresses on all VLANs.
Use the first flowchart to select VLAN IDs.
1.
_______________________________________________________________________
_______________________________________________________________________
2.
_______________________________________________________________________
_______________________________________________________________________
3.
_______________________________________________________________________
Next use the third flowchart to find suggested network profiles to use. You might use
the same profile for more than one purpose.
4.
_______________________________________________________________________
_______________________________________________________________________
5.
What is the suggested network profile on the controller for the controller
management interface? What is the ID for this profile?
_______________________________________________________________________
_______________________________________________________________________
6.
How will you assign the network profile or profiles to the MSM720 ports 1 and
2? (More than one choice might be valid.)
_______________________________________________________________________
Finally, follow the guidelines that you have learned throughout this course for
choosing how the controller connects to the switch.
7.
What is the VLAN configuration for the link aggregation group that connects to
the MSM720 ports 1 and 2?
_______________________________________________________________________
Scenario 3
You are deploying an MSM760 Access Controller and 40 MSM APs at a customer
site, which uses VLAN 1 for servers and users and VLAN 2 for switch management.
The company wants to manage the controller in the switches' subnet but deploy the
APs on a reserved VLAN, VLAN 3. The new VLAN will extend throughout the site.
The company DHCP server cannot be configured with a new scope for the APs' IP
addresses, but you want a quick deployment for the APs.
Use the first flowchart to select VLAN IDs.
1.
_______________________________________________________________________
_______________________________________________________________________
2.
_______________________________________________________________________
_______________________________________________________________________
3.
_______________________________________________________________________
Next use the second flowchart to find suggested network profiles for the controller
ports. You might use the same profile for more than one purpose.
4.
_______________________________________________________________________
_______________________________________________________________________
5.
What is the suggested network profile on the controller for the controller
management interface? If the profile is a non-default one, note the VLAN ID.
_______________________________________________________________________
Finally, follow the guidelines that you have learned throughout this course for
choosing how the controller connects to the switch.
6.
_______________________________________________________________________
_______________________________________________________________________
7.
_______________________________________________________________________
_______________________________________________________________________
Wireless Fundamentals
Module 3
Objectives
This module describes the 802.11 standards and the properties of radios as they
relate to wireless communications.
After completing this module, you should be able to:
Given a customer's requirements for a wireless LAN (WLAN), select the 802.11
mode (a/b/g/n) that best meets those requirements
Explain the factors, such as Effective Isotropic Radiated Power (EIRP) and
receiver sensitivity, that affect coverage and capacity
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Discussion topics
802.11 standard
Wireless cells
802.11a/b/g/n
Channels in 2.4 and 5 GHz band
802.11h
802.11n enhancements
802.11n backward compatibility
CTS-to-self
RTS/CTS
Radio properties
Antennas
Roaming
Figure 3-1: Discussion topics
You will first learn about the 802.11 standard, which governs how wireless devices
detect, associate, and communicate with each another.
Wireless cell
Area in which the AP and stations can communicate
CSMA/CA
The coverage area in which the AP and stations can communicate with each other is
called a wireless cell. To communicate, a station must be able to detect the AP's
signal, and the AP must be able to detect the station's signal. Therefore, an AP's
exact coverage area might be different for each station, depending on each one's
capabilities.
All the devices within a given cell share the same medium, the air through which the
radio signals travel, but only one signal can be transmitted at a time on the same
channel, or collisions and data loss occur. When only one user is in a cell, that user
has on-demand access to the medium. When many users are in a cell, they must
compete for airtime, which means decreased network performance.
To prevent loss of data due to simultaneous transmissions, the 802.11 standard
dictates that all wireless communications be half-duplex: only one end of the link may
transmit or receive at a time. Further, the stations use carrier sense multiple access
with collision avoidance (CSMA/CA). Before a station can transmit data, it must first
listen to determine if another station is sending data. If no other station is
transmitting, the station can begin sending its data. If another station is already
transmitting data, however, the original station must wait the amount of time specified
in the slot time parameter before trying to send a frame. (The slot time is a parameter
you can configure on the AP.) Although these guidelines allow devices to share the
same medium, they limit the throughput each
The 802.11 standard also requires certain non-negotiable overhead: data required
by the wireless system that does not form part of the relevant frame payload.
For example, a device must send an ACK frame each time it receives a frame intact.
In addition, the 802.11 header is longer than an Ethernet header; each header may
include destination, origin, and transmitter addresses, initialization vectors (IVs) for
encryption keys, and other Layer 1 and Layer 2 data.
Although individual overhead requirements may seem small, the cumulative effect
over large networks with many users is substantial. For example, in practice,
throughput may be half the theoretical value, and that is in the best of circumstances.
802.11 a/b/g/n review
Frequency band
Transmission speed
As a networking professional, you are familiar with 802.11 a/b/g/n. Take a few
minutes to review the frequency band in which each of these 802.11 modes operates
and recall each one's advertised transmission speed.
1. Which 802.11 modes operate in the 5 GHz range?
_______________________________________________________________________
_______________________________________________________________________
2.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
3.
_______________________________________________________________________
4.
Record the advertised transmission rate for each 802.11 mode below.
802.11a ________________________________________________________________
802.11b ________________________________________________________________
802.11g ________________________________________________________________
802.11n ________________________________________________________________
5.
What are common sources of interference in the 2.4 GHz range? (Refer to the
Supplemental Information about 802.11 a/b/g/n section at the end of the
module for more information.)
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
6.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
In this module, you will examine the difference between the advertised transmission
rate and the actual transmission rates. That is, you will consider the factors that affect
transmission rates.
First, however, you will consider channels and identify the channels that are non-overlapping, thereby decreasing interference.
The 2.4 GHz band is divided into 14 channels beginning at 2.412 GHz. The first 13
channels are spaced 5 MHz apart. That is, the center frequency of channel 1 is
2.412 GHz; the center frequency of channel 2 is 2.417 GHz, and so forth. Channel
14, designed specifically for Japan, has its center frequency at 2.484 GHz, 12 MHz
from channel 13's.
Of the 14 channels, Europe, Latin America, and Asia Pacific support 1 through 13,
while North America allows only channels up to 11. Japan supports all 14.
You should understand the spectral placement of 2.4 GHz channels, realizing that
signals spread up to 22 MHz from the center frequency. Because channels are
spaced only 5 MHz apart, channels overlap up to 5 channels on each side.
Dividing the spectrum into channels allows wireless APs in the same area to operate
without interfering with each other: radios are simply tuned to transmit on frequencies
that do not overlap one another at the boundaries. Because different regulatory
agencies permit different channels, the non-overlapping channels you can use will
vary, depending on your country.
As shown in the slide, wireless designers in North America typically work with
channels 1, 6, and 11 to avoid interference from overlapping channels. Wireless
designers in other regions can also use those three channels or channels 1, 7, and
13.
As long as you use non-overlapping channels, you can place your APs in close
proximity to each other and not worry about interference.
Commonly used channels in the 5 GHz band
The 802.11a standard provides more non-overlapping channels and more channels
overall than 802.11b/g. The 5 GHz frequency band is more tightly regulated than
the 2.4 GHz band, primarily because military radar devices operate in this same
frequency band. As a result, the allowed channels vary, depending on the country
where you are implementing the wireless network.
802.11a channels are spaced every 20 MHz because a single 802.11a channel
encompasses four channel numbers. For example, as the illustration shows, the center
frequency of channel 36 is 20 MHz below the center frequency of channel 40 (5.20
GHz). (Note that the illustration shows only some of the 802.11a channels.)
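The channel arithmetic in the 2.4 GHz and 5 GHz passages above (channels 5 MHz apart with 22 MHz signals, 802.11a channels 20 MHz apart) can be checked with a short script. The following Python example is added here and is not part of the HP course material. It assumes the standard 802.11 channel-number formulas (2.4 GHz channel n centered at 2407 + 5n MHz, channel 14 at 2484 MHz, 5 GHz channel n at 5000 + 5n MHz), a 22 MHz signal width for legacy 2.4 GHz (802.11b) transmissions and 20 MHz for 802.11a; the regional channel lists are the ones the text names. It goes a little beyond the slide by enumerating every non-overlapping three-channel plan per region and by showing that Japan's channel 14 allows a four-channel plan.

```python
"""
Worked example (added; not HP course code): compute 802.11 channel center
frequencies and find groups of channels whose signals do not overlap.
The channel-plan formulas and signal widths below are assumptions taken
from the 802.11 channel plans, not values given on the page.
"""
from itertools import combinations
from typing import Callable, Iterable, List, Tuple


def center_mhz_24(channel: int) -> int:
    """Center frequency (MHz) of a 2.4 GHz channel: 1-13 are 5 MHz apart
    starting at 2412 MHz; channel 14 (Japan) sits at 2484 MHz (assumed plan)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no 2.4 GHz channel {channel}")


def center_mhz_5(channel: int) -> int:
    """Center frequency (MHz) of a 5 GHz channel: 5000 + 5*n (assumed plan),
    so channel numbers four apart (36, 40, 44, ...) are 20 MHz apart."""
    if channel <= 0:
        raise ValueError(f"no 5 GHz channel {channel}")
    return 5000 + 5 * channel


def overlaps(center_a: int, center_b: int, width_mhz: int) -> bool:
    """Two equal-width signals overlap when their centers are closer than the width."""
    return abs(center_a - center_b) < width_mhz


def overlapping_neighbours(channel: int, channels: Iterable[int],
                           center_fn: Callable[[int], int] = center_mhz_24,
                           width_mhz: int = 22) -> List[int]:
    """Other channels from `channels` whose signal overlaps `channel`'s signal."""
    mine = center_fn(channel)
    return [c for c in channels
            if c != channel and overlaps(mine, center_fn(c), width_mhz)]


def non_overlapping_sets(channels: Iterable[int], center_fn: Callable[[int], int],
                         width_mhz: int, size: int) -> List[Tuple[int, ...]]:
    """All groups of `size` channels from `channels` that are mutually non-overlapping."""
    found = []
    for combo in combinations(channels, size):
        centers = [center_fn(c) for c in combo]
        if all(not overlaps(a, b, width_mhz) for a, b in combinations(centers, 2)):
            found.append(combo)
    return found


# Regional 2.4 GHz channel sets as the course text describes them.
REGIONS_24 = {
    "North America": range(1, 12),
    "Europe/Latin America/Asia Pacific": range(1, 14),
    "Japan": range(1, 15),
}


def legacy_24_plan(region: str) -> List[Tuple[int, ...]]:
    """Three-channel, non-overlapping plans for a region (22 MHz 802.11b signals)."""
    return non_overlapping_sets(REGIONS_24[region], center_mhz_24, 22, 3)


if __name__ == "__main__":
    for region in REGIONS_24:
        print(f"{region}: {legacy_24_plan(region)}")
    print("channel 6 overlaps with", overlapping_neighbours(6, range(1, 14)))
    print("5 GHz 36-48:", non_overlapping_sets([36, 40, 44, 48], center_mhz_5, 20, 4))
```

With a 22 MHz signal, two 2.4 GHz channels must be at least five channel numbers apart to avoid overlap, which is why the North American set collapses to the single plan 1, 6, 11 while regions that allow channel 13 also get plans such as 1, 7, 13. In the 5 GHz band the numbering already leaves 20 MHz between the commonly used channels, so adjacent numbered channels such as 36 and 40 do not overlap at all.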
802.11h
Defines two specifications for regulatory compliance:
Dynamic
Transmit
Because military radar devices and satellites operate in the 5 GHz frequency band,
it is more tightly regulated than the 2.4 GHz band. To prevent 802.11 devices from
interfering with military radar or satellites, the 802.11 standard was amended to
include 802.11h.
This amendment defines two mechanisms for meeting regulations:
DFS
To prevent APs from interfering with military radar, DFS is designed to help APs
detect radar and then select their channels dynamically.
Soliciting Reports
When advertising its presence, the AP also advertises its support for DFS. After
connecting to the AP, a station must send the AP the channels it supports. This
information helps the AP to choose the best channel if it must change channels.
At any time, the AP can request that a station monitor various channels for
interference and send information about interference to the AP. This information helps
the AP to determine when it must change channels.
Changing channels
If a station's report indicates that the wireless network is experiencing undue
interference, the AP decides to change the channel. Before changing the channel,
the AP first informs all connected stations of the change and when it will take
place. The AP can also suppress transmissions until the change is final.
TPC
TPC minimizes a wireless network's interference with satellite communications by
allowing you to configure a maximum transmit power for your network. This
maximum is regulated by the AP, which not only complies with the limit but also
forces stations to transmit at or below this maximum.
In addition to enforcing regulatory compliance, TPC helps conserve power, a
particularly useful feature for laptops and other stations that have limited
battery power. The AP monitors the network to ensure that power usage remains
just above the level needed to maintain adequate signal strength. If the current
signal strength falls below the fade margin (a signal strength slightly above
that at which the signal is lost), stations can raise their power as far as
necessary, up to the allowed maximum.
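The following model of the two 802.11h mechanisms is an added illustration for this
section; it is not HP MSM firmware or any code from the course. It shows a DFS
channel choice driven by the station reports described above (supported channels
and measured interference) and a TPC adjustment bounded by the regulatory maximum
and the fade margin. The channel list, the station reports and the dBm values are
constructed for the example.

```python
"""Added model of the two 802.11h mechanisms: DFS channel selection from
station reports and TPC power adjustment. All channel lists, reports and
signal levels below are constructed sample data, not regulatory tables."""

from dataclasses import dataclass, field

# Constructed 5 GHz channel plan for the example AP (not a regulatory table).
AP_CHANNELS = [36, 40, 44, 48, 52, 56, 60, 64]


@dataclass
class StationReport:
    """What a station tells the AP: the channels it supports (sent after it
    connects) and, when asked, the channels on which it measured interference."""
    name: str
    supported: set
    interference: set = field(default_factory=set)


# Constructed reports from two associated stations.
SAMPLE_REPORTS = [
    StationReport("sta-a", supported={36, 40, 44, 48, 52}, interference={36}),
    StationReport("sta-b", supported={40, 44, 52, 56}),
]


def choose_channel(ap_channels, reports, radar_detected):
    """DFS: keep only channels with no detected radar, supported by every
    associated station and free of reported interference. Returns None when
    no channel satisfies all three conditions."""
    candidates = [c for c in ap_channels if c not in radar_detected]
    for report in reports:
        candidates = [c for c in candidates
                      if c in report.supported and c not in report.interference]
    return candidates[0] if candidates else None


def tpc_adjust(current_dbm, signal_dbm, fade_margin_dbm, max_dbm, step_db=1):
    """TPC as seen from a station: raise power one step when the received
    signal is below the fade margin, lower it when the signal is comfortably
    above, and never exceed the maximum the AP announced. The 0 dBm floor and
    the 'comfortably above' band of two steps are assumptions of this model."""
    if signal_dbm < fade_margin_dbm:
        return min(current_dbm + step_db, max_dbm)
    if signal_dbm > fade_margin_dbm + 2 * step_db:
        return max(current_dbm - step_db, 0)
    return min(current_dbm, max_dbm)


if __name__ == "__main__":
    print("DFS choice with radar on 40:", choose_channel(AP_CHANNELS, SAMPLE_REPORTS, {40}))
    print("TPC from 10 dBm at -80 dBm:", tpc_adjust(10, -80, -75, 17))
```

Note that a station already transmitting at the regulatory maximum stays there
even when its signal is below the fade margin; that is the limit the AP enforces,
and the only remaining remedy is a channel change or a closer AP.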
Optional activity
Your facilitator may ask you to explore which channels are available in the 5 GHz
range in your country and, of these channels, which are affected by DFS. Turn on
your lab equipment or access the remote labs; then complete the following steps:
1. Log in to the MSM Controller's Web browser interface, using the following
   credentials:
   Username: admin
   Password: password
   (The default password is admin. You changed it in Module 2, Lab 1.)
2. Navigate to Controlled APs > <Group Name> > <AP Name> >> Configuration >
   Radio. (Select an AP that can operate in the 5 GHz range.)
3.
4.
5. Select the drop-down menu for Channel. List some of the channels that are
   marked with an asterisk (*). These are the channels that support DFS.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
6. Navigate to Controlled APs > <Group Name> >> Configuration > Country.
7.
8. If you are using a remote lab environment, the country code is probably the
   United States. Select the country in which you reside.
9. Click Save.
10. Navigate to Controlled APs > <Group Name> > <AP Name> >> Configuration >
    Radio. (Select an AP that can operate in the 5 GHz range.)
11. Select the radio that supports the 5 GHz range.
12. Select the drop-down menu for Channel. Have the number of available channels
changed? Are the DFS channels different?
_______________________________________________________________________
_______________________________________________________________________
13. Return the country code to its original setting.
    a. Navigate to Controlled APs > <Group Name> >> Configuration > Country.
    b.
802.11n enhancements
Figure 3-7: 802.11n enhancements
- Dual-band standard
- Channel bonding
- MIMO
- Band steering
- Beamforming
Channel bonding
With 802.11n you can combine two adjacent 20 MHz channels into a single 40 MHz
channel. Bandwidth for a particular WLAN is more than doubled because the guard
band between the two 20 MHz channels can be removed when they are bonded. (The
guard band is used to prevent interference between channels.)
Channel bonding is typically used in the 5 GHz frequency band because it has more
non-overlapping channels. Because the 2.4 GHz frequency band has only three
non-overlapping 20 MHz channels, bonding two 20 MHz channels leaves only one
non-overlapping channel.
802.11n: MIMO and spatial streaming
Another reason 802.11n can achieve such high transmission rates is its multiple-input,
multiple-output (MIMO) antenna design. MIMO algorithms in a radio chipset send
data out over two to four antennas. Signals from each transmitter can reach the
target receiver via a unique path.
MIMO devices can have two to four transmitters and one to four receivers. For
example, if a device has two transmitters and one receiver, it would be described as
having a 2 x (by) 1 configuration. If a device had three transmitters and three
receivers, it would have a 3 x 3 configuration.
Because APs send data to multiple wireless stations, they typically have three or four
transmitters. Wireless stations, on the other hand, usually receive more data than they
send and thus have a 2 x 3 configuration.
802.11n can use MIMO for several purposes. One important purpose is spatial
multiplexing, that is, sending multiple data streams in the same channel to
multiply the throughput of the radio. In Module 1, you learned that HP offers
MSM APs that support two or even three spatial streams. Other factors being
equal, a radio operating with two spatial streams transmits at twice the data
rate of a radio using a single spatial stream. Similarly, three spatial streams
triple the data rate.
Spatial multiplexing works best if the paths are spatially distinct, resulting in
received signals that are uncorrelated. Thus, while traditional 802.11 networks
degrade in the presence of multipath (a propagation phenomenon by which multiple
radio signals reach receiving antennas by bouncing off objects along the way),
multipath helps decorrelate the 802.11n channels, enhancing the operation of
spatial multiplexing. The signals are recombined on the receiving side by the
MIMO algorithms, dramatically improving wireless performance and reliability.
Traditionally, when reflections combine, they distort the signal at the receiver. The
MIMO receivers, however, consistently process each multipath component, thereby
eliminating the mixture of out-of-phase components that would normally result in
signal distortion.
802.11n: transmit beamforming
- Increases throughput by improving the quality of the signal sent to stations
Another use for MIMO is beam forming, which is designed to optimize the quality of
the wireless signal for each individual station.
The HP MSM430, MSM460, and MSM466 support a standards-based implementation of
transmit beamforming (which is also called chip-based beamforming).
With transmit beamforming, the AP radio sends multiple copies of the same data
from an array of transmitter antennas. However, it adjusts the magnitude and
phase for each transmitter. The AP calculates these adjustments such that, after
following their different paths to the receiver, the signals reinforce each
other, increasing the clarity of the signal. Thus, beamforming can increase
range; a station can detect the AP's signal farther from the AP. Because the
quality of the signal also determines which data rate a station can use,
beamforming can also improve throughput. At the same distance from the AP, the
station can transmit and receive data at a higher rate.
The AP determines how to phase shift the data correctly for a specific receiver
using sounding packets. The AP sends a signal to the station ("Where are you?")
and listens for a response ("I'm right here").
The MSM APs support explicit beamforming. With explicit beamforming, the
transmitter (in this case, the AP) receives direct feedback from the receiver,
the station, and uses this feedback to maximize the phase alignment of signals
and their reflections. The station that is receiving the signal must support
beamforming. Because the station has an open channel to the AP, the station can
provide feedback about how well it is receiving signals (signal path, phase
shift, and so on). In this way, the AP can more quickly and accurately assess
the optimal beam to use.
Because beamforming requires multiple transmitters that send the same data, those
transmitters cannot be used for different spatial streams at the same time. Therefore,
an MSM430, MSM460, or MSM466 radio can send data over up to two spatial
streams with beamforming (or up to three spatial streams without beamforming). If
range is an issue, the APs can transmit over one or two spatial streams, with
beamforming taking place on the other antenna. In environments where the AP is
running three spatial streams, stations that are closer to the AP can achieve higher
throughput rates without beamforming.
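The following is an added illustration of the phase alignment that explicit
beamforming performs; it is not MSM code and not part of the course. Each antenna
transmits the same symbol, each path adds its own phase shift, and the receiver sees
the sum. With the per-path phases the station reports in its feedback, the AP
pre-rotates each transmitter by the opposite phase so that all copies arrive in
phase. The path phases and gains are constructed values standing in for real
feedback.

```python
"""Added illustration of transmit beamforming as phase pre-compensation.
PATH_PHASES and PATH_GAINS are constructed stand-ins for what the station
would report in explicit beamforming feedback."""

import cmath
import math

# Constructed per-antenna path phase (radians) and gain for a 3-antenna AP.
PATH_PHASES = [0.0, 2.2, 4.0]
PATH_GAINS = [1.0, 0.8, 0.9]


def received_amplitude(tx_phases, path_phases=PATH_PHASES, path_gains=PATH_GAINS):
    """Magnitude of the sum at the receiver. Every antenna sends the same
    unit-amplitude symbol, rotated by its transmit phase and then by the phase
    its path adds, and scaled by the path gain. Out-of-phase copies cancel;
    in-phase copies add."""
    total = 0j
    for tx, path, gain in zip(tx_phases, path_phases, path_gains):
        total += gain * cmath.exp(1j * (tx + path))
    return abs(total)


def steering_phases(path_phases):
    """With explicit feedback the AP knows each path's phase and transmits at
    the negative of it, so every copy arrives at phase zero."""
    return [-p for p in path_phases]


def beamforming_gain_db(path_phases=PATH_PHASES, path_gains=PATH_GAINS):
    """Improvement (dB) of the steered transmission over sending the same
    symbol from all antennas with no phase adjustment."""
    n = len(path_phases)
    plain = received_amplitude([0.0] * n, path_phases, path_gains)
    steered = received_amplitude(steering_phases(path_phases), path_phases, path_gains)
    return 20 * math.log10(steered / plain)


if __name__ == "__main__":
    print("unsteered amplitude:", round(received_amplitude([0.0, 0.0, 0.0]), 3))
    print("steered amplitude:  ", round(received_amplitude(steering_phases(PATH_PHASES)), 3))
    print("gain:", round(beamforming_gain_db(), 1), "dB")
```

The steered amplitude equals the sum of the path gains, which is the best any
combination can achieve; that ceiling is also why the text notes that antennas
used for beamforming are not available for additional spatial streams, since they
are all carrying the same symbol.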
802.11n: band steering
Figure 3-11: 802.11n: band steering
Encourages stations to use 5 GHz:
- When a station tries to associate with the AP on the 2.4 GHz band, the AP:
  - Waits 200 ms before responding to a probe request
  - Denies the station's first association request
- After the station is associated with the AP, it does not respond to the
  station's probe requests on the 2.4 GHz band.
- Reduces the number of stations using the more crowded 2.4 GHz band
- Ensures that stations are using the band recommended for 802.11n, 5 GHz
To support band steering, APs must have two radios, which support 802.11n. The
MSM430, MSM460, and MSM466 all support band steering.
When you enable band steering, the MSM APs try to encourage stations that support
both 2.4 and 5 GHz to move to the 5 GHz band, as follows:
- The AP waits 200 ms before responding to the first probe request sent by a
  station using the 2.4 GHz band.
- If the AP detects that the station is capable of transmitting at 5 GHz, the AP
  refuses the first association request sent by the station (which is using the
  2.4 GHz band).
Keep in mind that the APs can only encourage the stations to use the 5 GHz band.
The stations control whether they actually use 5 GHz.
After the station has moved to the 5 GHz band and associated with the AP, the AP
will not respond to any 2.4 GHz probes from the station as long as the station's
signal strength at 5 GHz is greater than -80 dBm. If the client's signal strength
falls below -80 dBm, however, the AP will respond to 2.4 GHz probes from the
station without delay.
To support band steering, the VSC must be bound to the MSM430, MSM460, and
MSM466. One radio must be configured for 2.4 GHz operation and the other for 5
GHz operation.
If the radio configured for 5 GHz operation reaches its maximum number of
supported clients, the AP will temporarily stop using band steering.
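The following simulation of the band-steering decisions listed above is added for
this section; it is not MSM code. The 200 ms probe delay, the refusal of the first
2.4 GHz association, the -80 dBm threshold and the suspension of steering when the
5 GHz radio is full are the behaviours the text describes. The station MACs, signal
levels and client limit are constructed, and the model assumes the AP learns that a
station is 5 GHz-capable by hearing it probe on the 5 GHz band.

```python
"""Added simulation of band steering as described in the text. Station
addresses, RSSI values and the client limit are constructed; the way the AP
detects 5 GHz capability (hearing a 5 GHz probe) is an assumption."""

from dataclasses import dataclass, field

PROBE_DELAY_MS = 200        # delay before answering a station's first 2.4 GHz probe
RSSI_THRESHOLD_DBM = -80    # below this 5 GHz signal, 2.4 GHz probes are answered at once


@dataclass
class BandSteeringAP:
    max_5ghz_clients: int
    seen_on_5ghz: set = field(default_factory=set)   # MACs heard probing on 5 GHz
    probed_24: set = field(default_factory=set)      # MACs whose first 2.4 GHz probe was delayed
    refused_once: set = field(default_factory=set)   # MACs refused once on 2.4 GHz
    assoc_5ghz: dict = field(default_factory=dict)   # MAC -> last 5 GHz signal (dBm)

    def steering_active(self):
        """Steering is suspended while the 5 GHz radio is at its client limit."""
        return len(self.assoc_5ghz) < self.max_5ghz_clients

    def probe_delay_ms(self, mac, band):
        """Delay before answering a probe request; None means no answer."""
        if band == "5":
            self.seen_on_5ghz.add(mac)
            return 0
        if not self.steering_active():
            return 0
        if mac in self.assoc_5ghz:
            # Station already on 5 GHz: stay silent on 2.4 GHz while its 5 GHz
            # signal is above the threshold; answer at once if it has faded.
            return None if self.assoc_5ghz[mac] > RSSI_THRESHOLD_DBM else 0
        if mac in self.probed_24:
            return 0
        self.probed_24.add(mac)
        return PROBE_DELAY_MS

    def association(self, mac, band, rssi_dbm=None):
        """Decision on an association request: 'accepted' or 'refused'."""
        if band == "5":
            self.assoc_5ghz[mac] = rssi_dbm
            return "accepted"
        if (self.steering_active() and mac in self.seen_on_5ghz
                and mac not in self.refused_once):
            self.refused_once.add(mac)
            return "refused"
        return "accepted"

    def update_5ghz_rssi(self, mac, rssi_dbm):
        """Record the current 5 GHz signal of an associated station."""
        if mac in self.assoc_5ghz:
            self.assoc_5ghz[mac] = rssi_dbm


if __name__ == "__main__":
    ap = BandSteeringAP(max_5ghz_clients=2)
    ap.probe_delay_ms("aa:aa:aa:aa:aa:02", "5")
    print("dual-band station, first 2.4 GHz association:", ap.association("aa:aa:aa:aa:aa:02", "2.4"))
    print("same station, second attempt:", ap.association("aa:aa:aa:aa:aa:02", "2.4"))
```

The second attempt is accepted because, as the text says, the AP can only
encourage a move to 5 GHz; a station that insists on 2.4 GHz still gets service,
and a station never heard on 5 GHz is never refused at all.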
802.11n backward compatibility
- Pure mode
- Compatibility modes: 802.11n/a mode, 802.11n/g, 802.11n/b/g
- Legacy
When you implement an 802.11n network, you must determine how the AP will
support legacy devices. Because 802.11 a/b/g stations cannot hear 802.11n
stations, these legacy stations may transmit at the same time 802.11n stations are
transmitting.
For the best performance, you should use the pure 802.11n mode.
- Pure 802.11n mode: Use this mode if you do not want legacy stations using the
  same frequency band that is set for the 802.11n AP. When an MSM AP implements
  this mode for one of its radios, legacy stations cannot associate with that
  radio. The MSM APs still direct stations to transmit their CTS-to-self frames
  in protected mode; however, the APs themselves do not do so.
- 802.11n/a mode, 802.11n/g, or 802.11n/b/g: Use one of these modes if you want
  the AP to support legacy stations as well as 802.11n stations. The AP
  advertises protection in the beacon when legacy clients are associated or
  operating on the same channel. This notification alerts 802.11n stations to
  use protection mechanisms (such as RTS/CTS or CTS-to-self) when sending
  802.11n data. These protection mechanisms eliminate the disruption that legacy
  stations might otherwise cause.
CTS-to-self
- CTS-to-self protection frames alert legacy stations to transmissions.
CTS-to-self introduces less overhead, so you should usually choose it unless you have
a reason otherwise (as explained on the next page).
With CTS-to-self, a station that needs to transmit protected data first sends a CTS
frame to its own MAC address. This CTS frame uses modulation understood by the
legacy standard (802.11b or 802.11g). Thus all stations will then wait the amount of
time specified in the CTS frame before once again contending for control of the
medium.
Even if you do not want the radio itself to support legacy clients (you disable the
legacy supported rates), you might still enable protection. This ensures that
neighboring legacy stations outside of your control do not introduce collisions.
RTS/CTS
- Another protection mechanism
- Higher overhead
- Solution for hidden node
The RTS/CTS mechanism achieves the same goals, but involves more overhead.
Nonetheless, it might be required in some environments, such as ones with hidden
node problems.
Hidden node occurs when two stations, which are in range of an AP, are located too
far away from each other to detect each other's CTS-to-self frames. This problem
can also occur if a station is located behind a wall. Whatever the cause, the two
stations cannot detect each other's CTS frames and transmit simultaneously,
causing a collision at the AP. In the shared wireless medium, the collision
causes both stations to retransmit, resulting in lower throughput.
With RTS/CTS, a station must initiate a transmission by sending an RTS frame to
the receiving station, in this case, the AP. The AP responds with a CTS frame,
which signals the sending station that it can begin transmitting its data frame.
The CTS frame also notifies other stations that they cannot transmit for the
time period specified in the CTS frame. While other stations wait for the amount
of time specified in the CTS frame, the station that initiated the RTS/CTS
process transmits its data frame.
Just as for CTS-to-self frames, you must consider whether to use protection for the
RTS/CTS frames. That is, stations and APs might need to send the RTS/CTS frames at
a data rate supported by all stations in the cell (including legacy stations).
Although RTS/CTS eliminates the need for stations to retransmit frames, it imposes its
own overhead on the wireless network. When RTS/CTS is enabled, the throughput
on an 802.11g network might fall below 20 percent of the theoretical maximum
throughput. However, if the collisions and retransmissions have reduced the
maximum throughput even lower, RTS/CTS may affect performance less than the
collisions do.
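The following model of the two protection mechanisms is added for this section and
is not MSM code. It reproduces the hidden-node case from the text: stations A and B
both hear the AP but not each other, so A's CTS-to-self never reaches B, whereas the
AP's CTS in the RTS/CTS exchange does. The topology and the airtime units are
constructed.

```python
"""Added model of CTS-to-self versus RTS/CTS on a constructed hidden-node
topology. Each control frame carries a Duration; nodes that hear it set
their NAV (virtual carrier sense) and defer for that long."""

from dataclasses import dataclass


@dataclass
class Node:
    name: str
    hears: set               # names of transmitters this node can receive
    nav_until: float = 0.0   # medium is reserved (from this node's view) until this time


class Medium:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}

    def control_frame(self, sender, duration, now, addressee=None):
        """An RTS or CTS reserves the medium: every node that hears the sender,
        except the frame's addressee, extends its NAV to now + duration."""
        for node in self.nodes.values():
            if node.name in (sender, addressee):
                continue
            if sender in node.hears:
                node.nav_until = max(node.nav_until, now + duration)

    def stations_deferring(self, at, exclude=()):
        return {n.name for n in self.nodes.values()
                if n.nav_until > at and n.name not in exclude}


def cts_to_self(medium, sender, data_airtime, now=0.0):
    """The sender reserves the medium itself; only nodes that hear the sender
    learn of the reservation. Returns when the data frame starts."""
    medium.control_frame(sender, data_airtime, now)
    return now


def rts_cts(medium, sender, ap, data_airtime, now=0.0, ctl_airtime=0.05):
    """The sender's RTS asks the AP; the AP's CTS reserves the medium for every
    node in the AP's range, including nodes hidden from the sender."""
    medium.control_frame(sender, ctl_airtime + data_airtime, now, addressee=ap)
    medium.control_frame(ap, data_airtime, now + ctl_airtime, addressee=sender)
    return now + ctl_airtime


def hidden_node_topology():
    """Constructed cell: A and C hear each other; B hears only the AP."""
    return Medium([
        Node("AP", hears={"A", "B", "C"}),
        Node("A", hears={"AP", "C"}),
        Node("B", hears={"AP"}),           # hidden from A
        Node("C", hears={"AP", "A"}),
    ])


def protected_stations(mechanism, data_airtime=1.0):
    """Which other stations are still deferring halfway through A's data frame."""
    medium = hidden_node_topology()
    if mechanism == "cts-to-self":
        start = cts_to_self(medium, "A", data_airtime)
    elif mechanism == "rts/cts":
        start = rts_cts(medium, "A", "AP", data_airtime)
    else:
        raise ValueError(mechanism)
    return medium.stations_deferring(start + data_airtime / 2, exclude=("A", "AP"))


if __name__ == "__main__":
    for mechanism in ("cts-to-self", "rts/cts"):
        print(mechanism, "keeps quiet:", sorted(protected_stations(mechanism)))
```

With CTS-to-self only C defers, so B is free to transmit into A's frame and the
collision the text describes happens at the AP; with RTS/CTS both B and C defer, at
the cost of the extra control frame on the air.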
Discussion topics
- 802.11 standard
- Wireless network operating system modes
- Radio properties
- Antennas
- Roaming
You will now learn about the guidelines the 802.11 standard provides for using the
wireless medium to establish communications among devices.
Activity: Identifying modes and IDs
If your facilitator asks you to complete this activity, you will work in a group to
answer one or more of the following questions. You can use the materials in this
section as needed to answer the questions.
1. What is the difference between infrastructure mode and ad hoc mode? What
   kind of danger can ad hoc networks pose for companies?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
2. What is in-cell relay mode? What is this feature called on HP MSM APs?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
3. Draw an ESS and a BSS in the blank space provided below and on the
   following page.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
4. What is an ESSID?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
5.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Ad hoc mode
- Peer-to-peer connection between two or more stations
Infrastructure mode
Infrastructure mode is the most common deployment for wireless networks. In this
mode, stations do not communicate with each other directly; the AP handles all
communication among wireless stations and controls the security and speed
parameters for the network.
In addition to connecting wireless stations to each other, the AP is connected to a
wired network. As the interface between the wired and the wireless network, the AP
receives wireless traffic from stations and forwards it on to the wired network.
Likewise, the AP receives and forwards traffic that is being sent from the wired
network to the wireless stations.
In-cell relay mode
In-cell relay mode is more commonly called a wireless bridge or wireless distribution
system (WDS). When functioning in this mode, an AP connects two or more network
segments, which can be different segments of a LAN or unconnected wireless
networks.
In infrastructure mode, APs simply bridge traffic to wireless stations; the wired
network provides the distribution system for transmitting traffic from wireless stations
to its ultimate destination. With in-cell relay mode, the wireless medium becomes a
distribution system as well, operating as if it were a wired infrastructure.
You will learn about the MSM APs' wireless bridge feature, which is called
wireless mesh, later in this course.
Any one or more stations and their AP compose a basic service set (BSS). Each BSS
has a unique, 48-bit identifier called the BSSID, which is usually the MAC address
of the AP's wireless interface (its radio).
Every frame transmitted to and from the stations in a BSS contains the BSSID in
the frame header, identifying the frame as belonging to a particular AP's
coverage area. The BSSID distinguishes the BSS from others and increases
efficiency by allowing the AP and stations to ignore frames not belonging to
their BSS.
When a new station joins a cell, it appends the AP's BSSID to all frames as the
receiver address in the 802.11 header.
HP MSM APs logically separate their services. Each radio supports a different
BSSID for each VSC bound to it. For example, when the radio's MAC address is
2c:41:38:db:01:00, the BSSID associated with a particular VSC might be
2c:41:38:db:01:01.
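The following example is added to illustrate the two points above, per-VSC BSSIDs
and BSSID-based filtering; it is not MSM code. Deriving each VSC's BSSID by
incrementing the last byte of the radio MAC is an assumption that matches the one
example in the text, not a documented MSM rule. The MAC header layout used (frame
control, duration, three addresses, sequence control) is the standard 802.11
data-frame header, and the frames are constructed.

```python
"""Added illustration: per-VSC BSSIDs derived from a radio MAC (assumed
scheme) and filtering of constructed 802.11 data frames by the receiver
address, which carries the BSSID for station-to-AP traffic."""

import struct


def parse_mac(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def format_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def vsc_bssids(radio_mac, vsc_count):
    """BSSIDs for the VSCs bound to one radio. Assumption: the last byte of
    the radio MAC is incremented once per VSC."""
    base = bytearray(parse_mac(radio_mac))
    bssids = []
    for i in range(1, vsc_count + 1):
        derived = bytearray(base)
        derived[5] = (base[5] + i) & 0xFF
        bssids.append(format_mac(derived))
    return bssids


def build_data_frame(receiver, transmitter, addr3, body, duration=0):
    """Minimal 802.11 data frame: 24-byte MAC header then the body.
    Frame control 0x0008 = type Data, subtype 0, no flags (little-endian)."""
    header = (struct.pack("<HH", 0x0008, duration)
              + parse_mac(receiver) + parse_mac(transmitter) + parse_mac(addr3)
              + struct.pack("<H", 0))       # sequence control
    return header + body


def parse_header(frame):
    frame_control, _duration = struct.unpack_from("<HH", frame, 0)
    return {
        "type": (frame_control >> 2) & 0x3,     # 0 management, 1 control, 2 data
        "addr1": format_mac(frame[4:10]),       # receiver address
        "addr2": format_mac(frame[10:16]),      # transmitter address
        "addr3": format_mac(frame[16:22]),
        "body": frame[24:],
    }


def frames_for_bss(frames, bssid):
    """A station-to-AP frame carries the BSSID as its receiver address (addr1);
    frames addressed to another BSS are dropped without further processing."""
    return [h for h in map(parse_header, frames) if h["addr1"] == bssid]


if __name__ == "__main__":
    print(vsc_bssids("2c:41:38:db:01:00", 3))
```

Two VSCs on the same radio therefore look like two separate APs to a station, and
the radio sorts incoming frames into the right VSC by the address alone.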
Several BSSs, each with its own BSSID specifying the AP, may belong to the same
Extended Service Set (ESS). That is, even though the networks may be spatially
separate, they behave as if they are part of the same network.
This figure illustrates several BSSs composing one ESS. For ease of illustration, the
BSSs are spatially separated, but they need not be. In actual wireless networks, some
overlap is desirable to enable roaming.
Each ESS has a unique, 48-bit identifier called the ESSID, which functions as the
network's name. Although ESSID is more precise, the industry commonly uses the
general term SSID to signify the network name. Because it is the more common
term, this course uses SSID as the identifier for the ESS.
Like the BSSID, the SSID is included in the 802.11 header of every frame transmitted
on a wireless network.
An ESS can also be called a WLAN, which defines various settings for the ESS such
as the SSID and security options. On HP MSM products, you define the WLAN
settings in a VSC, for the most part in the Virtual AP settings. However, you define
the security settings within other sections of the VSC.
Discussion topics
Figure 3-23: Discussion topics
- 802.11 standard
- Wireless network operating system modes
- 802.11 authentication and association
  - Passive and active scanning on 802.11 networks
  - Overview of 802.11 authentication and association
  - 802.11 authentication
  - 802.11 association
  - Review activity
- Radio properties
- Antennas
- Roaming
You will now learn about the 802.11 guidelines that determine how a station
associates with an AP.
Before a station can authenticate and associate with an AP, it must know that the
AP is within range and which WLAN or WLANs the AP supports. To discover this
information, a station uses one of the following processes:
Passive scanning
In passive scanning, stations listen for beacon frames from APs within range. APs
broadcast beacons at regular intervals. These management frames contain
information to help the station begin the 802.11 authentication and association
process. For example, beacons include information such as the following:
- SSID
- Timestamps, which allow the station to synchronize its clock with the AP's
Because stations do not transmit frames during passive scanning, it saves
battery power.
A station can also listen for beacon frames on all supported channels. This type
of passive scanning is called sweeping.
Active scanning
In active scanning (also called probing), stations send probe request frames on
each channel. Stations can send probe request frames to locate a particular SSID
or to ask for all supported SSIDs within range.
APs within range operating on that channel send a probe response frame
containing information about their capabilities, data rates, and so on.
Overview of 802.11 authentication and association
When a station detects that APs are within range and wireless network access is
available, the station begins the process of joining the network.
The station must complete two processes outlined in the 802.11 standard:
- 802.11 authentication
- 802.11 association
802.11 authentication
When the 802.11 standard was accepted in 1997, it outlined two different types of
authentication:
- Open-system authentication
- Shared-key authentication
802.11 association
If the 802.11 authentication is successful, the station associates with the AP.
Supplemental authentication
Because the two 802.11 authentication options cannot adequately secure wireless
networks, additional, or supplemental, authentication methods are required to:
Ensure that only authorized users are allowed to access the network
802.11 authentication
Open-system authentication
As the name implies, open-system authentication allows any station to be validated
by the AP. The station is not required to submit any login credentials or secrets to
complete this process successfully.
The station always initiates the open-system authentication process, which consists of
two frames. The station sends the AP an authentication request frame, which
contains its MAC address and a value indicating the open-system authentication
method.
The AP responds with an authentication response frame that contains the result of
the request. Typically, the result is successful authentication, and the station can
move to the next step: association.
At this point in the connection process, the station is authenticated but not yet
associated. It cannot yet send data to the wired network.
Shared-key authentication
Shared-key authentication is the original 802.11 authentication, which is also known
as Wired Equivalent Privacy, or WEP. With shared-key authentication, each device
must have the same key, which enables the device to encrypt and decrypt data
contained in frames. To join the network, a station must prove to the AP that it has
the correct key and should therefore be granted network access.
When shared-key authentication is configured, the station and the AP exchange the
following frames:
1. The station issues an authentication request frame, which contains the
   station's MAC address and a value indicating shared-key authentication.
2.
3. Using the key it should already possess, the station encrypts the challenge
   text from the AP and sends it to the AP.
4. Using the same key, the AP decrypts the challenge text received from the
   station. If the decrypted challenge text matches that sent in the second
   frame, the authentication is successful. The AP then sends the final frame
   in the exchange, indicating authentication success or failure.
If successful, the station is now authenticated but not yet associated and cannot yet
send data to the wired network. The station can proceed to the 802.11 association
process.
Although the IEEE designed shared-key authentication to provide tight security, it
failed to live up to this promise. WEP's shared-key encryption method was easy to
crack from the beginning, and with widely available freeware circulating on the
Internet, it is even easier to crack today. As a result, IEEE and the Wi-Fi
Alliance have formally disapproved this encryption option, although it remains
available as part of the 802.11 standard to ensure backward compatibility.
In contemporary networks, open-system authentication is the preferred option. You
can then allow stations to associate without imposing any additional authentication
methods, or you can implement some form of supplemental authentication that will
actually secure the wireless communications.
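The following end-to-end model is added for this section and ties together the
scanning process described earlier (beacons and probe requests) with the
open-system and shared-key authentication exchanges and association. It is not MSM
code. The AP, SSIDs, station addresses and key are constructed. Where the text says
the station "encrypts the challenge text", this model substitutes an HMAC over the
challenge as a stand-in proof of key possession; it is not an implementation of WEP.

```python
"""Added model of a station joining a BSS: active scan, 802.11 authentication
(open system or shared key), then association. The HMAC over the challenge is
a stand-in for the encryption step of shared-key authentication, not WEP."""

import hashlib
import hmac
import os
from dataclasses import dataclass, field

OPEN_SYSTEM, SHARED_KEY = 0, 1


@dataclass
class AccessPoint:
    bssid: str
    ssid: str
    channel: int
    auth_mode: int = OPEN_SYSTEM
    key: bytes = b""
    challenges: dict = field(default_factory=dict)    # station MAC -> outstanding challenge
    authenticated: set = field(default_factory=set)
    associated: set = field(default_factory=set)

    def beacon(self):
        """Management frame broadcast at regular intervals (passive scanning)."""
        return {"bssid": self.bssid, "ssid": self.ssid, "channel": self.channel}

    def probe_response(self, channel, ssid=None):
        """Answer a probe request heard on `channel`; ssid=None is the
        wildcard probe asking for all SSIDs."""
        if channel == self.channel and ssid in (None, self.ssid):
            return self.beacon()
        return None

    def authenticate(self, station, algorithm, proof=None):
        """Open system: request -> success. Shared key: request -> challenge,
        then proof -> success or failure. Returns the AP's response frame."""
        if algorithm != self.auth_mode:
            return {"status": "failure"}
        if algorithm == OPEN_SYSTEM:
            self.authenticated.add(station)
            return {"status": "success"}
        if proof is None:                                  # frame 1 -> frame 2
            self.challenges[station] = os.urandom(16)
            return {"status": "challenge", "challenge": self.challenges[station]}
        challenge = self.challenges.pop(station, None)     # frame 3 -> frame 4
        expected = hmac.new(self.key, challenge or b"", hashlib.sha256).digest()
        if challenge is not None and hmac.compare_digest(expected, proof):
            self.authenticated.add(station)
            return {"status": "success"}
        return {"status": "failure"}

    def associate(self, station, ssid):
        """Only an authenticated station may associate."""
        if station in self.authenticated and ssid == self.ssid:
            self.associated.add(station)
            return {"status": "success"}
        return {"status": "refused"}

    def forwards_data_for(self, station):
        """Authenticated-but-not-associated stations cannot reach the wired network."""
        return station in self.associated


def active_scan(aps, channels, ssid=None):
    """Send a probe request on each channel and collect the probe responses."""
    found = []
    for channel in channels:
        for ap in aps:
            response = ap.probe_response(channel, ssid)
            if response is not None:
                found.append(response)
    return found


def join(aps, channels, station, ssid, key=b""):
    """Station-side procedure: scan, authenticate (using the AP's advertised
    method), associate. Returns the state reached."""
    found = active_scan(aps, channels, ssid)
    if not found:
        return "not_found"
    ap = next(a for a in aps if a.bssid == found[0]["bssid"])
    reply = ap.authenticate(station, ap.auth_mode)
    if reply["status"] == "challenge":
        proof = hmac.new(key, reply["challenge"], hashlib.sha256).digest()
        reply = ap.authenticate(station, SHARED_KEY, proof)
    if reply["status"] != "success":
        return "auth_failed"
    if ap.associate(station, ssid)["status"] != "success":
        return "auth_only"
    return "associated"


if __name__ == "__main__":
    aps = [AccessPoint("2c:41:38:db:01:01", "corp", 36)]
    print(join(aps, [36, 40], "00:11:22:33:44:55", "corp"))
```

The model keeps the two states the text distinguishes: a station that has only
completed 802.11 authentication is not forwarded to the wire until it also
associates, and an association request from a station that never authenticated is
refused.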
802.11 association
Review activity
Answer questions.
Answer the following questions. If you cannot easily answer a question, review the
material in this section to ensure that you thoroughly understand the related concept.
1.
_______________________________________________________________________
2.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
3.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
4.
_______________________________________________________________________
Discussion topics
802.11 standard
Wireless network operating system modes
Antennas
Roaming
Figure 3-29: Discussion topics
The next section focuses on specific radio properties that you should understand
when implementing a wireless network.
Coverage and capacity
Coverage: providing wireless signal where it is required
Capacity: ensuring the wireless cell can support the required throughput
When implementing a wireless network, you must consider both coverage and capacity. You will now consider the factors that affect both.
Frequency
Receiver sensitivity
Number of stations
Operating mode
Antenna
Transmit power
In this course, wireless cells are shown as a simple circle, with the radio signal
radiating out equally in all directions from the transmitter. In reality, coverage is not
at all uniform. RF signals attenuate, or weaken, while traveling through the air and
change more drastically as they travel through or bounce off objects. You must
consider many factors when calculating coverage and capacity.
Frequency (channel)
Operating mode
The operating mode can affect capacity because 802.11n provides higher data rates than 802.11g or 802.11a, which both provide higher data rates than 802.11b. In addition, 802.11n can sometimes improve coverage through features such as beamforming.
Together these factors determine the areas where a wireless station can communicate successfully with the AP, in effect, the coverage. In addition, they affect the SNR of stations' connections to the AP, which in turn determines the data rates that are available over a particular area. Thus you must consider these factors when planning adequate capacity for an area.
Measuring wireless power
Measured in dBm (decibels relative to 1 mW), which are related to milliwatts (mW) logarithmically
Rule of 3s: adding 3 dB doubles the power
Understanding how power is measured in a wireless environment helps you plan the correct transmit power based on distances between devices and receiver sensitivity.
The standard measurement of power in wireless communication is dBm, which stands for decibels above one milliwatt: a ratio measuring the power of a wireless signal relative to watts, a more familiar power measurement.
In other words, 1 mW is the baseline measurement of power in a wireless network environment and equals 0 dBm. Positive dBm values are greater than 1 mW, and negative dBm values are less than 1 mW.
Keep in mind that dBm are relative units. As a result, negative dBm values do not indicate negative power or signal loss; instead, a negative dBm value simply means decibels below one mW. (For example, radio receiver sensitivity, which is the lowest power at which the receiver can still distinguish the signal, is often expressed as a negative dBm value.)
Watts and dBm have a logarithmic relationship, as illustrated in the diagram above. (The precise equation is P(dBm) = 10 log10(P(mW) / 1 mW).)
An increment of 10 dB equates to a tenfold increase in power. Because the baseline power is 1 mW, 10 dBm is 10 mW (10 times the power of 1 mW), 30 dBm is 1 W (1000 times the power of 1 mW), and so forth. Remember these rules: the rule of 10s (adding 10 dB multiplies the power by 10) and the rule of 3s (adding 3 dB doubles the power).
You might consider memorizing one point in the relationship, such as 1 Watt = 30
dBm, and then using the rule of 10s or the rule of 3s to make rough conversions
without a calculator.
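The exact dBm conversion and the rule-of-10s/rule-of-3s shortcut side by side, as an added example (not course material). The function names and the sample power levels are constructed; the shortcut routine also reports how far the mental estimate is from the exact value, which is the check to run before trusting a rough conversion in a link budget.

```python
"""dBm and milliwatt conversions for wireless link planning.

Added example; not part of the course material. Function names and the
sample power levels are constructed for illustration.
"""
import math


def mw_to_dbm(power_mw: float) -> float:
    """Exact conversion: P(dBm) = 10 * log10(P(mW) / 1 mW)."""
    if power_mw <= 0:
        raise ValueError("power in mW must be positive")
    return 10.0 * math.log10(power_mw)


def dbm_to_mw(power_dbm: float) -> float:
    """Exact inverse: P(mW) = 10 ** (P(dBm) / 10)."""
    return 10.0 ** (power_dbm / 10.0)


def ratio_db(p_in_mw: float, p_out_mw: float) -> float:
    """Gain (positive) or loss (negative) between two powers, in plain dB.

    dB is a ratio; dBm is that ratio taken against a fixed 1 mW reference.
    """
    return 10.0 * math.log10(p_out_mw / p_in_mw)


def rough_dbm_to_mw(power_dbm: int) -> float:
    """Mental-arithmetic estimate using only the rule of 10s and the rule of 3s.

    Start at the anchor 0 dBm = 1 mW, then for each full 10 dB multiply (or
    divide) by 10 and for each remaining 3 dB multiply (or divide) by 2.
    Any remainder under 3 dB is ignored, so the estimate may be off by up to
    a factor of 2; it is close only for sums of 10s and 3s, and even then
    carries the small error of 3 dB being 1.995x rather than exactly 2x.
    """
    estimate = 1.0
    going_up = power_dbm >= 0
    remaining = abs(power_dbm)
    while remaining >= 10:
        estimate = estimate * 10 if going_up else estimate / 10
        remaining -= 10
    while remaining >= 3:
        estimate = estimate * 2 if going_up else estimate / 2
        remaining -= 3
    return estimate


def rough_estimate_error_pct(power_dbm: int) -> float:
    """Percentage error of the mental-arithmetic estimate against the exact value."""
    exact = dbm_to_mw(power_dbm)
    return abs(rough_dbm_to_mw(power_dbm) - exact) / exact * 100.0


if __name__ == "__main__":
    # Constructed sample values: an AP transmit power, the 0 dBm anchor, a
    # received signal level and a typical receiver-sensitivity figure.
    for dbm in (23, 0, -58, -94):
        print(f"{dbm:4d} dBm = {dbm_to_mw(dbm):.3e} mW "
              f"(rule-of-thumb {rough_dbm_to_mw(dbm):.3e} mW, "
              f"{rough_estimate_error_pct(dbm):.1f}% off)")
```

Values that are not a sum of 10s and 3s (5 dBm, for instance) show the weakness of the shortcut: the estimate stops at 3 dB and is more than a third low, so use the exact conversion whenever the margin matters.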
EIRP
Total signal strength output by a radio system
To begin planning the size of your wireless cells, you use Effective Isotropic Radiated Power (EIRP), which is the total signal strength generated by a radio system. The EIRP derives from the transmitting radio's power plus any gain from an antenna. The EIRP also takes into account any power lost over cables and connectors installed between the antenna and radio. In other words:
EIRP = Transmit power - Transmitter cable loss + Transmitter antenna gain
EIRP is measured in units of decibels over isotropic (dBi), which compares the power at the point of maximum strength to the power of an isotropic radiator. An isotropic radiator is a theoretical device emitting energy in all directions equally, a spherical radiation pattern. No antenna is actually an isotropic radiator; for EIRP measurements, dBi simply provides a basis for consistent comparison between different radios and antennas.
For example, an AP radio is transmitting at 15 dBm and is connected to a 6.5 dBi gain antenna. The cable and connector cause a 1 dB and .25 dB loss, respectively. The EIRP is:
15 dBm - (1 dB + .25 dB) + 6.5 dBi = 19.75 dBi
You can adjust the EIRP by reducing the transmit power or by adding an external
antenna. Because range depends on many factors, you cannot relate EIRP directly to
an exact range. You can know, however, that adjusting the value changes the relative
cell size. Before examining the effects more precisely, consider the other factors: path
loss and obstacles.
Free space path loss
Path loss measures the signal attenuation between the transmitter and the receiver:
Frequency
Distance
Medium
Lp = 40.0 + 20 log D (2.4 GHz)
Lp = 46.4 + 20 log D (5 GHz)
After you calculate EIRP, you must figure out how much the signal degrades between transmitter and receiver; path loss measures that attenuation.
Path loss is based on three general factors:
Frequency
Distance
Medium
For example, if the signal must cross a brick wall, it will degrade more in that area than it will in an area with no obstacles (free space).
The free space path loss equation is based on two of these factors:
Distance
Frequency
Free space is literal. This equation does not take any obstructions into account, not even the air. The calculated signal loss originates entirely from the spreading of the signal through space and is related to the distance between the transmitter and receiver in terms of wavelength.
Lp = 32.4 + 20 log F + 20 log D
The equation uses these variables:
F = frequency in GHz
D = distance in meters
Make sure to use the correct units; otherwise, the constant 32.4, which takes these units (as well as constants related to calculating the surface area of a sphere) into account, is incorrect.
Wireless networks use one of two frequency bands (2.4 GHz or 5 GHz), so you can use these simplified equations:
Lp = 40.0 + 20 log D (2.4 GHz)
Lp = 46.4 + 20 log D (5 GHz)
For example, calculate free space path loss over 2500 meters at 2.4 GHz:
Lp = 40 + (20 * log 2500)
Lp = 40 + (20 * 3.4)
Lp = 40 + 68
Lp = 108 dB
Real-world path loss and obstacles
In free space, signal strength falls off as a square of distance.
Distance exponent: 2
Scattering
The free space equation may give you an accurate picture for path loss if your company sets up operations in the middle of a desert. But the clutter of the real world complicates the model.
The free space equation assumes that power falls off as a square of the distance. Because dBs are logarithmically related to power, this assumption appears as the coefficient 20 in the equation: 10 * log D^2 = 20 * log D.
Obstacles distributed throughout a coverage area tend to increase scattering exponentially. Because all real-world environments include obstacles, if only the air, a more realistic path loss equation would use an exponent other than 2 and therefore a coefficient other than 20.
Scattering exponent
The following are scattering exponents for some typical environments. Although these values are only approximations, you can use them to plan more realistic coverage areas:
Open outdoor spaces: 2 for short distances; add .5 for each 200 m to take into account the effects of the air
Indoors with walls (fully divided offices, hospitals, houses, and so forth): 4 or 5
Thus, if your company has a building with fully divided offices, you might use this equation to calculate path loss:
Lp = (32.4 + 20 log F) + (40 log D)
Far from insignificant, the increase in the scattering exponent from 2 to 4 could
decrease range tenfold and coverage area one hundredfold.
Antenna type
You should also consider your type of antenna when determining a realistic path loss
equation. Directional antennas, particularly high-gain directional antennas, usually
experience less scattering than omnidirectional antennas. However, an obstruction
directly in the signal path, particularly an obstruction near the antenna, can have a
great effect on the directionally focused signal.
Finally, remember the world is not tidy, and no model or equation is perfect.
Equations such as these can help you to estimate path loss, but nothing can replace
rigorous testing of the signal throughout the desired coverage area.
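The EIRP formula, the general free space equation and the scattering-exponent variant from the preceding pages, carried through in one link budget as an added example (not course or HP code). The receiver sensitivity, fade margin and range figures are constructed. Two caveats a practitioner should keep in mind: the course expresses EIRP in dBi, while the example labels it dBm, the usual unit for an absolute power level (the number itself is unchanged); and applying the course's formula to its own example inputs (15 dBm, 1.25 dB of loss, 6.5 dBi) gives 20.25, while the quoted 19.75 corresponds to a 6 dBi antenna, so check the arithmetic against the stated inputs before reusing the figure.

```python
"""Link budget from EIRP and path loss, with a selectable scattering exponent.

Added example; not part of the course. Receiver sensitivity, fade margin
and range values used below are constructed.
"""
import math


def eirp_dbm(tx_power_dbm: float, cable_loss_db: float, antenna_gain_dbi: float) -> float:
    """EIRP = transmit power - transmitter cable loss + transmitter antenna gain."""
    return tx_power_dbm - cable_loss_db + antenna_gain_dbi


def path_loss_db(freq_ghz: float, distance_m: float, exponent: float = 2.0) -> float:
    """Lp = 32.4 + 20 log F + 10 n log D, with F in GHz and D in metres.

    n = 2 gives the free-space equation (the 20 log D term); the course's
    indoor rule of thumb uses n = 4 or 5, which becomes 40 log D or 50 log D.
    """
    if freq_ghz <= 0 or distance_m <= 0:
        raise ValueError("frequency and distance must be positive")
    return 32.4 + 20.0 * math.log10(freq_ghz) + 10.0 * exponent * math.log10(distance_m)


def received_power_dbm(eirp: float, freq_ghz: float, distance_m: float,
                       exponent: float = 2.0) -> float:
    """Signal level arriving at the receiver (no receive-antenna gain assumed)."""
    return eirp - path_loss_db(freq_ghz, distance_m, exponent)


def max_range_m(eirp: float, sensitivity_dbm: float, freq_ghz: float,
                exponent: float = 2.0, fade_margin_db: float = 0.0) -> float:
    """Largest distance at which received power still clears sensitivity plus margin.

    Solves eirp - Lp(D) = sensitivity + margin for D; returns 0.0 when the
    budget cannot be met even at 1 m.
    """
    budget = eirp - sensitivity_dbm - fade_margin_db - 32.4 - 20.0 * math.log10(freq_ghz)
    if budget <= 0:
        return 0.0
    return 10.0 ** (budget / (10.0 * exponent))


if __name__ == "__main__":
    e = eirp_dbm(15, 1 + 0.25, 6.5)  # the course's worked inputs
    print(f"EIRP: {e:.2f} dBm")
    print(f"Free-space loss, 2.4 GHz, 2500 m: {path_loss_db(2.4, 2500):.1f} dB")
    # Constructed design target: 20 dBm EIRP, -60 dBm required at the station.
    for n in (2, 4):
        print(f"exponent {n}: range {max_range_m(20.0, -60.0, 2.4, n):.1f} m")
```

With the constructed 20 dBm EIRP and a -60 dBm target at 2.4 GHz, the free-space exponent gives a range of about 100 m and the fully divided office exponent of 4 gives about 10 m, which is the tenfold range reduction the text describes.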
Figure 3-36: Basic and supported rates (figure labels: Multicast frames, Broadcast frames, Unicast frames, Supported rates)
The data rate used by stations in the wireless cell determines the theoretical maximum
for capacity. That is, if a station and an AP are communicating at 24 Mbps, the
throughput can be no more than 24 Mbps.
Each 802.11 standard supports multiple data rates. The particular data rate at which a station transmits is affected by the AP's data rate sets:
The basic data rate set includes the rates that a station must support to associate to the AP. On the MSM APs, you specify the basic rate as the multicast rate in the radio settings.
The supported data rate set includes any rate that the station can use to send data after it associates. You specify these rates in the VSC's settings.
A station transmits at the highest data rate that it can support in the AP's supported rate set. (The better the signal, the higher the data rates that the station can support.) The supported data rate set typically includes more data rates than the basic set, allowing stations that support faster rates to use them.
Note
If the supported data rate set includes rates that are lower than the basic rates,
stations can use those rates only after they associate. In this way, a station could
move further away from the AP and stay connected.
The table compares data rates to actual throughput. These numbers are provided as
estimates only. Remember also that all stations in the cell must share the throughput.
Therefore, you must adjust your expectations for per-station throughput based on the
number of stations that connect to the AP and the amount of data that they transmit.
802.11 mode   Data rate (Mbps)   Approximate throughput per cell (Mbps)
802.11b       1                  .33 to .5
              2                  .66 to 1
              5.5                1.8 to 2.2
              11                 3.6 to 5.5
802.11g       6                  1.5 to 3
              9                  2.2 to 4.5
              12                 3 to 6
              18                 4.5 to 9
              24                 6 to 12
              36                 9 to 18
              48                 12 to 24
              54                 14 to 27
802.11a       6                  2 to 3
              9                  3 to 4.5
              12                 4 to 6
              18                 6 to 9
              24                 8 to 12
              36                 12 to 18
              48                 16 to 24
              54                 18 to 27

802.11n: data rate (Mbps) with approximate throughput per cell (Mbps) in parentheses

One spatial stream
MCS   Long GI, 20 MHz     Short GI, 20 MHz    Long GI, 40 MHz     Short GI, 40 MHz
0     6.5 (1.6 to 3.2)    7.2 (1.9 to 3.6)    13.5 (3.3 to 6.7)   15 (3.8 to 7.5)
1     13 (3.2 to 6.4)     14.4 (3.6 to 7.2)   27 (6.5 to 13)      30 (7.5 to 15)
2     19.5 (4.9 to 9.7)   21.7 (5.4 to 11)    40.5 (10 to 20)     45 (11 to 22)
3     26 (6.5 to 13)      28.9 (7.2 to 14)    54 (14 to 27)       60 (15 to 30)
4     39 (10 to 19)       43.3 (11 to 22)     81 (20 to 40)       90 (22 to 45)
5     52 (13 to 26)       57.8 (15 to 29)     108 (22 to 44)      120 (30 to 60)
6     58.5 (15 to 29)     65 (16 to 32)       121.5 (30 to 60)    135 (34 to 67)
7     65 (16 to 32)       72.5 (18 to 36)     135 (34 to 67)      150 (38 to 75)

Two spatial streams
MCS   Long GI, 20 MHz     Short GI, 20 MHz    Long GI, 40 MHz     Short GI, 40 MHz
8     13 (3.2 to 6.4)     14.4 (3.6 to 7.2)   27 (6.5 to 13)      30 (7.5 to 15)
9     26 (6.5 to 13)      28.9 (7.2 to 14)    54 (14 to 27)       60 (15 to 30)
10    39 (10 to 19)       43.3 (11 to 22)     81 (20 to 40)       90 (22 to 45)
11    52 (13 to 26)       57.8 (15 to 29)     108 (22 to 44)      120 (30 to 60)
12    78 (20 to 39)       86.7 (22 to 43)     162 (40 to 81)      180 (45 to 90)
13    104 (26 to 52)      115.6 (29 to 58)    216 (55 to 110)     240 (60 to 120)
14    117 (29 to 58)      130 (32 to 65)      243 (60 to 120)     270 (68 to 130)
15    130 (32 to 65)      144.4 (36 to 72)    270 (68 to 130)     300 (75 to 150)

Three spatial streams
MCS   Long GI, 20 MHz     Short GI, 20 MHz    Long GI, 40 MHz     Short GI, 40 MHz
16    19.5 (4.9 to 9.7)   21.6 (5.4 to 11)    40.5 (10 to 20)     45 (11 to 22)
17    39 (10 to 19)       43.4 (11 to 22)     81 (20 to 40)       90 (22 to 45)
18    58.5 (15 to 29)     65 (16 to 32)       121.5 (30 to 60)    135 (34 to 67)
19    78 (20 to 39)       86.7 (22 to 43)     162 (40 to 81)      180 (45 to 90)
20    117 (29 to 58)      130.7 (32 to 65)    243 (60 to 120)     270 (68 to 130)
21    156 (39 to 78)      173.3 (43 to 87)    324 (81 to 160)     360 (90 to 180)
22    175.5 (44 to 88)    195 (49 to 98)      364.5 (91 to 180)   405 (100 to 200)
23    195 (49 to 98)      216.7 (54 to 110)   405 (100 to 200)    450 (110 to 220)
Activity: Planning coverage and capacity
When do you plan small or large cells?
Why should the cells overlap?
Now that you know how to create larger and smaller cells, you must consider why. That is, you must begin to understand how changing the size of a cell helps you meet a company's requirements for the network.
For this activity, your facilitator will assign you to a group and ask you to consider the following scenarios:
1. A university is planning a wireless network in its library. Students will be using the following applications: databases, a proprietary library application, video-streaming applications, and the Internet. Hundreds of users go to the library to study, and for the most part, they use their own devices. To summarize, the library users typically have high-bandwidth requirements, and the library is a high-user-density environment.
Although you will not try to determine the exact size cells should be, consider which of the following cell designs would probably be better suited for the university's library. Why is it better?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
2. A large bookstore wants to provide Internet access for its customers. Essentially, the bookstore management team wants customers to be able to access its Web site and get more information about books or actually purchase books (both print and electronic books). Currently, no more than 15 customers sit in the bookstore café area at a given time. An additional 10 to 15 customers sit in chairs provided throughout the bookstore. However, the bookstore management team believes that when the bookstore offers Internet access, these numbers will increase. To summarize, bookstore customers will have low bandwidth requirements, and the bookstore will have a low user density. Even projecting for future growth, the bookstore management team wants to implement a wireless network that will support 50 to 60 customers.
Again, you will not determine the exact size cells should be. Given the bookstore's requirements, which of the following cell designs would probably be better suited for the bookstore? Why?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
3. Why do you think wireless cells should overlap?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Conclusion
Plan large or small cells based on your company's needs. Generally, large cells provide more extensive coverage while small cells provide greater speed within the limited coverage area. In today's and tomorrow's computing environment, where user density, application complexity, and intolerance for latency can only grow, IT administrators must carefully weigh range against speed.
Wireless cells must overlap to prevent dead zones, areas where no wireless signal is available. Overlap also enables stations to roam between cells. For applications that require low latency (such as VoIP), overlap is particularly important so that stations can roam smoothly without interrupting service.
Discussion topics
802.11 standard
Wireless network operating system modes
Antennas
Three-dimensional coverage
Omnidirectional antenna
Directional antenna
Diversity antenna
Yagi antenna
Roaming
This section explains how different types of antennas shape the radio signal.
Antennas
Omnidirectional: horizontal plane
Directional: horizontal plane
A wide variety of antennas answer most environmental challenges you will confront
as you build and maintain your wireless network. Antennas carefully deployed to
take full advantage of gain and radiation patterns can increase connection reliability
and extend coverage into specific desired areas, overcoming physical obstacles and
interference.
The two basic types of antennas are omnidirectional and directional. (Either type can
also be a diversity antenna, which is another type of antenna about which you will
learn later.)
Three-dimensional coverage
Magnetic (H-plane): horizontal
Electric (E-plane): vertical
Three-dimensional pattern
Antenna radiation plots (including those on the previous page) often show only the horizontal plane, as if you were looking down on the antenna and its pattern from directly above it. In reality, radio signals propagate in three dimensions, so coverage can be plotted on a vertical plane as well.
A radio wave is electromagnetic radiation. Stated precisely, the E-plane is the plane
in which the electrical component radiates, and the H-plane, the one in which the
magnetic component radiates. The two radiate at ninety-degree angles to each other,
so when the antenna is polarized vertically, the E-plane is oriented vertically and the
H-plane horizontally. This course will assume that you have positioned the antenna in
this way and refer to the E-plane as vertical coverage and the H-plane as horizontal
coverage. You should always be sure to orient your antenna correctly.
The three-dimensional nature of radio signals is important to remember when placing
APs; the signal from an omnidirectional antenna, for example, could interfere with
coverage on another floor of the building.
Omnidirectional antenna
Radiates equally in each horizontal direction
Provides limited vertical coverage that decreases as gain increases
Figure labels: Horizontal, Vertical
Omnidirectional antennas like the one shown here are designed to provide
indiscriminate coverage in all directions horizontally. They also have a limited vertical
radiation pattern and could provide coverage to stations almost directly above and
below the antenna.
The vertical coverage decreases, however, as the gain increases because the signal
is focused more strongly horizontally. (Picture a balloon that is being compressed into
a disk. The larger the disk, the flatter it becomes.) Due to the low angle for vertical
coverage, high-gain omnidirectional antennas risk overshooting nearby stations
mounted beneath the AP.
Directional antenna
Directs the signal in a beam
High-gain
Patch antennas: 30° to 60° beamwidth
Wide-angle
34° beamwidth on E-plane
As their name implies, directional antennas focus the signal in a single direction; different varieties have widely varying beamwidths. In the slides on omnidirectional antennas, you already encountered varying beamwidths for the E-plane. You must now learn how to talk about beamwidths more precisely. An antenna's beamwidth is measured by the angle between the points at which the power falls to half the maximum strength. (This angle is sometimes called the 3 dB beamwidth because a loss of 3 dB corresponds to half power.)
Some directional antennas have very narrow beams, and some have beams up to 120 degrees wide. The broader the beam, the smaller the antenna's gain will be. Because directional antennas can be aimed, they are useful for providing coverage in specific areas and for establishing point-to-point (wireless bridge) connections over relatively long distances.
Directional antennas fall into several classes:
High-gain antennas, designed to direct a very narrowly focused beam (10- to 30-degree beamwidth) over a long range
Patch antennas, with a beamwidth between 30 and 60 degrees, suited for filling in coverage areas
Wide-angle antennas, often combined to provide well-controlled coverage over wide areas (beamwidth between 60 and 120 degrees)
Diversity antenna
Includes two closely spaced antennas
Uses the antenna that provides the best signal for each station
Ideal for cluttered areas
Figure labels: Antenna A, Transceiver A, Antenna B, Transceiver B, Voting processor
Yagi antenna
Array of antennas
Narrow beamwidth and high gain
Often used for point-to-point connections
Figure labels: E-plane, H-plane
The Yagi antenna (named for one of its developers, Hidetsugu Yagi) is a narrow-beam directional antenna with a relatively high gain. Such an antenna is sometimes called a Yagi phased array because it is composed of three or more dipole antennas as conductive elements arrayed on a common boom. Roof-mounted television antennas are typical examples of a Yagi, but those designed for wireless networks are much smaller and usually enclosed in a protective case. Because of its narrow beam, a Yagi is ideal for long-distance point-to-point (or wireless bridge) connections, though careful aiming is required.
Discussion topics
802.11 standard
Wireless network operating system modes
What does roaming mean to your company?
Where do users need to roam?
What does roaming mean to your company? What behavior do users expect?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Ask your neighbor how his or her company defines roaming. What behavior do the
users expect?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Once users unhook their stations from the wired network, they expect to be able to roam, moving their station from place to place. If the wireless network does not support this roaming, or if users cannot access the applications they need while they roam, users might get frustrated and begin calling your company's help desk.
To avoid these kinds of issues, you must determine what users need and expect. You should also clearly define what users and management mean by "roaming." What is the expected or desired behavior?
Because seamless roaming can mean different things to each user, you need to carefully define what it means to your company. Specifically, where do users want to roam? From office to office or building to building?
Do users expect to maintain access to applications as they roam? Or do they just want continual network access without the hassle of logging in again when they reach their destination?
What type of applications are they using? If they are using email, brief interruptions in the signal won't be noticed. If they are using voice over WLAN, however, they must have a continuous, uninterrupted signal.
After you understand what users mean by seamless roaming, you need to evaluate the factors that affect roaming. For example, how do your company's stations and wireless clients handle roaming? How resilient are your applications to the latency that might result from roaming? Can roaming be limited to Layer 2, or RF, roaming? Or do users need to roam between subnets, which is called Layer 3, or network, roaming? And finally, if you are using 802.1X (as you should for the highest levels of security), how can you mitigate the delay that 802.1X authentication incurs during the roaming process?
Factors that affect roaming
Stations determine when to roam.
Other factors that affect roaming:
Wireless
Layer 2 or 3 roaming
802.1X authentication
The 802.11 standard assigns wireless stations the responsibility of determining when
they should roam to another AP. However, the standard does not mandate the factors
that a station should use to determine whether or not it should roam from one AP to
another. To provide more flexibility, the 802.11 standard allows each vendor to
determine the criteria for when its wireless NICs initiate roaming. These criteria are
programmed as algorithms on the wireless NIC.
Although specific implementations are left to the vendor, roaming decisions are typically based on factors such as the AP's signal strength and missed beacons. For example, a station will usually roam to another AP under the following circumstances:
The user moves the station; the station either loses the AP's signal (moves out of range) or detects another AP that supports the same SSID but has a stronger signal.
Interference decreases an AP's signal, and the station detects an AP that supports the same SSID and has a stronger signal.
An AP becomes unavailable, and the station detects another AP that supports the same SSID.
Roaming to a new AP
After a station associates with an AP, it constantly monitors that AP's signal-to-noise
ratio (SNR). The SNR is a comparison between the strength of a radio's signal and
the background noise. (For example, if a radio's signal strength is -58 dBm and the
background noise is -94 dBm, the SNR is 36 dB.)
The higher the SNR, the clearer the signal, and the easier it is for a station to receive
and use the signal. Conversely, the lower the SNR, the weaker the signal, and the
harder it is for the station to distinguish the signal. The ability to use the signal is also
dependent upon the sensitivity of the station's radio. The point at which the station
can no longer detect and use the signal is that station's receiver sensitivity threshold.
However, a station should not wait to roam until the absolute minimum threshold is
reached. Instead, vendors typically define a NIC's cell search threshold, which is
above the minimum threshold. When the SNR falls below the cell search threshold,
most stations begin to search for another AP. If another AP is within range, a station
begins to compare the SNR of both APs. The point at which the second AP has a
higher SNR is called the delta SNR. If a station detects the delta SNR and the second
AP meets the requirements for roaming, the station begins the reassociation process
to move to another AP.
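As an added example (not part of the HP course material), the station-side roaming decision described above, modeled in Python. The receiver sensitivity, cell search threshold and delta SNR values are assumptions, since the real numbers are vendor-specific, and the AP readings are constructed.

```python
"""Added example (not HP course code): a model of the station-side roaming
decision. Threshold values are assumptions; real NIC drivers use vendor-specific
algorithms and numbers."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ApSignal:
    """What a station measures for one AP it can hear."""
    bssid: str
    ssid: str
    signal_dbm: int   # received signal strength
    noise_dbm: int    # background noise floor

    @property
    def snr_db(self) -> int:
        # SNR is how far the signal sits above the noise floor:
        # a -58 dBm signal with -94 dBm noise gives 36 dB.
        return self.signal_dbm - self.noise_dbm


@dataclass(frozen=True)
class RoamingPolicy:
    """Vendor-defined thresholds (assumed values for this example)."""
    receiver_sensitivity_db: int = 10   # below this the radio cannot use the signal
    cell_search_threshold_db: int = 20  # below this the station starts scanning
    delta_snr_db: int = 5               # candidate must exceed the current AP by this


def should_scan(current: ApSignal, policy: RoamingPolicy) -> bool:
    """Stations start looking for another AP before the absolute minimum is hit."""
    return current.snr_db < policy.cell_search_threshold_db


def choose_roam_target(current: ApSignal, candidates: Iterable[ApSignal],
                       policy: RoamingPolicy = RoamingPolicy()) -> Optional[ApSignal]:
    """Return the AP to reassociate with, or None if the station should stay."""
    if not should_scan(current, policy):
        return None
    lost_current = current.snr_db < policy.receiver_sensitivity_db
    best: Optional[ApSignal] = None
    for ap in candidates:
        if ap.bssid == current.bssid or ap.ssid != current.ssid:
            continue                      # only APs serving the same SSID qualify
        if ap.snr_db < policy.receiver_sensitivity_db:
            continue                      # the candidate is not usable either
        # Normally the candidate must beat the current AP by the delta SNR; if the
        # current AP is effectively gone, any usable same-SSID AP will do.
        if not lost_current and ap.snr_db - current.snr_db < policy.delta_snr_db:
            continue
        if best is None or ap.snr_db > best.snr_db:
            best = ap
    return best
```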
Layer 2 roaming
APs support the same:
SSID and ESS
Security
Subnet and VLAN
Layer 2, or RF, roaming is sometimes called simple roaming because most 802.11-compliant
APs natively support it. (The 802.11 standard provides general guidelines
for Layer 2 roaming.) The APs can hand off the roaming station's association at the
Data Link Layer; no additional solution is required to enable a station to move from
one AP to another.
If you want users to be able to roam between two APs, you must deploy those APs in
such a way that they support Layer 2 roaming between each other.
For example, the station shown in the slide moves easily from one AP to another
because both APs support the Faculty SSID and both APs are on the same VLAN, or
subnet.
When you plan your wireless services and deploy APs and RPs, you should
determine the areas in which you want to support roaming. In these areas, you
should ensure that the APs and the RPs support the same SSIDs and the same
subnets. Stations can then roam easily between APs.
Supplemental authentication, such as 802.1X, will slow down the roaming process
because the station must re-authenticate to the new AP. The steps you can take to
mitigate the latency introduced by 802.1X are described later in this module.
Layer 3 roaming
APs support the same SSID, ESS, and security setting, but have different subnets and VLANs.
Like Layer 2 roaming, Layer 3 roaming requires that the station roam between two
APs that support the same SSID (WLAN). However, Layer 3 roaming becomes
necessary if a station tries to move between two APs that support the same WLAN
but are on different VLANs (or subnets).
When a station successfully authenticates and associates with a WLAN on the first
AP, it typically receives a valid IP address through a Dynamic Host Configuration
Protocol (DHCP) server. (Alternatively, the station could be configured to use a static
IP address that is on the same subnet as the AP.) The AP also puts the station into the
VLAN assigned to that WLAN or into the dynamic VLAN assigned to the user.
If this station then tries to move to another AP on a different subnet, it cannot use the
IP address valid for its association with the first AP. In this case, the handoff between
the two APs must include the Network Layer as well as the Data Link Layer. Because
most APs do not have the capability to handle Layer 3 roaming, the reassociation
fails, and the user loses access to his or her applications. The user will then have to
reinitiate the wireless connection and restart the applications.
Fast roaming
802.1X with WPA2 is the most secure option, but slows the roaming process.
APs send encryption keys for clients that might need to roam to other APs.
When the client roams, the new AP checks the key instead of enforcing authentication.
Figure 3-50: Fast roaming
Although WPA with 802.1X strengthens security for wireless communications, it has
one drawback: it increases the time required to roam from one AP to another
because the station must reauthenticate with the new AP and agree on encryption
keys. In fact, 802.1X re-authentication is the most time-intensive part of the roaming
process.
To reduce this latency, an MSM Mobility or Premium Mobility Controller applies
opportunistic key caching. When a client sends a disassociation frame to its AP to
signal that it is going to roam away from it, the AP sends the client's key (more
precisely, its pairwise master key [PMK], as you will learn in the next module) to
neighboring APs through the backend Ethernet network. The new AP receives the
client's association request. Rather than implement the full 802.1X authentication
process, the AP proceeds directly to a brief handshake in which it verifies that the
client is using the correct PMK. The client must also support opportunistic key caching
so that it keeps the key for the new association.
Opportunistic key caching provides the following benefits to clients that support it:
Note that VSCs that do not implement 802.1X authentication neither support nor
require opportunistic key caching for achieving roams under 50 ms. For example,
in a VSC with no authentication and encryption, the client simply needs to associate
to the new AP. For a VSC that enforces WPA/WPA2-PSK, all APs and clients already
know the PMK.
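An added example (not HP's code and not how the MSM firmware implements it) that models the key distribution and PMK check described above, together with the PSK and open VSC cases from the note. The HMAC challenge stands in for the real key handshake; AP names, neighbor lists and MAC addresses are constructed.

```python
"""Added example, not HP's code: a simplified model of opportunistic key caching
(OKC) and of the VSC types that do not need it. The PMK check is a stand-in HMAC
challenge, not the real 802.11i key handshake; names and MACs are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class Client:
    def __init__(self, mac: str, okc: bool = True, pmk: Optional[bytes] = None):
        self.mac, self.okc, self.pmk = mac, okc, pmk

    def prove_pmk(self, nonce: bytes) -> bytes:
        # Proves possession of the PMK without sending the key itself over the air
        return hmac.new(self.pmk, nonce + self.mac.encode(), hashlib.sha256).digest()


class AccessPoint:
    def __init__(self, name: str, vsc_auth: str, psk_pmk: Optional[bytes] = None):
        self.name, self.vsc_auth = name, vsc_auth   # vsc_auth: "802.1X", "WPA2-PSK" or "open"
        self.psk_pmk = psk_pmk                      # for a PSK VSC every AP already knows the PMK
        self.pmk_cache: Dict[str, bytes] = {}       # client MAC -> PMK from 802.1X or OKC
        self.neighbors: List["AccessPoint"] = []    # APs reachable over the wired backend
        self.full_8021x_runs = 0

    def complete_8021x(self, client: Client) -> None:
        # Stand-in for the full EAP exchange; the RADIUS server would deliver the PMK
        self.full_8021x_runs += 1
        self.pmk_cache[client.mac] = client.pmk = secrets.token_bytes(32)

    def on_disassociation(self, client_mac: str) -> None:
        # OKC: push the roaming client's PMK to neighboring APs before it arrives there
        pmk = self.pmk_cache.get(client_mac)
        if pmk is not None:
            for ap in self.neighbors:
                ap.pmk_cache[client_mac] = pmk

    def _pmk_matches(self, pmk: bytes, client: Client) -> bool:
        if client.pmk is None:
            return False
        nonce = secrets.token_bytes(16)
        expected = hmac.new(pmk, nonce + client.mac.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(client.prove_pmk(nonce), expected)

    def associate(self, client: Client) -> str:
        """Return the path taken: 'open', 'handshake', 'full' or 'rejected'."""
        if self.vsc_auth == "open":
            return "open"                     # nothing to verify, just associate
        if self.vsc_auth == "WPA2-PSK":       # no OKC needed: the PMK is the pre-shared key
            return "handshake" if self._pmk_matches(self.psk_pmk, client) else "rejected"
        cached = self.pmk_cache.get(client.mac) if client.okc else None
        if cached is not None and self._pmk_matches(cached, client):
            return "handshake"                # brief handshake replaces the 802.1X exchange
        self.complete_8021x(client)           # no usable cached key: full 802.1X
        return "full"


def roam_scenario():
    """Walk an OKC client and a non-OKC client across 802.1X APs, then a PSK client."""
    ap1, ap2, ap3 = (AccessPoint(n, "802.1X") for n in ("ap1", "ap2", "ap3"))
    ap1.neighbors = [ap2]                     # ap3 is not a neighbor, so it never gets the PMK
    okc_client = Client("aa:bb:cc:00:00:01")
    paths = [ap1.associate(okc_client)]       # first connection: full 802.1X
    ap1.on_disassociation(okc_client.mac)     # PMK pushed to ap2
    paths.append(ap2.associate(okc_client))   # ap2 verifies the cached PMK
    ap2.on_disassociation(okc_client.mac)     # ap2 has no neighbors configured
    paths.append(ap3.associate(okc_client))   # full 802.1X again
    legacy = Client("aa:bb:cc:00:00:02", okc=False)
    paths.append(ap1.associate(legacy))
    ap1.on_disassociation(legacy.mac)
    paths.append(ap2.associate(legacy))       # ap2 has the PMK, but the client does not keep it
    psk = b"\x11" * 32
    p1, p2 = (AccessPoint(n, "WPA2-PSK", psk_pmk=psk) for n in ("p1", "p2"))
    psk_client = Client("aa:bb:cc:00:00:03", pmk=psk)
    paths += [p1.associate(psk_client), p2.associate(psk_client)]
    full_runs = sum(ap.full_8021x_runs for ap in (ap1, ap2, ap3, p1, p2))
    return paths, full_runs
```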
Lab Activity 3
In this lab, you will configure the following radio settings on the MSM APs:
802.11n-specific settings
Transmit power
Key Insights
Use the space below to record your thoughts about various deployment strategies
that you explored during Lab Activity 3.
NOTES
Summary
You should understand:
802.11
Antennas
Roaming
In this module you learned about the main 802.11 standards that determine how
wireless stations associate and communicate with APs. Specifically, you reviewed
the 802.11 modes (802.11 a/b/g/n) and learned more about the 802.11n
enhancements that increase speed and reliability. You also learned about 802.11h,
which enables APs and stations to comply with regulations governing the 5 GHz
frequency band. In addition, you reviewed the actual process stations use to
complete the 802.11 authentication and association process.
You then examined how antennas shape the RF signal and delved into radio
properties, focusing on how those properties affect coverage and capacity.
Finally, you reviewed how stations determine to roam and examined the different
types of roaming:
Layer 2 roaming
Layer 3 roaming
Fast roaming
Learning check
Answer the following questions:
1. What factors affect how far away a client can be from an AP and still connect to
the WLAN?
2.
Supplemental information about 802.11 a/b/g/n
802.11b
Now that you understand the basic physical properties that are defined in the 802.11
standard, you can see how the specific subsets within the standard have evolved over
the years. The IEEE published the first wireless networking standard, 802.11, in 1997,
but the standard supported transmission rates of only 2 Mbps, making it too slow for
practical application. The 1999 revision, 802.11b, operates in the 2.4 GHz range
and advertises transmission speeds of up to 11 Mbps.
Because 802.11b equipment operates in the 2.4 GHz range, it does not require
special licensing. This is one reason vendors were able to produce and sell APs and
wireless network interface cards (NICs) based on this standard at affordable prices.
As a result, many companies built their first wireless networks using products that
supported 802.11b. Today, however, most companies have updated their wireless
networks to support standards that enable higher transmission speeds.
802.11b networks may incur interference from the following devices, which operate in
the same RF band:
Microwave ovens
Bluetooth devices
802.11a
Knowing that companies needed better performance, the IEEE next ratified the
802.11a standard. In fact, the IEEE had been working on 802.11a in tandem with
802.11b. However, 802.11b was approved first, hence the order in which they are
presented in this module.
802.11a improves on the slow rates offered by 802.11b, supporting 6 to 54 Mbps.
802.11a radios operate in the 5 GHz band. Because this band is less crowded than
the 2.4 GHz band, 802.11a-compliant wireless products encounter less interference
from other electronic devices. However, some radar, HiperLAN devices, and wireless
phones use the 5 GHz band. The generally less crowded band comes at a cost: the
5 GHz band is more tightly regulated.
Due to the nature of radio communication, 802.11a also requires that devices are in
closer proximity to achieve the fastest possible rates. Devices operating on this
standard must be 25 to 50 percent closer together than 802.11b devices to achieve
their maximum speeds. As a result, 802.11a is a more practical option when high
throughput is more important than wide coverage.
802.11a is incompatible with 802.11b devices, which were widely adopted by both
home and business users. Because of the earlier popularity of 802.11b, users were
often reluctant to reinvest in the new hardware required to take advantage of the
greater speed offered by 802.11a-compliant devices. 802.11a never achieved the same
popularity as 802.11b, but it provided a good option for companies that wanted to
increase throughput and decrease interference.
802.11g
802.11n
Wireless Security
Module 4
Objectives
Although wireless networks have become required equipment for most companies,
they are not without their challenges. Perhaps the most critical issue is security.
Because radio waves are shared media, anyone can eavesdrop on wireless
transmissions or tamper with the data wireless devices transmit.
To secure these transmissions, you must address three aspects of wireless security:
Authentication, which ensures that only authorized users access the network
Confidentiality, which hides data from other users of the shared wireless medium
NOTES
Supplemental authentication options
802.1X with:
  WPA
  WPA2
  Dynamic WEP (not recommended)
Pre-shared keys:
  WPA
  WPA2
  WEP (not recommended)
Web-Auth
MAC-Auth
As you learned in Module 3, the original 802.11 standard does not provide true
authentication. To protect the wireless transmissions, supplemental authentication
options were developed.
The 802.11 standard also supports several encryption options, each of which
corresponds to one or more authentication options. The following summarizes the
authentication and encryption options that are available for securing wireless-network
access and wireless communications.
Shared key
WPA-PSK, WPA2-PSK, and static WEP are the authentication options that use
shared keys.
key, it can be easily compromised, and this authentication method does not provide
true user authentication.
Static WEP
Static WEP requires users to submit the correct shared key to connect to the WLAN. It
uses the same shared key for encryption. Because both the key and encryption
algorithm can be cracked, IEEE has disapproved this option except in
implementations that require backward compatibility.
Web-Auth
As the name implies, Web authentication (Web-Auth) allows users to submit login
credentials through a Web browser interface. Because Web-Auth is typically used for
guest access, it does not require encryption to protect the wireless transmissions
between the station and the AP. The responsibility for protecting the wireless
communications is left to the guest users, who can use HTTPS or VPN access to
secure the transmissions.
MAC-Auth
MAC authentication (MAC-Auth) allows you to authenticate devices that do not
support other security measures. For example, you may need to implement MAC-Auth
for some printers that do not support an 802.1X client. MAC-Auth can also be used
in conjunction with other security measures to provide an additional check. However,
MAC addresses can be easily spoofed, so this authentication method is ultimately not
very secure. In addition, this authentication method requires the network
administrator to know and track the MAC addresses of the devices that will access
the network, creating a high level of administrative overhead.
You can use MAC-Auth with other authentication methods and encryption.
Discussion topics
802.1X with WPA/WPA2 or dynamic WEP
  802.1X
  Roles in the 802.1X authentication process
  802.1X ports
  Controlled port states
  EAP process and EAP methods
  802.1X requirements
  Certificates required for 802.1X
  Installing certificates on MSM Controllers
  Advantages and disadvantages of using 802.1X
  802.1X encryption options: WPA, WPA2, and dynamic WEP
  Activity: Advantages of using WPA and WPA2
  Configuring 802.1X on the MSM Controllers
  Lab Activity 4.1
WPA/WPA2-PSK
Web-Auth
MAC-Auth
WEP
Additional security measures
The first section focuses on the most secure authentication option: 802.1X. It also
covers the encryption options that can be combined with 802.1X.
802.1X
Requires a user to authenticate to a RADIUS server as soon as the user's
station associates to a WLAN
802.1X forces users to authenticate as soon as the Data Link Layer establishes a
connection. This is when the station associates with the AP, having first passed
through the 802.11 open authentication phase. 802.1X then manages the process by
which users authenticate to the network and gain access.
The basic sequence for initiating 802.1X is outlined below.
1. The station passes open-system 802.11 authentication and associates with the AP.
2. Depending on how the VSC is configured, the AP or controller blocks all traffic
from the association and initiates the 802.1X authentication process.
To understand 802.1X authentication, you must understand the devices involved in
the process and the role each device plays:
Keep these questions in mind as you learn about the three devices involved in the
802.1X authentication process:
Supplicant
Authenticator
Authentication server
Supplicant
On a wireless network, the station is the supplicant, or more precisely, the port
access entity (PAE), which implements 802.1X on the station.
The supplicant requests access to the network and proves that it deserves this access
by authenticating, typically in response to a challenge from the far end of the
connection (for example, an AP).
In addition to responding to a challenge, the supplicant may also initiate the
authentication process on its own behalf (by transmitting an EAP-Start packet). This
mechanism protects supplicants that receive the challenge before the station has
entirely booted, causing authentication to time out before the user can submit his or
her credentials.
Authenticator
The authenticator is the PAE on the far end of the supplicant's connection. In an
MSM solution, the authenticator can be the AP or the controller, again depending
on how the VSC is configured. An AP or controller has as many PAEs as it has
associations with stations.
The authenticator controls network access, forcing a supplicant to authenticate before
it can send any non-EAP traffic over the connection. The authenticator initiates the
authentication process but then relays authentication messages between the
supplicant and the authentication server.
After the authentication is completed, the authenticator decides how to control the
connection. If the authentication server has accepted the user's request, the
authenticator activates the virtual port created for the wireless association. In other
words, the station is now completely connected to the wireless network. If the
authentication server rejects the user's request, the authenticator enforces this denial
and keeps the virtual port closed.
Authentication server
The authentication server makes decisions about whether or not users can access the
network. These decisions are based on whether or not the user:
Can prove his or her identity (the user's credentials are correct)
For example, an authorized employee might be prohibited from using wireless access
after regular work hours.
The server also submits its own credentials to the supplicant. In essence, the
supplicant and the server authenticate each other, although the authenticator always
acts as a proxy in this process.
The authentication server can be any Authentication, Authorization, and Accounting
(AAA) server; however, it is typically a RADIUS server and will be referred to as such
in this module.
The authenticator and authentication server use RADIUS messages to communicate.
The authenticator encapsulates the supplicant's EAP messages in this protocol.
802.1X ports
Controlled port:
  Used to control network access, based on the station's authentication state
  Disabled by default
Uncontrolled port:
  Used to transport authentication messages
  Always enabled but allows only EAP
To restrict an unauthenticated user so that the user's station can send only
authentication messages, 802.1X divides the association between the AP and the
station into two virtual ports.
Controlled port
The controlled port allows all types of traffic, but it can be disabled and, by default,
is. Both the authenticator PAE and the supplicant PAE control the port, based on the
supplicant's authentication state. The controlled port allows the authenticator to block
network access by unauthenticated users.
Uncontrolled port
802.1X secures the network from the moment the supplicant connects by deactivating
the controlled port. The uncontrolled port is always active, but it can carry only the
EAP packets used for authentication.
Without the uncontrolled port, this high level of security would shut out all traffic from
users, preventing even authorized users from proving that they are authorized.
Controlled port states
Disabled
Enabled
Because 802.1X considers all peers untrusted by default, the controlled port is
disabled as soon as the connection is established. By the end of the authentication
process, however, the authentication state of the supplicant, the authentication server,
or both may have changed, and the controlled port's status will reflect that change.
Both the authenticator and the supplicant PAEs leave the controlled port disabled if
the far end's authentication fails. In other words, the authenticator PAE protects your
network from unauthorized users. The supplicant PAE protects the user from
man-in-the-middle attacks and rogue APs.
If the user authenticates successfully, the authenticator enables the controlled port and
allows the user to access the network. Similarly, the supplicant enables the controlled
port if the server authenticates successfully. (For example, the Windows Wireless Zero
Configuration utility now lists the connection's status as Connected.)
Unlike the authenticator, the supplicant also enables the port if EAP times out; it
assumes the network does not require 802.1X.
EAP process
You will now examine the authentication process for 802.1X in more detail.
EAP, the protocol 802.1X uses for authentication, defines a flexible framework into
which you can fit authentication methods that meet your company's environment and
security policies.
The illustration above shows this general framework. As you follow the process,
remember that the authenticator relays all messages from the station to the RADIUS
server, translating them as necessary. The vertical line underneath the AP shows the
point at which the authenticator translates frames. The horizontal dashed lines show
frames after they have been translated to the new format.
1.
2.
3. Depending on the EAP method, the station and RADIUS server exchange a
particular series of messages, which might contain one of many types of
authentication credentials.
Because EAP is so flexible, it supports a variety of different EAP methods. This
module will describe some of the more common EAP methods used on wireless
networks.
4.
EAP methods: TLS
Considered one of the most secure EAP methods, EAP-TLS uses a three-way TLS
handshake to exchange digital certificates and to generate encryption keys. By the
end of the process, not only are the connection endpoints authenticated, but the
connection itself is secured with encryption.
The EAP Request/TLS and EAP Response/TLS packets include information such as:
Advantages
EAP-TLS is one of the most secure EAP methods because it provides mutual
authentication with Public Key Infrastructure (PKI) digital certificates. (Digital
certificates rely on extremely strong asymmetric keys and trusted certificate authorities
[CAs].) In addition, the process has built-in key distribution, making it a secure option
for wireless networks.
With TLS, authentication is based on a digital certificate (something the user has)
rather than on a shared secret (something the user knows). The digital certificate is
typically stored on a laptop or a smart card, providing stronger security. Although
you can set up requirements to force users to create stronger, and therefore more
secure, passwords, you cannot prevent users from telling people their password or
writing it on a paper displayed in plain sight.
Someone who steals a laptop or smart card can gain access to certificates installed
on that laptop, but the user can immediately report the theft, allowing you to disable
the related account.
EAP-TLS is impervious to the attacks that affect less secure EAP methods such as
EAP-MD5, but security comes at the cost of purchasing and managing the digital
certificates, substantially more expensive than managing passwords. Maintaining a
large number of certificates requires specialized software and trained IT staff.
Another barrier to adopting EAP-TLS is the requirement for digital certificates on all
stations, an impossibility in some environments.
EAP methods: TTLS and PEAP
Tunneled Transport Layer Security (TTLS) and Protected EAP (PEAP) were developed to
provide much of the security of EAP-TLS without forcing stations to use digital
certificates, drastically reducing implementation costs. For this reason, these are
among the most commonly used EAP methods. (TTLS was developed by Funk
Software and Certicom; PEAP was developed by Microsoft, Cisco Systems, and RSA
Security.)
TTLS and PEAP function in very similar ways. Both methods involve a two-step
authentication process; in the first step, the outer method creates a secure tunnel in
which the second step takes place.
The tunnel is closed after the station authenticates. However, the final RADIUS
Access-Accept packet distributes new keying information for the wireless association.
Benefits
Like EAP-TLS, EAP-TTLS and PEAP provide strong, mutual authentication and dynamic
key distribution. Because TTLS and PEAP use encrypted tunnels to secure usernames
and passwords (rather than requiring digital certificates on stations), you can
implement these methods more easily than you can TLS.
TTLS has one unique benefit: it always protects the username. Depending on how
PEAP is implemented, the username might be transmitted in plain text, allowing a
hacker to detect the user's identity and possibly lock the user out of his or her
account.
Complete 802.1X process
This illustration outlines the entire 802.1X process. The authenticator initiates the
process when the station is associated with the AP. The authenticator then relays EAP
messages between the station and the RADIUS server, encapsulating the messages in
RADIUS format for the server. (This illustration and the steps below use an AP as the
authenticator, but the authenticator could also be an MSM Controller.)
More precisely, the steps are as follows:
1.
2. Either the AP or the station can initiate EAP: the AP sends an EAP Request/
Identity packet to initiate the process; the station sends an EAPOL Start packet.
3. After the AP issues an EAP Request/Identity packet, the station responds with its
identity (either its MAC address or a username).
The AP relays the EAP Response/Identity to the RADIUS server to initiate the
authentication process. The AP copies this message into the EAP field of a
RADIUS NAS Access-Request and also adds information such as its own MAC
address and the station's WLAN.
4. The RADIUS server selects a particular EAP method based on the user's identity
and other criteria. The server initiates this EAP method, requesting credentials
from the station. The AP relays the EAP message to the station, decapsulating it
from the RADIUS packet.
The station sends a reply, and the exchange proceeds as dictated by the
particular EAP method.
EAP methods appropriate for wireless networks include the exchange of key
material. By the time the authentication is completed, the station should have all
the material necessary for generating a shared encryption key.
5. If the station authenticates successfully, the RADIUS server transmits an Access-Accept
packet, including an encapsulated EAP-Success packet.
When the AP receives the Access-Accept packet, it enables the controlled port
and relays the EAP-Success packet to the station. The station now has network
access (although the user's rights might be limited by access control lists, or
ACLs).
6. The RADIUS server transmits an EAPOL Key packet to the AP so that it can
generate the same key that the station has generated. You will learn more about
these keys in the next section, which describes the encryption options for wireless
networks that use 802.1X. For now, you should simply remember that 802.1X
authentication has become an integral part of the secure generation of
encryption keys.
RADIUS protocol
This module has referred to the fundamental exchange between the supplicant and
the authentication server. In reality, the supplicant and the server do not communicate
directly. Instead, the authenticator (the AP or controller) acts as a proxy to the
RADIUS server.
As mentioned earlier, an 802.1X authenticator can use any AAA protocol to
communicate with the authentication server. RADIUS is an industry-standard protocol
for communications between a device that grants users network access and a device
that authenticates, authorizes, and tracks the users. As such, it is ideal for 802.1X.
In RADIUS terminology, the entity that 802.1X refers to as the authenticator is called a network access server (NAS). The NAS enforces the RADIUS server's policy decisions. For example, acting as a NAS, an AP receives a RADIUS message that a user is allowed to connect. The AP's 802.1X PAE activates the association. The NAS also enforces access controls.
The RADIUS server acts as the policy decision point. It determines whether a user is
who he or she claims to be and decides which policies apply to the user. The server
draws on information stored in a database (either its own database or a directory
service database) to make these decisions.
The NAS and the RADIUS server exchange these packets:
NAS Access-Request
Access-Challenge
Access-Accept
Access-Reject
When used with 802.1X, the NAS acts as a go-between for a station and a RADIUS server, encapsulating the station's EAP messages into RADIUS format. As mentioned earlier, the server must support EAPOL, so that it can read these messages.
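The following Python example is added here to make the encapsulation concrete; it is not part of the HP course material. It builds the RADIUS Access-Request that a NAS sends for an EAP Response/Identity: the EAP packet is copied into EAP-Message attributes, the AP MAC address and SSID go into Called-Station-Id (the MAC:SSID form that RFC 3580 describes), the station MAC into Calling-Station-Id, and the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present is computed as HMAC-MD5 under the shared secret. The server-side functions show the check a RADIUS server performs before it hands the EAP packet to an EAP method. The shared secret, MAC addresses, SSID and identity are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# RADIUS code and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_CALLED_STATION_ID = 30
ATTR_CALLING_STATION_ID = 31
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# EAP code and method type (RFC 3748)
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# Constructed sample values (not from the course material)
SHARED_SECRET = b"example-shared-secret"
AP_MAC = "AA-BB-CC-DD-EE-FF"
STATION_MAC = "00-11-22-33-44-55"
SSID = "CorpWLAN"


def eap_response_identity(eap_id: int, identity: str) -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type(1) Length(1) Value, at most 253 value bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret: bytes, radius_id: int, eap: bytes,
                         ap_mac: str, ssid: str, station_mac: str,
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """What the NAS (AP or controller) sends: the EAP packet copied into
    EAP-Message attributes plus the AP MAC/SSID and the station MAC."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    identity = eap[5:].decode()           # Type-Data of a Response/Identity
    attrs = attr(ATTR_USER_NAME, identity.encode())
    attrs += attr(ATTR_CALLED_STATION_ID, f"{ap_mac}:{ssid}".encode())
    attrs += attr(ATTR_CALLING_STATION_ID, station_mac.encode())
    for i in range(0, len(eap), 253):     # long EAP packets span several attributes
        attrs += attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    # Message-Authenticator is mandatory with EAP-Message: HMAC-MD5 over the
    # whole packet with the attribute value set to 16 zero octets
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs)) + request_authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attributes(packet: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (offset, type, value) for each attribute after the 20-byte header."""
    out = []
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        out.append((pos, attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check: recompute the HMAC-MD5 with the attribute zeroed.
    A packet carrying EAP-Message but no Message-Authenticator is rejected."""
    for pos, attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False


def extract_eap(packet: bytes) -> bytes:
    """Reassemble the EAP packet that the server hands to its EAP method."""
    return b"".join(v for _, t, v in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)


def demo() -> bool:
    eap = eap_response_identity(1, "alice@example.com")
    pkt = build_access_request(SHARED_SECRET, 7, eap, AP_MAC, SSID, STATION_MAC)
    return verify_message_authenticator(SHARED_SECRET, pkt) and extract_eap(pkt) == eap


if __name__ == "__main__":
    print("Access-Request verified and EAP recovered:", demo())
```

A packet whose HMAC-MD5 does not match the shared secret, or that carries EAP-Message without a Message-Authenticator, is what a RADIUS server silently discards; the EAP payload is only passed on after that check succeeds.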
802.1X requirements
AP and controller must support 802.1X.
Network must include an EAPOL-compliant RADIUS server.
MSM Controllers include a RADIUS server.
Station's wireless NIC and client utility must support 802.1X with EAPOL.
Native support in Windows 2000 SP1 and above
802.1X delivers more than 802.11 authentication, but it also demands more.
First, the AP and the controller must support this authentication standard. As you
learned in Module 1, the MSM APs and MSM Controllers both support 802.1X.
Your network also requires a RADIUS server (or other AAA server) that supports
EAPOL. The MSM Controllers provide an internal RADIUS server, or you can use a
third-party RADIUS server such as Microsoft Network Policy Server (NPS). With the
MSM Controllers, you can also authenticate users to Active Directory.
In addition, stations that access the wireless network must support 802.1X with
EAPOL. If a legacy wireless NIC does not support 802.1X, the station can still
authenticate as long as it includes a separate client utility that supports EAPOL. In
other words, the station must include one of the following:
Figure 4-14: Certificates required for 802.1X

EAP method   RADIUS server certificate    Supplicant certificate
EAP-TLS      Yes (trusted by clients)     Yes
EAP-TTLS     Yes (trusted by clients)     No
PEAP         Yes (trusted by clients)     No
Several of the EAP methods about which you have learned use digital certificates as
authentication credentials, as the source for the keys that secure an SSL tunnel
between the client and the server, or both. The table in Figure 4-14 indicates common
EAP methods and which components of the 802.1X process require certificates for
that method. As you see, the RADIUS server requires a certificate for all of these
methods.
When the MSM Controller acts as the RADIUS server, it requires the certificate. The
controller supports multiple certificates; it uses whichever certificate is specified as the
local certificate for the RADIUS EAP usage.
For EAP-TLS, the controller also requires a list of trusted CA certificates. It uses these certificates to check the signatures on clients' certificates. If the certificate is valid, and if the subject name matches a local user account, the controller accepts the authentication.
Installing certificates on the MSM Controller
Local certificate:
Create the certificate request and private key offline.
CA certificate:
Install the CA certificate for the CA that signed clients' certificates.
Add to the CA list for the RADIUS EAP usage.
Only required for EAP-TLS.
Figure 4-15: Installing certificates on the MSM Controller
At factory default settings, the controller has a self-signed certificate which its RADIUS server uses. This certificate enables the controller to support local authentication for 802.1X. However, clients will not trust the certificate and authentication will fail.
Although you can disable validation of the server certificate on the clients, this step is not generally recommended. It increases administrative burden and decreases security. Instead, you should install a certificate that is signed by a trusted CA on the MSM Controller. Depending on the company's environment or policies, the trusted CA might be a Windows domain CA that the company manages or a third-party CA.
To install the certificate on the MSM Controller, follow these steps (the company's certificate administrator might complete steps 1 through 3; you should provide the guidelines below to that administrator):
1. Create the certificate request and private key offline. Request the following key usages for the certificate:
digitalSignature
keyEncipherment
serverAuth
clientAuth
Finally, you need to make sure that the private key is saved in a way in which
you can export it. (You will need to install it on the MSM Controller.) Most
certificate request applications will prompt you to secure a reproducible key with
a password; you should use a strong one (with random alphanumeric
characters).
If you are using a Windows CA, you can use the Web request windows or the
Certificate request wizard. Valid certificate templates include the template for
IAS or for Web servers (the latter, only if you are not using EAP-TLS). Make sure,
however, that you can request an exportable private key.
2.
3. After the CA returns the signed certificate, combine the certificate with the saved private key in a PFX file. Again, you can use an application such as OpenSSL.
If you saved the private key with a password, you will be prompted to enter this
password. Typically, you will also be prompted to save the PFX file with a
password, which administrators must enter when they attempt to install the
certificate. Again, it is recommended that you set a strong password.
4.
5.
b. In the lower section of the window, which includes the controller's local certificates, click the Browse button.
c.
d.
e. Click Install.
b.
c.
d. Click Save.
The RADIUS EAP certificate usage window also includes a section in which you set the trusted CA certificates. You only need to complete this step when the MSM Controller is enforcing EAP-TLS.
6. Obtain the CA certificate for any CA that will sign clients' certificates.
7.
b.
c.
d. Click Install.
e.
8. Add these certificates to the trusted CA list for the RADIUS EAP usage.
a.
b.
c.
d. Click Add.
e.
f.
g. Click Save.
Although 802.1X was originally designed for Ethernet networks, product developers quickly recognized the benefits this security method would bring to wireless networks.
Your facilitator will organize learners into groups and assign each group a question
to answer. After you discuss the answer with the members of your group, appoint a
member of the group to present your answers to the remainder of the group:
1.
2.
3.
Figure 4-17: 802.1X encryption options
802.1X satisfies the authentication requirement for security for an 802.11 network. Because most EAP methods allow for securely negotiating encryption keys, 802.1X can be used with the following encryption standards:
WPA
Dynamic WEP
As the next section in this module explains, these encryption methods provide varying degrees of confidentiality and integrity.
WPA
History
Designed to address WEP's vulnerabilities but run on WEP-capable software
Provided an interim solution before 802.11i (WPA2) was ratified
Authentication options
Preshared keys: less secure option
802.1X: true user authentication
Because WEP was cracked almost as soon as it was released as part of the IEEE 802.11 standard in 1999, the IEEE 802.11i task force set to work on a new standard, which was completed in 2004. In the meantime, however, companies needed an interim security solution, particularly since hackers certainly were not waiting years to attack. The Wi-Fi Alliance designed WPA as an interim solution until the ratification of 802.11i.
WPA and WPA2 were developed in accordance with the 802.11i standard: WPA meets only the first part of the standard, which provides for backward compatibility with WEP equipment, while WPA2 meets the complete standard. You should use WPA2 unless you have legacy stations that do not support it.
WPA consists of a series of compromises between two overarching goals.
On the one hand, WPA had to address WEP's vulnerabilities, providing:
On the other hand, WPA had to be backward compatible with WEP hardware, eliminating the need for expensive upgrades to equipment.
Synchronizing the refreshing of unicast and global keys on APs and stations via various handshakes
Michael
Hackers can predict how to alter WEP-encrypted frames in a way that conceals the tampering. To meet the requirement for true data integrity, WPA designers introduced Michael. When transmitting a frame, Michael hashes the frame payload with a MIC key to produce a cryptographically secure 8-byte message integrity check (MIC), which is then appended to the payload. When receiving a frame, Michael checks the MIC, implementing countermeasures if it detects an error.
Authentication options
802.1X provides true user authentication. In addition, 802.1X authentication lays the
foundation on which TKIP builds secure, per-frame keys.
To accommodate home and small-office networks, which may not include an AAA
server, WPA defines a Personal mode that uses preshared keys for authentication.
This mode will be discussed later in this module.
Requirements
Stations must have a wireless card and a wireless client utility that support WPA. The
table below summarizes which versions of Windows include support for Wireless
Zero Configuration, the Windows client utility, and WPA. You might also be able to
obtain a WPA-compliant configuration tool from your wireless NIC vendor.
Windows version                          Wireless Zero Configuration
Vista or 7                               Yes
XP with Service Pack 2 (SP2) or above    Yes
2000                                     Not applicable
Wireless Security
TKIP
1. Receives pairwise master keys (PMKs) from a RADIUS server when it is used in conjunction with 802.1X authentication
2. Distributes refreshed pairwise and global keys, called transient keys, through periodic handshakes
3.
Because keys are generated randomly and never transmitted unsecured over the network, they are not vulnerable to leaks and dictionary attacks in the way WEP keys are.
Figure 4-20: TKIP key distribution: four-way handshake for a pairwise key
Distributing keys
TKIP's dynamic distribution system significantly enhances the security of the network by:
Its own and the AP's nonce: The randomly generated nonces, which are different for each new handshake, make transient keys unique.
The first two keys serve only to secure the exchange of keys.
The station transmits the TK to TKIP for generating per-frame keys. Michael uses the MIC key to preserve data integrity.
2. The station transmits its nonce to the AP, so the AP can follow the same process to generate identical keys. The station also creates a MIC with the KCK and appends it to the packet. After the AP generates the KCK itself, it verifies the packet. An incorrect MIC indicates a man-in-the-middle attack, so the AP terminates the handshake.
3. The AP acknowledges that it has installed the new keys. The packet the AP sends can optionally include a GTK encrypted with the KEK to refresh the global key.
4.
Figure 4-21: TKIP key distribution: two-way handshake for group key
HP Employee self-study use only. Reproduction or transfer outside of HP in whole or in part is prohibited.
WPA2 (802.11i)
Recommended encryption option
Highly secure
Authentication options
802.1X: true user authentication
Preshared keys: less secure option
WPA supports a subset of 802.11i and provides backward compatibility with WEP equipment. WPA2, on the other hand, is fully compatible with 802.11i. You should use WPA2 for the following reasons:
Strong encryption
AES operates under the Counter Mode with Cipher Block Chaining Message
Authentication Code (CBC-MAC) Protocol (CCMP). Using handshakes similar to
TKIPs, CCMP also distributes and refreshes the keys necessary for AES.
The bulk of WPA2's added security originates in the strength of the AES block cipher. For WPA2, AES operates in counter mode, a mode that:
Encryption-based integrity
CCMP/AES creates a cryptographically secure, 8-byte hash, or MIC, to verify a frame's authenticity. The protocol calculates the MIC by operating on the frame payload, as well as information from the frame's header, with the same temporal key used to encrypt the payload. However, this operation uses Cipher Block Chaining (CBC) rather than AES counter mode.
The most important concepts for you to understand are:
Authentication
Because 802.1X currently provides industry-standard secure authentication, WPA2
relies on the same authentication as WPA. In addition to 802.1X, WPA2, like WPA,
can use preshared keys, an option described later in this module.
Requirements
Stations must have a wireless card and a wireless client utility that support WPA2.
The table below summarizes which Windows versions support Wireless Zero
Configuration and WPA2. You might also be able to obtain a WPA2-compliant
configuration tool from your wireless NIC vendor.
Windows version          Wireless Zero Configuration
Vista or 7               Yes
Windows XP with SP3      Yes
Server 2003              No
2000                     Not applicable
CCMP/AES
The main difference between CCMP/AES and TKIP is the greater security of the encryption method. The key hierarchy and distribution process, however, are quite similar:
Each station generates its PMK, preferably as part of the 802.1X authentication to a RADIUS server. The AP also knows the PMK.
The AP periodically expands each PMK into a new PTK, which it distributes to the station via a four-way handshake. The AP uses either the four-way handshake or a two-way handshake to distribute refreshed GTKs to all stations.
Unlike TKIP, CCMP uses the same key to secure data and the MIC. As a result, CCMP requires only 128 bits for the GTK and 384 bits for the PTK. The entire GTK is used to create the per-frame keys for global traffic while the PTK first divides into three 128-bit keys:
The KCK and the KEK for securing the key distribution handshakes
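The Python below is an added example, not code from the course, that serves both the four-way handshake steps described earlier and the CCMP key hierarchy just described. It carries the pairwise key derivation through with the 802.11i PRF: the PMK, both MAC addresses and both nonces are expanded by PRF-384 into the 384-bit PTK, which is split into the KCK, KEK and TK of 128 bits each. It then replays messages 1 and 2 of the four-way handshake: the station sends its nonce with a MIC computed under the KCK, and the AP derives the same PTK from the same inputs and verifies the MIC, dropping the handshake when the peer does not hold the same PMK. The MAC addresses are constructed sample values, and the message-2 layout (SNonce followed by the MIC) is a simplification of the real EAPOL-Key frame.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed sample values (not from the course material)
AP_MAC = bytes.fromhex("aabbccddeeff")       # AA, the authenticator address
STATION_MAC = bytes.fromhex("001122334455")  # SPA, the supplicant address


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(K, A || 0x00 || B || i) for i = 0, 1, ...
    concatenated and truncated to nbytes (PRF-384 for CCMP needs 48 bytes)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> Dict[str, bytes]:
    """Expand the PMK into the CCMP PTK and split it into KCK, KEK and TK (128 bits each).
    Sorting the addresses and nonces makes the result the same on both sides."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_key_mic(kck: bytes, body_with_zero_mic: bytes) -> bytes:
    """Key MIC for descriptor version 2 (AES-CCMP): HMAC-SHA1 over the frame with
    the MIC field zeroed, truncated to 128 bits."""
    return hmac.new(kck, body_with_zero_mic, hashlib.sha1).digest()[:16]


def station_message2(pmk: bytes, anonce: bytes, snonce: bytes) -> Tuple[bytes, Dict[str, bytes]]:
    """Supplicant side: derive the PTK, then send SNonce with a MIC under the KCK.
    Body layout (SNonce || MIC) is a simplification of the real EAPOL-Key frame."""
    ptk = derive_ptk(pmk, AP_MAC, STATION_MAC, anonce, snonce)
    mic = eapol_key_mic(ptk["KCK"], snonce + bytes(16))
    return snonce + mic, ptk


def ap_verify_message2(pmk: bytes, anonce: bytes, message2: bytes) -> bool:
    """Authenticator side: read SNonce, derive the same PTK, and check the MIC.
    A bad MIC means the peer does not hold the PMK, so the handshake is dropped."""
    if len(message2) != 48:
        return False
    snonce, received_mic = message2[:32], message2[32:48]
    ptk = derive_ptk(pmk, AP_MAC, STATION_MAC, anonce, snonce)
    expected = eapol_key_mic(ptk["KCK"], snonce + bytes(16))
    return hmac.compare_digest(received_mic, expected)


def run_handshake(station_pmk: bytes, ap_pmk: bytes) -> bool:
    """Messages 1 and 2 of the four-way handshake with fresh random nonces."""
    anonce = os.urandom(32)  # message 1: AP -> station carries ANonce
    snonce = os.urandom(32)
    message2, _ = station_message2(station_pmk, anonce, snonce)  # message 2: station -> AP
    return ap_verify_message2(ap_pmk, anonce, message2)


if __name__ == "__main__":
    pmk = os.urandom(32)
    print("same PMK on both sides:", run_handshake(pmk, pmk))
    print("station with a different PMK:", run_handshake(os.urandom(32), pmk))
```

The nonces are what make each PTK unique: the same PMK with a different SNonce yields a completely different KCK, KEK and TK, which is why the keys can be refreshed without redoing the 802.1X authentication.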
CCMP/AES (cont.)
An entire book could be devoted to the intricacies of WPA2 and CCMP/AES. This guide focuses on explaining WPA2's improvements at a relatively high level:
Operating in counter mode, AES generates unique key streams and encrypts data. AES is the most important security enhancement of WPA2 over WPA. This algorithm is simply stronger than the algorithm used by WEP and TKIP, despite all of TKIP's fixes.
CCMP's method of calculating the MIC relies on encryption and is tamper-resistant.
The output is a 128-bit keystream, which then encrypts plain-text data in much the same way as a stream cipher, using a simple XOR operation.
Note
A binary exclusive OR (XOR) operation takes two binary inputs (in this case, the plain-text data and the keystream) and produces an output, which is the encrypted text. The XOR operation produces a 1 if the input bits are different and 0 if the input bits are the same. For example, if the plain-text bit is 0 and the keystream bit is 0, the encrypted bit is 0.
The next 128-bit block of data will be XORed with a different key stream, the one created by encrypting the second counter block with the block cipher and TK. Because each block of data is encrypted with a unique, securely generated key stream, the same block of plain text never produces the same block of cipher text, and encrypted data remains quite secure (vastly more secure than WEP-encrypted data).
Using a block cipher that mimics a stream cipher makes CCMP more resistant to errors, an important advantage in the wireless medium. A bit corrupted during transmission only affects one decrypted bit instead of an entire block of data.
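To make the counter-mode description concrete, the Python below is an added example, not code from the course. It encrypts data block by block with keystream produced from successive counter blocks and a single XOR, as described above. Because the Python standard library has no AES, a SHA-256-based keyed function stands in for the block cipher (an assumption that keeps the counter-mode structure intact but is not AES); the per-frame nonce and TK are constructed values. The example shows that two identical plain-text blocks encrypt to different cipher-text blocks, that decryption is the same operation as encryption, and that a single bit corrupted in transit changes exactly one decrypted bit.

```python
import hashlib
from typing import Tuple

BLOCK = 16  # AES block size in bytes

# Constructed sample key material (not from the course material)
TK = bytes(range(16))   # temporal key
NONCE = bytes(12)       # per-frame nonce; CCMP derives it from the packet number


def block_cipher(tk: bytes, block: bytes) -> bytes:
    """Stand-in for AES (assumption: no AES in the standard library). Any keyed
    pseudo-random function preserves the counter-mode structure shown here."""
    return hashlib.sha256(tk + block).digest()[:BLOCK]


def counter_block(nonce: bytes, i: int) -> bytes:
    """Counter block i for one frame: 12-byte nonce plus a 4-byte block counter."""
    return nonce + i.to_bytes(4, "big")


def ctr_crypt(tk: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: encrypt counter block i under the TK to get keystream block i,
    then XOR it with data block i. Encryption and decryption are the same operation,
    and a short final block simply uses a prefix of the last keystream block."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = block_cipher(tk, counter_block(nonce, i // BLOCK))
        out += bytes(p ^ k for p, k in zip(data[i:i + BLOCK], keystream))
    return bytes(out)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a single-bit corruption on the wireless medium."""
    byte_index, bit = divmod(bit_index, 8)
    out = bytearray(data)
    out[byte_index] ^= 1 << (7 - bit)
    return bytes(out)


def differing_bits(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def error_propagation(tk: bytes, nonce: bytes, plaintext: bytes, bit_index: int) -> int:
    """Corrupt one cipher-text bit in transit and count how many plain-text bits change."""
    ciphertext = ctr_crypt(tk, nonce, plaintext)
    damaged = ctr_crypt(tk, nonce, flip_bit(ciphertext, bit_index))
    return differing_bits(plaintext, damaged)


def identical_blocks_encrypt_differently(tk: bytes, nonce: bytes) -> Tuple[bool, bool]:
    """Return (the two cipher-text blocks differ, the round trip restores the plain text)
    for a plain text made of two identical blocks."""
    plaintext = b"A" * BLOCK * 2
    ciphertext = ctr_crypt(tk, nonce, plaintext)
    return ciphertext[:BLOCK] != ciphertext[BLOCK:], ctr_crypt(tk, nonce, ciphertext) == plaintext


if __name__ == "__main__":
    print("identical blocks differ, round trip ok:", identical_blocks_encrypt_differently(TK, NONCE))
    print("plain-text bits changed by one corrupted bit:",
          error_propagation(TK, NONCE, b"The quick brown fox jumps over the lazy dog", 37))
```

The same structure is why the nonce must never repeat under one TK: two frames encrypted with the same counter blocks would share keystream, and CCMP's packet number exists to guarantee that each frame gets fresh counter blocks.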
Hole 196
GTKs in WPA/WPA2 open a vulnerability called Hole 196:
All stations and the AP share the same GTKs, and these keys do not provide
data authenticity.
A malicious authorized user can send a message encrypted with the GTK to
other stations, spoofing the AP MAC address (BSSID, or Basic Service Set
Identifier).
With this message, the hacker can implement a number of attacks. One of the most dangerous is an ARP poisoning attack. ARP poisoning occurs when a hacker forges an ARP response that binds the wrong MAC address to an IP address. Other devices then send traffic to the wrong location.
Hole 196 is not a weakness in the encryption, and WPA2 has not been cracked. Instead, Hole 196 is a vulnerability (exploitable by authorized users only) in the way WPA/WPA2 works. If you are concerned that authorized users could launch such an attack, you can implement a wireless IDS/IPS, such as HP RF Manager Controller and the MSM415 sensor, which detects stations spoofing the AP MAC address.
WPA/WPA2 compatibility
WPA and WPA2 stations can join the same WLAN but must use the required encryption.
802.11i Mixed mode allows both types of encryption:
Station can use either a TKIP or an AES pairwise key.
AP distributes a TKIP group key.
The two WPA versions correspond loosely to encryption protocols. WPA stations always support TKIP, and WPA2 stations always support CCMP/AES. However, WPA stations, with the proper software and hardware, can use AES. WPA2 stations support backward compatibility with TKIP.
Because WPA and WPA2 overlap in many ways, stations of both types can join the
same WLAN. However, all stations in the WLAN must use the required encryption
standard. For example, if the WLAN requires AES encryption, WPA stations can join
only if they support such encryption, even though AES is optional under WPA.
802.11i Mixed Mode allows simultaneous support for multiple encryption standards
so that networks can migrate from TKIP with WPA to CCMP/AES with WPA2. Mixed
Mode allows stations to choose either a TKIP or AES key for unicast traffic.
The Mixed Mode group key is always a TKIP key. Because both WPA and WPA2
stations must support this standard, all stations can encrypt and decrypt broadcasts
and multicasts.
Dynamic WEP
Generates keys as part of the 802.1X authentication process
Narrows the window for an attack with per-session and rotating keys
WEP defines a process for encrypting data with a symmetric key. It does not dictate
how wireless stations receive this key. Static WEP encryption is weak because it uses
the same key again and again.
Two closely related barriers stand in the way of changing WEP keys often enough for
any level of security:
Dynamic WEP overcomes both of those barriers with 802.1X. First, 802.1X
authentication frees the encryption key from its double-duty of providing both
confidentiality and authentication. Second, the 802.1X process is co-opted for
generating a unique, per-session key at the beginning of each association.
Per-session unicast keys and securely distributed global keys greatly increase security.
Periodic key rotation helps to prevent hackers from collecting enough packets encrypted
by the same key to crack the key. 802.1X centralizes key distribution, making dynamic
WEP not only more secure, but also easier to manage than static WEP.
Despite all these improvements, dynamic WEP is vulnerable to all the attacks that have compromised static WEP (although the windows of vulnerability are much narrower with dynamic WEP). Consequently, per-session keys can be cracked. Per-frame keys, a more secure option, would require excessively frequent key rotation and a prohibitive amount of overhead. Periodically rotating both session and global keys is usually a better solution for dynamic WEP than per-packet keys, and this is how the HP mobility infrastructure solutions implement dynamic WEP.
Activity: Advantages of using WPA/WPA2
What are the advantages of using WPA2? Why should you use WPA2, rather than WPA, whenever possible?
Best practices:
Use WPA2 (particularly for 802.11n) or WPA encryption
Disable Access Control
Enable Fast Roaming
Access the Add New VSC Profile window to configure VSC settings.
Figure 4-28: Configure 802.1X on the MSM Controller
Configuration decisions
Before you begin configuring 802.1X as the security for a VSC, you must make some decisions. For example, you must determine if you will use the controller's internal RADIUS server or an external RADIUS server. If you have an existing RADIUS server, you will probably want to configure that RADIUS server to support authentication requests from wireless users. (The configuration steps vary, depending on what RADIUS server you are using.)
If your company does not have an existing network RADIUS server, you may want to use the controller's internal RADIUS server. Keep in mind, however, that the RADIUS server is intended for small hotspots or enterprise networks. If you have a large-scale wireless network, you should probably deploy a network RADIUS server. You can then extend 802.1X authentication to all users on the wired network and management access for network infrastructure devices.
In addition, you must determine if you want the AP or the controller to handle the
authentication process for wireless users. The Use Controller for Authentication setting
in the VSC enforces your decision. If you clear the check box, the AP handles
authentication; if you select the check box, the controller handles it.
You must have the controller handle the authentication process if you are using the controller's internal RADIUS database to authenticate users. You may also want the controller to handle authentication if you are using an external RADIUS server and you want the controller to be the only RADIUS client for wireless traffic. This setup will simplify configuration on the RADIUS server. (However, there are other ways to simplify this setup. For example, you can configure an external RADIUS server to support all RADIUS clients on a subnet.)
Although the MSM APs are sending only authentication traffic (which is a relatively
small amount of traffic) to the MSM Controller, you must still evaluate the impact of
that traffic. For example, how will the authentication traffic affect traffic flow on the
wired network? You must also ensure that the wired network does not introduce
latency to the authentication process.
Next, you must decide if you want all the VSC traffic to be placed into the same
VLAN or if you want the RADIUS server to send the AP or controller a user-assigned
(dynamic) VLAN assignment. For example, you may want all the users who access a
VSC and authenticate successfully to be assigned to VLAN 10. Alternatively, you may
want the RADIUS server to send a dynamic VLAN assignment when users
authenticate successfully. You could have the RADIUS server send all marketing users
a dynamic VLAN of 70 and all manufacturing users a dynamic VLAN assignment of
80.
Dynamic VLAN assignments override a static VLAN. (You will learn how to configure
a static VLAN by binding a VSC to an AP group on the following page. You will also
practice configuring VSC bindings in the lab.)
Best practices
When configuring 802.1X, keep in mind the following best practices:
Enforce WPA2 - As mentioned earlier in this module, you should use WPA2 to
protect wireless communications. This is particularly important for 802.11n
because the standard requires it.
Use a non-access-controlled VSC - Disable the Use the Controller for access
control option, as shown in the figure below.
To configure a VSC, you click Controller > VSCs >> Overview > Add New VSC
Profile (as shown in the figure above). You will practice configuring a VSC that is
secured with 802.1X and WPA2 in Lab Activity 4.1.
If you want all VSC traffic placed into the same VLAN, you bind the VSC to an AP
group. As you would expect, the VSC is then bound to all the APs that are part of
that AP group.
To access the VSC binding window, select an AP group in the navigation tree and
click VSC bindings. Then click Add New Binding.
You then configure the following settings:
VSC profile - Use the drop-down menu to select the VSC you want to bind to this
group.
Egress network - Use the drop-down menu to select the network profile that
defines the VLAN.
Lab Activity 4.1
Use the automated workflow to implement a VSC with WPA/WPA2 and
802.1X.
In this lab, you will configure a VSC that is secured with 802.1X and WPA/WPA2.
You will first configure the VSC to use the internal RADIUS server and test the
configuration by authenticating a wireless user. You will then change the VSC settings
to use an external RADIUS server.
Your lab guide contains the instructions for performing this lab activity.
Key Insights
Use the space below to record your thoughts about various deployment strategies
that you explored during Lab Activity 4.1.
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Discussion topics
802.1X with WPA/WPA2 or dynamic WEP
WPA/WPA2-PSK
Web-Auth
MAC-Auth
WEP
Additional security measures
Figure 4-32: Discussion topics
This section describes a less secure option for authentication: using WPA/WPA2 with
preshared keys.
WPA/WPA2-PSK (personal mode)
Less secure than 802.1X
Preshared key provides:
Authentication
Master keys for TKIP or CCMP/AES encryption
As mentioned earlier, both WPA/WPA2 and the 802.11i standard on which they are
based specify an exception for the 802.1X requirement. Instead of authenticating
through 802.1X, all users can authenticate by entering the same preshared key. Wi-Fi
also calls this option Personal mode.
WPA/WPA2-PSK allows small businesses without an EAPOL-compatible RADIUS
server to take advantage of the stronger encryption offered by TKIP or CCMP/AES.
You might also select this variant of WPA/WPA2 if you must configure a WLAN for
guests with stations that might not support 802.1X.
802.1X typically helps APs and stations derive unique keys from which other keys are
derived. For WPA/WPA2-PSK, all keys are derived from the preshared key instead.
However, each station still computes its own per-frame keys.
Like open-system WEP, WPA/WPA2-PSK institutes a de facto, rather than formal,
authentication. A user who enters the incorrect preshared key completes the 802.11
association, but the TKIP or CCMP handshake fails, and the station cannot forward
data.
Now that you understand TKIP (or CCMP) handshakes, you should understand how a
WPA preshared key enforces de facto authentication. The preshared key acts as the
PMK for WPA-PSK.
If a station and an AP have different preshared keys, or PMKs, they derive different
PTKs. From the PTKs, they in turn derive different KCKs. When the AP uses its KCK to
check the station's response in the four-way handshake, the check fails. The AP drops
the response, and the station, although formally associated with the AP, can never
complete the handshake. Typically, the station then disassociates itself.
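How the preshared key feeds the handshake described above, as an added example that is not HP or MSM code: the PMK is derived from the passphrase and SSID, the PTK and its KCK from the PMK, and the AP checks the Key MIC on message 2 with its own KCK. The MAC addresses, nonces and the EAPOL-Key stand-in are constructed values, and the PTK length assumes CCMP (48 bytes).

```python
"""Why a wrong WPA/WPA2 preshared key fails the four-way handshake (added example)."""
import hashlib
import hmac


def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label | 0x00 | data | counter) blocks."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    48 bytes for CCMP: KCK (16) | KEK (16) | TK (16). TKIP would use 64."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def key_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (CCMP): HMAC-SHA1 truncated to 16 bytes,
    computed over the EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# Constructed session values: AP (authenticator) and station (supplicant) addresses, nonces.
AA = bytes.fromhex("0003520a0f01")
SPA = bytes.fromhex("001122334455")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# Constructed stand-in for EAPOL-Key message 2 with its 16-byte MIC field zeroed.
MSG2_BODY = b"\x02\x03" + SNONCE + b"\x00" * 16


def station_message2(passphrase: str, ssid: str) -> bytes:
    """Station side: PMK -> PTK -> KCK from its own key, then the MIC it sends in message 2."""
    ptk = derive_ptk(psk_to_pmk(passphrase, ssid), AA, SPA, ANONCE, SNONCE)
    return key_mic(ptk[:16], MSG2_BODY)


def ap_accepts(ap_passphrase: str, ssid: str, received_mic: bytes) -> bool:
    """AP side: recompute the MIC with the AP's KCK; a mismatch means a different PMK."""
    ptk = derive_ptk(psk_to_pmk(ap_passphrase, ssid), AA, SPA, ANONCE, SNONCE)
    return hmac.compare_digest(key_mic(ptk[:16], MSG2_BODY), received_mic)


def handshake_succeeds(ap_passphrase: str, station_passphrase: str, ssid: str) -> bool:
    """True only when both sides started from the same preshared key."""
    return ap_accepts(ap_passphrase, ssid, station_message2(station_passphrase, ssid))


if __name__ == "__main__":
    print(handshake_succeeds("password", "password", "IEEE"))  # True
    print(handshake_succeeds("password", "passw0rd", "IEEE"))  # False: AP drops message 2
```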
Discussion topics
802.1X with WPA/WPA2 or dynamic WEP
WPA/WPA2-PSK
Web-Auth
Web-Auth overview
Web-Auth advantages and disadvantages
MAC-Auth
WEP
You will now learn about Web-Auth, an authentication option that is typically used
for guests.
Used for:
Guest access
Public wireless networks
Small-to-medium organizations
Wireless network access used to be a perk. Today, however, users expect it. Now, in
addition to accommodating regular employees, companies need to provide wireless
access for guests or partners. Customers and other guests request network services
such as Internet access, and if companies do not provide these network services to
them, their competition will.
In these situations, you cannot be sure that all users' stations will support 802.1X or
particular EAP methods. You cannot help the users configure their stations correctly to
complete the authentication. On the other hand, you do not want to open your
wireless and wired network to anyone with a wireless NIC.
Web-Auth is one solution for this type of network access. As the name suggests,
Web-Auth makes it easy for users to access the network through their familiar Web
browser interface. They can then connect to the Internet with a minimum of hassle.
Disadvantages
Does not require encryption
Requires input from users
Advantages of Web-Auth
Security solutions such as WPA/WPA2 require specific capabilities, but any station
can authenticate to a wireless network that uses Web-Auth as long as the user has a
legitimate username and password and a Web browser.
Web-Auth also allows you to open parts of your network to guests by providing
limited access to unauthenticated users. Choose Web-Auth when you want to provide
limited network rights or simple Internet access to the public. For example, suppose
your company is a retail store with wireless network access for managers and
support staff. Customers, however, can bring their own devices and reach a Web
page that provides information about products and upcoming promotions.
Other environments with external users who may benefit from Web-Auth include:
Hospitals
Universities
Cafés, libraries, hotels, airports, and other businesses that provide courtesy
wireless networks
Disadvantages of Web-Auth
Web-Auth does not require encryption.
Because Web-Auth requires interaction with the user, you cannot use it to
authenticate stations or devices without a user interface.
The MSM Controllers provide more for guest access than Web-Auth. You will learn
more about these sophisticated guest solutions and begin configuring them in the
next module.
Discussion topics
802.1X with WPA/WPA2 or dynamic WEP
WPA/WPA2-PSK
Web-Auth
MAC-Auth
MAC-Auth overview
Local MAC-Auth
Remote MAC-Auth
Activity: Advantages and disadvantages of using MAC-Auth
Configuring MAC-Auth on the MSM Controllers
Lab Activity 4.2
WEP
Additional security measures
Figure 4-39: Discussion topics
MAC-Auth overview
Access control for stations with limited authentication capabilities
All 802.11 authentication requests include the station's MAC address.
This address is checked against:
MAC address list that is stored on an AP or controller
Login credentials that are configured in a RADIUS server
MAC-Auth, which is one of the most basic security options available, adds only
minimal protection to 802.11's open-system authentication.
Although the IEEE 802.11 specification does not require MAC-Auth, and MAC-Auth
is not as secure as other authentication options, many vendors support it because it
is the only option for devices that do not have a user interface or support for 802.1X.
Typically, an AP accepts all 802.11 authentication requests. When MAC-Auth is
enforced, however, the AP or controller (depending on which device is handling
authentication) filters requests according to the source MAC address in the request
frame's header. Because all stations must include their MAC address in the request
frame, all stations can be controlled through MAC authentication.
Two types of MAC-Auth are available:
Local MAC-Auth
With local MAC-Auth, the AP or controller checks access requests against lists stored
locally. Typically, two types of lists are supported:
Allow list - a list of addresses allowed to associate with the AP. This list might
also be called a white list.
Deny list - a list of addresses prohibited from associating with the AP. This list
might also be called a block or black list.
Remote MAC-Auth
RADIUS MAC-Auth
AP or controller translates the station's request to RADIUS format and sends it
to a RADIUS server.
1. The AP or controller copies the source MAC address of the station's request into
the packet's username field. The AP must use the format in which the address is
stored on the RADIUS server. (For example, if the RADIUS server uses delimiters,
the AP must use delimiters.)
2. The AP or controller can place one of several values in the password field.
Typically, the AP or controller copies the station's MAC address into this
field using the same format that is used for the username.
The RADIUS server checks the username and password against its database. If the
values match, the RADIUS server issues an Access-Accept, and the AP sends an
authentication-success response to the station. Otherwise, the RADIUS server issues
an Access-Reject, and the AP forwards an authentication-denied response to the
station.
For this activity, your facilitator will organize the class into groups and ask each
group to list the advantages and disadvantages of using MAC-Auth to secure
wireless communications. Consider the following questions to determine the
advantages and disadvantages:
1.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
2.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
3.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
4.
Why might you use RADIUS MAC-Auth as opposed to MAC filters and vice
versa?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Configuring MAC-Auth on the MSM Controllers
RADIUS:
Remote (network) RADIUS server
Local (internal) RADIUS server
The MSM Controller supports MAC-Auth through a network RADIUS server or its own
internal RADIUS server. When configured to support MAC-Auth, the MSM Controller
copies the station's MAC address into the password field, using the same format that
is used for the username.
If you want to use a remote, or network, RADIUS server, you have two options for
configuring the VSC:
Enable the Use Controller for Authentication option for a VSC - If you select this
option, the MSM Controller handles MAC-based authentication. The APs
forward all authentication requests to the controller, and you can configure the
controller to validate user login credentials against a network RADIUS server or
the internal RADIUS server (local user accounts).
When configuring a local user account for MAC-Auth, you enter the MAC
address for both the username and password. Specifically, enter the 12
hexadecimal digits in lowercase without dashes or colons, as follows:
0003520a0f01
Disable the Use Controller for Authentication option for a VSC - If you clear this
option, the APs handle MAC-based authentication. The APs send authentication
requests to a network RADIUS server for validation.
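Both sides of the RADIUS MAC-Auth exchange described in the Remote MAC-Auth steps and in the MSM configuration notes above, including the username/password format an MSM local account expects and the dynamic VLAN reply attributes discussed earlier in the module, as an added example that is not HP or MSM code. The shared secret and the account store are constructed; the attribute numbers come from RFC 2865 and RFC 2868/3580, not from this guide.

```python
"""RADIUS MAC-Auth exchange with a dynamic VLAN reply (added example, not MSM code)."""
import hashlib
import hmac
import re
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868/3580

def format_mac(mac: str, style: str = "msm") -> str:
    """Render a MAC the way the RADIUS server stores it: "msm" is 12 lowercase hex
    digits with no delimiters (0003520a0f01), "colon" is 00:03:52:0a:0f:01."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits if style == "msm" else ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encode_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def decode_password(encoded: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(encoded), 16):
        out += _xor(encoded[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def avp(attr_type: int, value: bytes) -> bytes:
    """Attribute-value pair: type, total length (including these two bytes), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_avps(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_access_request(mac, secret, identifier, req_auth, style="msm"):
    """AP or controller side: User-Name and User-Password both carry the station's MAC."""
    name = format_mac(mac, style).encode()
    attrs = avp(USER_NAME, name) + avp(USER_PASSWORD, encode_password(name, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs

def radius_server(packet: bytes, secret: bytes, accounts: dict) -> bytes:
    """Server side: compare User-Name/User-Password with the account store and reply."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_avps(packet[20:length])
    name = attrs[USER_NAME].decode()
    password = decode_password(attrs[USER_PASSWORD], secret, req_auth)
    account = accounts.get(name)
    reply_code, reply_attrs = ACCESS_REJECT, b""
    if code == ACCESS_REQUEST and account and account["password"].encode() == password:
        reply_code = ACCESS_ACCEPT
        if account.get("vlan"):  # dynamic VLAN: a tag byte 0x00 (unused) precedes each value
            reply_attrs = (avp(TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big"))          # 13 = VLAN
                           + avp(TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big"))  # 6 = 802
                           + avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(account["vlan"]).encode()))
    header = struct.pack("!BBH", reply_code, identifier, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + reply_attrs + secret).digest()
    return header + resp_auth + reply_attrs

def mac_auth(mac: str, secret: bytes, accounts: dict, style: str = "msm") -> tuple:
    """One full exchange; returns (reply code, assigned VLAN or None)."""
    req_auth = secrets.token_bytes(16)
    reply = radius_server(build_access_request(mac, secret, 7, req_auth, style), secret, accounts)
    # The RADIUS client must verify the Response Authenticator before trusting the reply.
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("RADIUS reply failed the Response Authenticator check")
    vlan = parse_avps(reply[20:]).get(TUNNEL_PRIVATE_GROUP_ID)
    return reply[0], (int(vlan[1:]) if vlan else None)

# Constructed sample: the page's example MAC as an MSM local account with dynamic VLAN 70.
SECRET = b"constructed-shared-secret"
ACCOUNTS = {"0003520a0f01": {"password": "0003520a0f01", "vlan": 70}}

if __name__ == "__main__":
    print(mac_auth("00:03:52:0A:0F:01", SECRET, ACCOUNTS))           # (2, 70)
    print(mac_auth("00:03:52:0A:0F:01", SECRET, ACCOUNTS, "colon"))  # (3, None): format mismatch
    print(mac_auth("00-11-22-33-44-55", SECRET, ACCOUNTS))           # (3, None): unknown station
```

The second call shows the caveat from the steps above: a MAC sent with delimiters does not match an account stored without them, so the server rejects a station that is actually on the list.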
You can also configure MAC lockout, which allows you to block particular MAC
addresses. MAC lockout is applied to:
Lab Activity 4.2
Create a VSC that enforces WPA/WPA2-PSK
You will now complete a lab in which you configure a VSC that enforces WPA-PSK.
Key Insights
Use the space below to record your thoughts about various deployment strategies
that you explored during Lab Activity 4.2.
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Discussion topics
802.1X with WPA/WPA2 or dynamic WEP
WPA/WPA2-PSK
Web-Auth
MAC-Auth
WEP
Static WEP
Shared-key WEP
Open-key WEP
Although static WEP is no longer recommended as a security option, you may find
that some companies are using it. This section explains the WEP encryption
algorithm and points out its weaknesses.
WEP was designed to secure wireless networks. Its very name, Wired Equivalent
Privacy, implied that it would provide the same privacy for the shared wireless
medium that users enjoyed on a point-to-point wired connection.
How did WEP measure up? As you have learned, basic wireless security has three
requirements:
Authentication
Confidentiality
Integrity
WEP attempted to meet both authentication and confidentiality needs with a secret
key but, in the end, did not meet either.
Encryption
With WEP, all stations and the AP in a given WLAN must encrypt frames with a
shared key before transmitting them over the wireless medium. The secret key
encrypts the 802.11 payload, not the header. The receiving stations and the AP use
the same key to decrypt the frames. (That is, the key is symmetric.) If the AP receives
a frame it cannot decrypt, it drops the frame.
Encryption occurs between the AP and wireless stations. The AP decrypts traffic
before transmitting it into the wired network, where it travels in plain text.
Authentication
The WEP standard does not mandate how the shared key is established. Static WEP
uses a single key shared between all stations and APs. As a result, the encryption
key also authenticates users: users must know the key in advance for their stations to
associate with the AP.
Two methods are commonly used for sharing the WEP key:
Static WEP
Dynamic WEP
Shared-key WEP
Stations encrypt a challenge to prove they have the key.
Attackers combine plain text challenge and encrypted challenge to derive
the key.
2.
3. The station copies the challenge text into its response. The station then uses its
shared key to encrypt the frame payload and transmits the encrypted response
back to the AP.
4. The AP decrypts the encrypted frame. If the challenge text matches the challenge
the AP sent, it knows the station is using the correct WEP key; the AP transmits
an authentication-success response. Otherwise, the AP replies with an
authentication-failed message and prohibits the station from associating.
Open-key WEP
All stations can authenticate.
AP drops frames encrypted with the wrong key.
Open-key WEP uses 802.11 open-system authentication. In theory, any station can
authenticate and associate to the AP; in practice, however, only stations with the
correct key can connect to the network.
After associating to a WLAN, stations can send data. At this point, the stations must
encrypt every frame with the shared WEP key before transmitting the frame to the AP.
If the AP can decrypt the frame, the AP accepts it. Otherwise, the AP drops the
frame. Because the AP drops all incorrectly encrypted frames, only stations with the
correct key can send data into the network.
Even though, at first glance, open-key WEP seems less restrictive than shared-key,
most network administrators consider open-key WEP more secure: at least it does not
feed hackers information about the WEP key.
As mentioned earlier, neither shared-key nor open-key WEP is a recommended
security option. Hackers can compromise WEP encryption with readily available
tools:
Finally, because you must configure the WEP keys manually on every AP, static WEP
consumes a disproportionate amount of IT resources for the relatively little security it
offers. Best practices dictate that you change the key not only every time an
employee leaves the organization or a device is potentially compromised, but also
periodically. In reality, many networks use the same key for months, if not longer.
Discussion topics
802.1X with WPA/WPA2 or dynamic WEP
WPA/WPA2-PSK
Web-Auth
MAC-Auth
WEP
Additional security measures
You will now learn about some additional security features that the MSM Controllers
and APs support. These features allow you to control which resources users are
allowed to access on the network.
Security filters for VSCs
Wireless security filters
Not generally recommended for non-access-controlled VSCs
With an MSM solution, you can apply additional layers of security in the form of
filters. These filters either restrict wireless traffic or restrict the wireless users allowed
on the network. You configure these filters for individual VSCs.
AP's default gateway - If you select this option, make sure that the wireless
stations have the same default router as the AP. In other words, the stations and
the AP must be on the same subnet (VLAN).
Specified MAC address - Select this option if wireless stations that connect to
this VSC are placed on a different subnet from their AP's default gateway. Enter
the MAC address of the stations' default gateway on their subnet.
Custom list - You can create a custom list of allowed MAC addresses. For
example, you might select this option when wireless users who connect to this
VSC are placed in several different VLANs. They have different default
gateways, and you must specify the MAC address for each gateway.
If the Use the Controller for Access Control option is selected for a VSC, the wireless
security filters are enforced before any configured authentication options. For
example, if the VSC is configured to support 802.1X, the wireless security filters are
enforced before the wireless station begins the 802.1X authentication process.
If the Use the Controller for Access Control option is not selected, however, the station
is authenticated before the wireless security filters are enforced.
Wireless security filters are generally used in access-controlled VSCs in which APs
tunnel all traffic to the controller. You should always be careful when implementing a
wireless security filter on a non-access-controlled VSC. You have to use custom filters
to specify every potential default gateway, and you might make an error, or the MAC
addresses might change. In addition, some applications require particular
broadcasts, or the clients might actually require access to specific resources on their
VLAN.
For these reasons, you should generally use different methods of security and leave
wireless security filters disabled on non-access-controlled VSCs.
Allow list - Use this type (sometimes called a white list) when you want to create
an exclusive pool of devices allowed to connect. For example, you could specify
the MAC address for each of your company's wireless devices.
Block list - This type (sometimes called a black list) acts much like a MAC
lockout feature. All devices are allowed to connect except the ones specified on
the list, which are blocked by APs.
On each VSC, you can create either an allow list or a block list. You cannot specify
both allowed MAC addresses and blocked MAC addresses on a single VSC.
You can use both MAC-Auth and a Wireless MAC filter for a particular VSC. If the
Use the Controller for Access Control option is selected for a VSC, the Wireless MAC
filter is executed first. If this option is not selected, MAC-Auth is executed first.
Wireless IP filter
With wireless IP filters, you can restrict wireless-to-wired traffic to specific destination
IP addresses or subnets. For example, in a public access VSC (which you will learn
more about in the next module), you could specify the IP address of your public Web
server. APs would drop all other traffic.
Because a wireless IP filter controls the IP addresses to which wireless stations can
send traffic, it offers more granular control of the endpoints (or servers) that wireless
users can access.
A wireless security filter controls the IP addresses to which wireless stations can send
traffic. It controls whether wireless users can communicate with any device in its
subnet (including other wireless devices) or only its default gateway.
If the Use the Controller for Access Control option is selected for a VSC, the wireless
IP filters are enforced before any configured authentication options. For example, if
the VSC is configured to support 802.1X, the wireless IP filters are enforced before
the wireless station begins the 802.1X authentication process.
If the Use the Controller for Access Control option is not selected, however, the station
is authenticated before the wireless IP filters are enforced.
Client-to-site and site-to-site VPNs
Secures wireless communications for a VSC that does not enforce
encryption
Designed to be used with low data applications such as point of sale
terminals
Supports:
IPsec, L2TP, or PPTP VPNs
Client-to-site VPNs
Site-to-site VPNs
Lab Activity 4.3
Modify the VSC using WPA/WPA2 and 802.1X to authenticate users to an
external RADIUS server.
As a final lab on the security measures that you have learned about throughout the
module, you will alter your X_Marketing VSC to authenticate users to an external
RADIUS server.
Key Insights
Use the space below to record your thoughts about various deployment strategies
that you explored during Lab Activity 4.3.
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Summary
Authentication and encryption
Most secure: 802.1X with WPA2
Less secure option for smaller companies: WPA2-PSK
Guest or public access: Web-Auth
No longer recommended: static or dynamic WEP
Least secure: MAC-Auth
Additional security
Wireless security filters
Wireless MAC filter
Wireless IP filter
VPNs
VPN access
Learning check
1.
You are creating a VSC that enforces WPA/WPA2 with 802.1X authentication
and authenticates users to accounts configured on the MSM Controller. You want
users to authenticate with certificates. What is the correct EAP method?
_______________________________________________________________________
2.
Describe the advantages of TKIP and AES-CCMP in terms of the encryption keys
that they use.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
3.
You have enabled MAC-Auth on a VSC and enabled local authentication. When
you create the user account and configure the username, in what format do you
specify the MAC address? What do you configure for the password?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________