MSMv1 PDF

Implementing HP MSM
Wireless Networks
Learner guide volume 1
HP ExpertOne
Rev. 14.21
Course #: 00886659
Part #: 00886659S11404
HP Employee self-study use only. Reproduction or transfer outside of HP in whole or in part is prohibited.
Implementing HP MSM
Wireless Networks
HP ExpertOne
Rev. 14.21
Course #: 00886659
Part #: 00886659S11404
Copyright 2014 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice. The only warranties for
HP products and services are set forth in the express warranty statements accompanying
such products and services. Nothing herein should be construed as constituting an additional
warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
This is an HP copyrighted work that may not be reproduced without the written permission of
HP. You may not use these materials to deliver training to any person outside of your
organization without the written permission of HP.
Printed in United States of America
Implementing HP MSM Wireless Networks, Rev. 14.21
April 2014
This course is an HP ExpertOne authorized course designed to prepare you for

the associated certification exam. All material to be used and studied in
preparation to pass the certification exam is included in this training.
HP ExpertOne provides training and certification for the most sought-after IT
disciplines, including convergence, cloud computing, software-defined
networking, and security. You get the hands-on experience you need to hit the
ground running. And you learn how to design solutions that deliver business
value.
HP ExpertOne gives you:
A full range of skill levels, from foundational to master
Personalized learning plans and resources through My ExpertOne
Certifications that command some of the highest pay premiums in the
industry
A focus on end-to-end integration, open standards, and emerging
technologies
Maximum credit for certifications you already hold
A supportive global community of IT professionals
A curriculum of unprecedented breadth from HP, the worlds most
complete technology company
Visit hp.com/go/ExpertOne to learn more about HP certifications and find the
training you need to adopt new technologies that will further enhance your IT
expertise and career.
Contents
Course introduction: Implementing HP MSM Wireless Networks

Course overview ............................................................................. Introduction-1
Course objectives............................................................... Introduction-2
Course agenda .............................................................................. Introduction-3
Day 1 .............................................................................. Introduction-3
Supplement ....................................................................... Introduction-4
HP ASE - FlexNetwork Architect V2 and HP ASE - FlexNetwork Integrator
certification .................................................................................... Introduction-5
Module 1: HP Mobility Solutions

Objectives .................................................................................................... 1-1
Product overview ........................................................................................... 1-2
Discussion topics ........................................................................................... 1-3
HP MSM Controllers ...................................................................................... 1-4
Number of controlled APs per MSM Controller ..................................... 1-5
Access, mobility, and premium mobility controllers ............................................ 1-6
Overview of access controllers key features ...................................................... 1-9
Overview of access controllers security features ............................................... 1-11
Overview of mobility and premium mobility controllers key features ................... 1-12
Activity: Which controller would you select? ..................................................... 1-14
Discussion topics .......................................................................................... 1-16
AP operating modes ..................................................................................... 1-17
HP APs ........................................................................................................ 1-19
HP MSM AP models: 802.11n ....................................................................... 1-20
HP MSM AP models: 802.11a/b/g ................................................................ 1-23
Other AP models ......................................................................................... 1-25
HP M110 ....................................................................................... 1-25
HP MSM313 .................................................................................. 1-26
HP M111 Client Bridge Series ........................................................................ 1-28
HP MSM317 Access Device .......................................................................... 1-29
Activity: Name the models ............................................................................ 1-30
Discussion topics ......................................................................................... 1-31
HP RF Manager .......................................................................................... 1-32
HP MSM415 ............................................................................................... 1-33
HP IMC and WSM: Centralized management and configuration ....................... 1-34
HP IMC and WSM: Monitoring ..................................................................... 1-35
Rev. 14.21
Implementing HP MSM Wireless Networks

Activity: Explore the architectural possibilities .................................................. 1-37
The centralized WLAN architecture ................................................... 1-37
The optimized WLAN architecture .................................................... 1-39
Centralized WLAN architecture ..................................................................... 1-42
Optimized WLAN architecture ...................................................................... 1-44
Distributed forwarding without centralized authentication ..................... 1-45
Distributed forwarding with centralized authentication ......................... 1-45
Centralized access control ............................................................... 1-45
Lab Activity 1 .............................................................................................. 1-46
Lab Activity 1 debrief ................................................................................... 1-47
Summary .................................................................................................... 1-48
Learning check ............................................................................................ 1-49
Module 2: Initial Setup and Configuration

Objectives .................................................................................................... 2-1
Discussion topics ........................................................................................... 2-2
MSM760 or MSM775 zl ports ........................................................................2-3
MSM775 zl internal ports ...............................................................................2-5
MSM Controller schematic .............................................................................. 2-7
Exploring how the MSM Controller handles incoming traffic ...............................2-9
Web browser interface traffic ........................................................................ 2-10
Other management traffic ............................................................................. 2-12
Traffic from access-controlled clients (default) ................................................... 2-14
Adding VLANs to MSM760 or MSM775 zl Controller ports ............................. 2-16
Network profiles ............................................................................. 2-16
Mapping network profiles to controller ports as VLANs........................ 2-16
Configuring IP interfaces for profiles with VLAN IDs (non-default IP
interfaces) ...................................................................................... 2-17
Non-default IP interfaces and the controller schematic ......................... 2-18
MSM720 ports............................................................................................ 2-20
MSM720 networks ...................................................................................... 2-21
Activity: Exploring how the MSM Controller handles incoming wired traffic
(untunneled) ................................................................................................ 2-23
MSM760 Controller ........................................................................ 2-23
MSM720 Controller ........................................................................ 2-28
Discussion topics .........................................................................................2-30
Initial setup process ..................................................................................... 2-31
Planning the MSM Controllers connection ...................................................... 2-32
MSM760 and MSM775 zl controllers ............................................... 2-32
MSM720.......................................................................................2-34
Obtain initial access .................................................................................... 2-35
Direct connection ............................................................................ 2-35
Alternative strategies ....................................................................... 2-37
ii
Rev. 14.21
Contents
Configuring IP and other initial settings .......................................................... 2-39

Configuring IP settings on MSM760 or MSM775 zl
Controllers ..................................................................................... 2-39
MSM720.......................................................................................2-40
Create a default route ..................................................................... 2-41
CLI commands for configuring IP settings ........................................... 2-41
Temporarily disabling the default VSC (optional) .............................................2-43
Connecting the MSM Controller in its final location ........................................ 2-44
Ready the network infrastructure .......................................................2-44
Connect the controller ..................................................................... 2-45
Verify the connection ....................................................................... 2-45
Activity .......................................................................................... 2-45
Restricting management to the correct interface ............................................... 2-47
Lab Activity 2.1 ........................................................................................... 2-48
Lab Activity 2.1 debrief .................................................................................2-49
Planning the AP deployment ......................................................................... 2-51
AP deployment solutions ............................................................................... 2-52
Solution 1: Deploying APs in a dedicated VLAN .............................................. 2-53
Using DHCP to assign IP addresses to APs ......................................................2-54
Preferred option: Network DHCP server .............................................2-54
Controller DHCP server ................................................................... 2-55
Solution 2: Deploying APs in an existing VLAN ............................................... 2-56
Layer 2 AP discovery ................................................................................... 2-57
AP management .......................................................................................... 2-61
AP configuration settings ................................................................. 2-61
AP configuration levels .................................................................... 2-62
AP configuration synchronization ...................................................... 2-63
Lab Activity 2.2 ...........................................................................................2-64
Lab Activity 2.2 debrief ................................................................................ 2-65
Solution 3: Deploying APs across Layer 3 boundaries ......................................2-66
Assigning IP addresses to MSM APs in multiple subnets .................................... 2-67
Network DHCP server ..................................................................... 2-67
Static assignment ............................................................................ 2-67
Layer 3 AP discovery ................................................................................... 2-69
Order of discovery methods ............................................................. 2-70
Layer 3 AP discovery: DHCP ......................................................................... 2-71
Layer 3 AP discovery: DNS ........................................................................... 2-73
Layer 3 discovery: Static ............................................................................... 2-74
Provisioning APs .......................................................................................... 2-76
Non-staged or individual AP provisioning ..........................................2-77
Provisioning APs with other settings ................................................................ 2-79
Lab Activity 2.3 ........................................................................................... 2-81
Rev. 14.21
iii
Review: Planning an MSM Controller and AP deployment.................................2-83

Summary ....................................................................................................2-90
Learning check ............................................................................................ 2-91
Module 3: Wireless Fundamentals

Objectives .................................................................................................... 3-1
Discussion topics ...........................................................................................3-2
Wireless cell ................................................................................................ 3-3
802.11 a/b/g/n review................................................................................. 3-5
Channels in the 2.4 GHz band .......................................................................3-7
Commonly used channels in the 5 GHz band .................................................. 3-8
802.11h ....................................................................................................... 3-9
DFS................................................................................................ 3-9
TPC ............................................................................................... 3-10
Optional activity ............................................................................. 3-10
802.11n enhancements ................................................................................. 3-12
802.11n: channel bonding ............................................................................ 3-13
802.11n: MIMO and spatial streaming ........................................................... 3-14
802.11n: transmit beamforming ..................................................................... 3-16
802.11n: band steering................................................................................. 3-18
802.11n backward compatibility .................................................................... 3-19
CTS-to-self ..................................................................................................3-20
RTS/CTS..................................................................................................... 3-21
Finding and resolving hidden node issues ..........................................3-22
Activity: Identifying modes and IDs ................................................................ 3-24
Ad hoc mode .............................................................................................. 3-27
Infrastructure mode ...................................................................................... 3-28
In-cell relay mode ........................................................................................ 3-29
BSS and BSSID ........................................................................................... 3-30
ESS and ESSID ............................................................................................ 3-31
Open versus closed systems ..........................................................................3-32
Discussion topics ........................................................................................ 3-33
Passive and active scanning on 802.11 networks............................................. 3-34
Preparing to authenticate and associate ........................................... 3-35
Overview of 802.11 authentication and association ......................................... 3-36
802.11 authentication ..................................................................... 3-36
802.11 association ......................................................................... 3-36
Supplemental authentication ............................................................3-37
802.11 authentication .................................................................................. 3-38
Open-system authentication............................................................. 3-38
Shared-key authentication ............................................................... 3-38
802.11 association ...................................................................................... 3-40
Review activity............................................................................................. 3-41
iv
Rev. 14.21
Contents

Coverage and capacity ............................................................................... 3-44
Factors that affect coverage and capacity ...................................................... 3-45
Measuring wireless power ............................................................................3-47
EIRP .......................................................................................................... 3-49
Free space path loss ................................................................................... 3-50
Real-world path loss and obstacles.................................................................3-52
Scattering Exponent ........................................................................3-52
Major obstructions in the signal path.................................................3-53
Antenna type .................................................................................3-53
Basic and supported rates ........................................................................... 3-54
Activity: planning coverage and capacity ...................................................... 3-58
Conclusion .................................................................................... 3-60
Antennas ....................................................................................................3-62
Three-dimensional coverage ......................................................................... 3-64
Omnidirectional antenna ............................................................................. 3-65
Directional antenna .................................................................................... 3-66
Diversity antenna ......................................................................................... 3-67
Yagi antenna ............................................................................................. 3-68
Discussion topics .........................................................................................3-69
What does roaming mean to your company? ................................................. 3-70
Factors that affect roaming............................................................................ 3-72
Roaming to a new AP .....................................................................3-72
Layer 2 roaming .......................................................................................... 3-74
APs must be in the same ESS ............................................................ 3-74
The APs must support the same VLAN and subnet ............................... 3-74
Layer 3 roaming .......................................................................................... 3-76
Fast roaming ...............................................................................................3-77
Lab Activity 3 .............................................................................................. 3-78
Lab Activity 3 debrief ................................................................................... 3-79
Summary ................................................................................................... 3-80
Learning check ............................................................................................ 3-81
Supplemental information about 802.11 a/b/g/n ............................................3-82
802.11b ..................................................................................................... 3-83
802.11a ..................................................................................................... 3-84
802.11g ..................................................................................................... 3-85
802.11n ..................................................................................................... 3-86
Rev. 14.21
Module 4: Wireless Security

Objectives .................................................................................................... 4-1
Supplemental authentication options ............................................................... 4-2
802.1X with WPA, WPA2, or dynamic WEP ....................................... 4-2
Shared key ..................................................................................... 4-2
Web-Auth ....................................................................................... 4-3
MAC-Auth....................................................................................... 4-3
Discussion topics .......................................................................................... 4-4
802.1X ........................................................................................................ 4-5
Roles in the 802.1X authentication process ....................................................... 4-6
Supplicant ...................................................................................... 4-6
Authenticator................................................................................... 4-7
Authentication server ........................................................................ 4-7
802.1X ports ................................................................................................ 4-8
Controlled port ................................................................................ 4-8
Uncontrolled port ............................................................................. 4-8
Controlled port states .................................................................................... 4-9
EAP process ................................................................................................ 4-10
Negotiating the EAP method ......................................................................... 4-12
EAP methods: TLS ........................................................................................ 4-13
Advantages ................................................................................... 4-13
EAP methods: TTLS and PEAP ........................................................................ 4-15
Step 1outer method ..................................................................... 4-15
Step 2inner method ..................................................................... 4-15
Benefits ......................................................................................... 4-16
Complete 802.1X process ............................................................................. 4-17
RADIUS protocol ............................................................................ 4-18
802.1X requirements ................................................................................... 4-20
Certificates required for 802.1X ..................................................................... 4-21
Installing certificates on the MSM Controller....................................................4-22
Activity: Advantages and disadvantages of using 802.1X .................................4-25
802.1X encryption options ............................................................................4-28
WPA ..........................................................................................................4-29
Temporal Key Integrity Protocol (TKIP) ............................................... 4-29
Michael ........................................................................................ 4-30
Authentication options .................................................................... 4-30
Requirements................................................................................. 4-30
TKIP ........................................................................................................... 4-31
Securely generated master keys ........................................................ 4-31
Key rotation with transient keys ........................................................ 4-32
Key mixing for per-frame keys .......................................................... 4-32
TKIP key distribution: four-way handshake for a pairwise key ........................... 4-33
Distributing keys ............................................................................ 4-33
Completing the four-way handshake ................................................ 4-33
vi
Rev. 14.21
Contents
TKIP key distribution: two-way handshake for group key .................................. 4-35
WPA2 (802.11i).......................................................................................... 4-36
Strong encryption .......................................................................... 4-36
Encryption-based integrity ............................................................... 4-36
Authentication ............................................................................... 4-37
Requirements................................................................................. 4-37
CCMP/AES ............................................................................................... 4-38
CCMP/AES (cont.) ..................................................................................... 4-39
AES counter mode encryption ......................................................... 4-39
MIC for data integrity..................................................................... 4-40
Hole 196 ...................................................................................... 4-40
WPA/WPA2 compatibility .......................................................................... 4-42
Dynamic WEP ............................................................................................ 4-43
Activity: Advantages of using WPA2 ............................................................. 4-45
Configure 802.1X on the MSM Controller ...................................................... 4-46
Configuration decisions .................................................................. 4-46
Best practices ................................................................................ 4-47
Bind the VSC to an AP group ....................................................................... 4-49
Lab Activity 4.1 .......................................................................................... 4-50
Lab Activity 4.1 debrief................................................................................. 4-51
WPA/WPA2- PSK (personal mode) ............................................................... 4-53
Failed WPA/WPA2-PSK handshake .............................................................. 4-54
Activity: Advantages and disadvantages of using WPA/WPA2-PSK .................. 4-55
Web-Auth overview .................................................................................... 4-57
Activity: Advantages and disadvantages of using Web-Auth ............................ 4-58
Advantages of Web-Auth................................................................ 4-58
Disadvantages of Web-auth ............................................................ 4-58
MAC-Auth overview ..................................................................................... 4-61
Local MAC-Auth ......................................................................................... 4-62
RADIUS MAC-Auth ..................................................................................... 4-63
Activity: Advantages and disadvantages of using MAC-Auth ............................ 4-64
Configuring MAC-Auth on the MSM Controllers ............................................. 4-66
Lab Activity 4.2 ...........................................................................................4-67
Lab Activity 4.2 debrief ............................................................................... 4-68
Static WEP .................................................................................................4-70
Encryption .................................................................................... 4-70
Authentication ............................................................................... 4-70
Shared-key WEP.......................................................................................... 4-71
Shared-key authentication process..................................................... 4-71
Vulnerability of shared-key WEP ...................................................... 4-72
Open-key WEP ...........................................................................................4-73
Rev. 14.21
vii

Security filters for VSCs................................................................................. 4-75
Wireless security filters ................................................................... 4-75
Wireless MAC filter .........................................................................4-76
Wireless IP filter ..............................................................................4-76
Client-to-site and site-to-site VPNs ..................................................................4-78
Lab Activity 4.3 .......................................................................................... 4-80
Summary ................................................................................................... 4-82
Learning check ........................................................................................... 4-83
viii
Rev. 14.21

Course introduction
Course overview
The Implementing HP MSM Wireless Networks course is designed to help network
administrators learn how to implement HP MultiService Mobility (MSM) wireless
solutions. In this course, you will learn about the 802.11 standard, which governs how
Access Points (APs) establish wireless networks and stations associate with those APs.
You will also learn about coverage and capacity and the factors that affect both, and
you will examine the security options for wireless networks.
In addition to learning about the standards and technologies that provide the
foundation for wireless networks, you will learn about the HP MSM products,
including MSM Controllers and APs. Specifically, you will learn how to complete the
initial setup and configure Virtual Service Communities (VSCs) that support user
groups such as employees and guests. (As you will learn in this course, a VSC is a
group of configuration settings that define key operating characteristics for the APs
and controller. These settings include those typically defined for a WLAN, such as
the Service Set Identifier [SSID] and related security settings as well as other settings
such as: Quality of Service [QoS] settings, DHCP server settings, advanced security
settings such as wireless security filters, and many others.)
You will also learn about the many options the MSM Controllers provide for public or
guest networks and begin to practice implementing them. And you will determine
how to configure MSM APs and MSM Controllers to forward users traffic as required
by the company.
In addition, you will learn how to configure:
Local meshes (wireless bridges)
Controller teaming for redundancy
Special features available on the HP MSM317 Access Device (which provide

both wired and wireless access for small areas such as a hotel room)
Solutions that do not function as expected when teaming is implemented
Course objectives
After completing this course, you should be able to:
Rev. 14.21
Determine appropriate MSM products and licenses for particular environments

and needs
Deploy MSM Controllers and APs, following best practices for connecting the
controllers to the network
Configure radio settings, drawing on a basic knowledge of 802.11 standards
and wireless properties
Introduction1
Introduction2
Establish secure WLANs using technologies such as WPA/WPA2 encryption

and 802.1X authentication, either to an MSM Controller or an external RADIUS
server
Implement additional security methods when appropriate
Establish guest solutions for wireless and wired users using access-controlled
VSCs and the controllers internal login pages
Configure the appropriate account settings and access controls for guests on the
MSM Controller
Configure MSM APs and MSM Controllers to forward users traffic as required
by the company, enforcing user-based settings when necessary
Establish local meshes between MSM AP radios to extend wireless coverage or
connect network segments
Provide high availability and scalability by connecting MSM Controllers in
teams
Reconfigure access-controlled solutions on MSM teams, in particular,
implementing DHCP relay correctly
Secure MSM317 ports based on the needs of the environment
Rev. 14.21
Course Introduction
Course agenda
Figure Intro-1: Course agenda
The agenda for this course is listed below.
Day 1
Module 1: Mobility Solution
Lab 1: Initial Network Setup
Module 2: Initial Setup and Configuration
Lab 2.1: Deploying the MSM Controller
Lab 2.2: Discovering and Managing APs
Lab 2.3: Implementing Layer 3 Discovery
Module 3: Wireless Fundamentals
Module 3: Wireless Fundamentals (cont.)
Day 2
Rev. 14.21
Lab 3: Configuring Radio Settings
Module 4: Wireless Security
Lab 4.1: Configuring 802.1X with WPA2
Lab 4.2: Configuring WPA2-PSK
Lab 4.3: Configuring WPA2 with 802.1X to Windows NPS

Introduction3
Module 5: Guest Solutions
Lab 5.1: Implementing a VSC for Guest Access
Day 3
Module 5: Guest Solutions (cont.)
Lab 5.2: Enabling Free Access and Applying Subscription Plans
Optional Lab 5.3: Customizing Login Pages
Lab 5.4: Customizing Guest Access
Module 6: VLANs
Lab 6.1: Configuring User-Based VLANs and Egress VLANs
Lab 6.2: Implementing DHCP Relay for a Guest VSC
Day 4
Module 7: Wireless Mesh
Module 8: Controller Teaming
Lab 7: Implementing a Local Mesh

Lab 8: Configuring Teaming
Module 9: HP MSM317 Access Devices
Supplement
At the end of the Learner Guide volume 2 you will find supplemental information on the MSM
6.0 software release. This content will not be covered in the HP2-Z32 exam. It is included so
you have specific information about the latest major MSM software release.
Introduction4
Rev. 14.21
Course Introduction
HP ASE - FlexNetwork Architect V2 and HP ASE FlexNetwork Integrator certification
Figure Intro-2: HP ASE - FlexNetwork Architect V2 and HP ASE - FlexNetwork Integrator certification
Implementing HP MSM Wireless Networks is designed to help you earn the HP

ASEWireless Networks Implementer V1 certification. To earn this certification level,
you must demonstrate that you can configure, deploy, and manage HP MSM wireless
solutions. And to demonstrate that you have mastered these capabilities, you must
pass the Implementing HP MSM Wireless Networks (HP2-Z32) exam. (For more
information about the HP networking certifications, you can use the ExpertOne
explorer tool at http://www.certificationexplorer.com.)
This course helps you pass the HP2-Z32 exam. You may also find the HP Wireless
LAN Technologies Web-Based Training (WBT) helpful. (For more information about
WBTs, visit http://www.hp.com/certification.)
To learn more about the exam, visit http://www.hp.com/certification/
learn_more_about_exams.html.
You can also use the HP2-Z32: Implementing HP MSM Wireless Networks Exam
Preparation Guide to help you prepare. In addition to providing a list of topics
covered, the exam preparation guide offers practical guidelines for studying for and
taking the exam. It also includes some sample questions, which will help you
determine if you are ready to take the exam.
The exam preparation guide describes other ways to earn the HP ASEWireless
Networks Implementer V1 certification. For example, it explains your options if you
already have other certifications such as a Cisco CCNPWireless certification.
Rev. 14.21
Introduction5
HP Mobility Solutions
Module 1
Objectives
This module introduces the HP mobility products, including MultiService Mobility
(MSM) Controllers and access points (APs). It also outlines the wireless LAN (WLAN)
architectures these products support.
After you complete this module, you should be able to:
Rev. 14.21
Given a particular customers wireless requirements, recommend the appropriate

HP MSM Controllers and APs
Describe the WLAN architectures that MSM Controllers and APs support
11
Product overview
Figure 1-1: Product overview
Wireless technologies offer both networking and end-user flexibility. For example, with
wireless networks, you can more easily reconfigure office space because you do not
need to install or move existing wiring. Wireless technologies also help employees and
guests be productive no matter where they work.
HP offers two types of devices for establishing a wireless network:
12
HP MSM Controllers, which enable you to centrally configure, manage, and

control multiple APs and which also handle access-controlled (usually guest) clients
HP MSM APs, which establish the wireless network and can be deployed as
standalone or controlled APs
Rev. 14.21
Discussion Discussion
topics topics
HP MSM Controllers
Access, mobility, and premium mobility controllers

Overview of access controllers key features
Overview of access controllers security features
Overview of mobility and premium mobility controllers key features
Activity: Which controller would you select?
HP APs
Security and management
WLAN architectures
Figure 1-2: Discussion topics
The first section in this module introduces the HP MSM Controllers.
Rev. 14.21
Rev. 12.31
13
HP MSM Controllers
Figure 1-3: HP MSM Controllers
MSM Controllers enable you to centrally manage and control HPs intelligent MSM
APs. For large, geographically distributed WLANs, controllers eliminate the timeconsuming process of separately configuring and managing numerous APs. Instead,
you can use a single management interface to configure and manage an entire group
of APs.
In addition, MSM Controllers allow you to automate software-updates, and configure a
consistent set of services and policiesincluding quality-of-service (QoS) and security
policiesacross the entire WLAN.
HP offers four MSM controllers:
HP MSM720
HP MSM760
HP MSM775 zl
As shown in the figure above, the MSM720 and MSM760 are appliances, while the
MSM775 zl is a module that is installed into an HP 5400 zl or 8200 zl Series Switch.
You can install up to four MSM775 zl Controllers in one 5412 zl or 8212 zl switch. You
can also install up to four MSM775 zl controllers in one 5406 zl switch; however, to
operate at up to 50 C, only three modules, in the left side of the chassis, are
supported. (Check the installation guide for more details.)
The MSM760 have two RJ-45 10/100/1000 ports, which can be used to connect
them to the network. Similarly, the MSM775 zl has two 10 GbE internal ports, which
connect it to the switch backplane. On these controllers, one port is designated as the
LAN port, and one port is designated as the Internet port. The MSM720, on the other
hand, has four RJ-45 10/100/1000 BASE-T ports and two RJ-45 10/100/1000
dual-personality ports. You will learn how to connect and configure these ports in
Module 2.
14
Rev. 14.21
Number of controlled APs per MSM Controller

The MSM Controllers collectively support wireless solutions for any size business, from
small to enterprise-level. Each controller can manage a specific number of APs
starting with a base number and scaling to a maximum number of controlled APs.
When you purchase a controller, it includes a base license, which provides support for
a certain number of APs, as outlined in the table. You can then purchase incremental
licenses, until you reach the maximum number of APs each controller supports.
If you have more than 200 APs and want to manage them from a single interface, you
will need either the MSM 760 or the MSM775 zl Controller. Both of these controllers
support teaming with five controllers (which are called members). You can then
configure and manage all five controllers from as single Web browser interface.
A team provides redundancy in addition to simplifying the management of a large
number of APs. (The MSM720 supports teaming with two controllers, or members.)
You will learn more about this feature and the requirements for supporting it later in
this course.
Table 1-1: Number of APs controlled by MSM Controllers

Model
Number of APs with

base license
Maximum number of APs
Concurrent guest access users
MSM720
10
250
MSM760
40
40 with incremental licenses

(per controller or per team)
Per controller200 with
incremental licenses
Per team800 if premium
mobility license is
installed, teaming is
enabled, and the team
includes 5 controllers (thus
providing N+1
redundancy)
Per controller200 with
incremental licenses
Per team800 if teaming
is enabled and the team
includes 5 controllers (thus
providing N+1
redundancy)
MSM775 zl
40
Firmware releases prior to MSM
Rev. 14.21
v5.7: 1,000 simultaneous guest

access users upgradable in
increments of 250 per 40-AP
license pack, up to a maximum
of 2,000 guest access users
MSM v5.7 and later: 2,000
simultaneous guest access users
with base product
Firmware releases prior to MSM
v5.7: 1,000 simultaneous guest
access users upgradable in
increments of 250 per 40-AP
license pack, up to a maximum
of 2,000 guest access users (the
limit holds for a team, regardless
of the number of controllers)
MSM v5.7 and later: 2,000
simultaneous guest access users
with base product
15
Access, mobility, and premium mobility controllers
Figure 1-4: Access, mobility, and premium mobility controllers
In addition to offering flexible licensing options for controlled APs, HP allows you to
purchase controllers based on the features that you need.
The MSM720 and MSM760 are available as access controllers. Access controllers
allow you to manage controlled APs and offer a core set of features. Further
elaborated in the next few pages, the core features include, among others:
Complete AP configuration, management, and monitoring capabilities

Support for WLANs that implement WiFi Protected Access (WPA) or WPA2 with
or without 802.1X authentication
Support for access-controlled, or guest solutions, in which the controller provides
Web authentication (Web auth), access control, and routing services for both
wired and wireless clients
A local RADIUS server as well as the ability to act as a RADIUS client to another
server
Some companies need to add advanced features to the core set. The advanced
mobility features, supported by Mobility or Premium Mobility controllers include:
Fast roamingAs you will learn later in this course, the most secure way to
protect access to a wireless or wired network is 802.1X authentication. On a
wireless network, you must also add WiFi Protected Access (WPA) or WPA2 to
encrypt the transmissions and protect them from eavesdropping.
Although 802.1X provides the tightest security, it has one downside: it slows down
the roaming process when users must roam from one AP to another. Fast roaming
reduces the latency of roaming for 802.1X.
16
Layer 3 roamingStations can roam between two APs that support the same SSID
(WLAN). Layer 3 roaming becomes necessary if a station moves between two
APs that support the same SSID but bridge the wireless traffic onto different VLANs
Rev. 14.21
(or subnetworks) on the wired network. You will learn more about Layer 3
roaming later in this course.
Ability to control exactly where traffic is bridged onto the wired networkSome
companies need more flexibility in how traffic is bridged onto the wired network.
For example, they may want to ensure that users traffic is place in certain VLANs
but those VLANs have not been extended across the network. Rather than
reconfiguring the network, those companies may want their wireless solution to
handle the way traffic is distributed onto the wired network.
The premium capabilities, which the Premium Mobility controllers add to the core and
mobility features listed above, include:
Large number of SSIDsSome companies may need a high number of SSIDs (or
WLANs). Premium Mobility controllers support up to 64 Virtual Service
Communities (VSCs). You will learn more about VSCs on the following page.
TeamingThis license also allows companies to combine controllers in teams,
which provide:
Redundancy for controllersIf users require wireless access to complete their

work, companies should build redundancy for the controller into their wireless
solution, eliminating a single point of failure.
ScalabilityLarge enterprises may need more manage and configure more

than 200 APs. To simplify management, they should be able to manage
these APs from a single interface. (The MSM760 and MSM775 zl provide
this benefit; on the MSM720 uses teaming for redundancy only.)
HP offers several mobility and premium mobility controllers, which provide the
functionality to fulfill these requirements:
MSM720 Premium Mobility Controller and MSM760 Premium Mobility

ControllerBy purchasing and installing a Premium Mobility license, you can
upgrade the MSM720 and MSM760 Access Controllers to Premium Mobility
Controllers. These Premium Mobility Controllers can then provide the advanced
features of fast roaming, Layer 3 roaming, and MTM. In addition, they support
teaming, which can be used to provide redundancy for controllers and scalability,
and up to 64 VSCs. (You will learn more about teaming and VSCs on the
following page.)
775775The next few pages describe the features provided by access, mobility, and
premium mobility controllers.
Rev. 14.21
17
Overview
of access
controllers
key features
features
Overview of
access
controllers
key
Centralized management of APs
Automated deployment and

software updates
Unified policy enforcement
Multiple virtual service
communities (VSCs)
Support for 802.11n, including
band steering
Guest access solutions
Workflow wizard for easy
implementation
Variety of options for customized
solutions
DHCP server
QoS solutions
7
Rev. 12.31
Figure 1-5: Overview of access controllers key features
The MSM720 and MSM760 access controllers can manage different number of APs,
but they all support the same key featuresmany of which are listed below.
18
Centralized management of APsThe controllers allow you to configure settings

for all APs, groups of APs, or individual APs. They provide a single vantage point
from which to view wireless network resources.
Automated deployment and software updatesThe controllers automate the
deployment of APs and software updates.
Unified policy enforcementThe controllers enable you to enforce a unified set of
policies across multiple APs.
Up to 16 virtual service communities (VSCs)A VSC is a group of configuration
settings that define key operating characteristics for the APs and controller. These
settings include those typically defined for a WLAN, such as the Service Set
Identifier (SSID) and related security settings as well as other settings such as:
Quality of Service (QoS) settings, advanced security settings such as wireless
security filters, DHCP server, and many others. You will learn more about VSCs
and the available settings in this course and practice configuring them in the labs.
Support for 802.11a/b/g/nThe controllers can manage and control 802.11n
APs without the need for expensive upgrades.
Rev. 14.21
Guest solutionsThe controllers provide a flexible and robust guest access

solution. You can quickly implement a guest access VSC, using a workflow wizard
to select the basic configuration settings. You can also customize the guest access
VSC as needed to meet the needs of your company. For example, you can control
which resources (if any) guests can access on the companys network, or you can
limit their access to the Internet. You can also set up subscription services so that
guests pay for wireless access. In addition, you can configure guest VSCs to
require Web authentication, 802.1X authentication, or MAC authentication (MACAuth).
Because the MSM Controllers offer such a wide range of options for guest access,
you will begin to explore those options later in this course. You will also practice
implementing a basic guest network solution.
DHCP serverThe controllers can operate as DHCP servers, assigning IP

addresses to APs and guests. They can also act as the DHCP relay for external
DHCP servers.
QoS solutionsThe controllers and APs support industry-standard QoS protocols.
If your wired infrastructure devices also support standard QoS protocols, you can
implement an end-to-end QoS solution, ensuring that delay-sensitive and
bandwidth-intensive traffic receives priority handling from the wireless station to
the destination device on the wired network and back.
To prioritize traffic between the stations and the APs, the APs support Wi-Fi
Multimedia (WMM), a set of features defined for the 802.11 standard, and
SpectraLink Voice Protocol, a proprietary protocol for improving QoS for wireless
devices. The APs can also mark the traffic bridged onto the wired network with an
802.1p value, DiffServ value, or both. Provided that the upstream wired
infrastructure honors this setting, the traffic continues to receive the correct type of
service to preserve the quality of the application in its journey end-to-end. (QoS
solutions are not covered in this course. If you want to know more about QoS
solutions on the MSM Controllers and APs, attend the Master Accredited Solution
Expert course, HP Enterprise Wireless Networks.)
Rev. 14.21
19
Overview
of access
controllers
security features
Overview of
access
controllers
security
features
RADIUS authentication (through internal or external RADIUS server)
Microsoft AD authentication
Secure management access
Firewall
ACLs and security filters
NAT
Rev. 12.31
Figure 1-6: Overview of access controllers security features
The controllers also provide comprehensive security, including, but not limited to, the
following features:
110
Remote Authentication Dial-in User Service (RADIUS)--based authentication:
Internal
External
Microsoft Active Directory authentication, including to Windows Server 2008 R2

Secure management access, using HTTP over Secure Sockets Layer (SSL) or Secure
Shell (SSHv2). You can also limit management access to certain IP addresses.
Stateful firewall, which enforces policy-based access on incoming and outgoing
data
Access control lists (ACLs) and security filters, which you will learn about later in
this course
Network address translation (NAT)
Rev. 14.21
Overview of mobility and premium mobility

controllers key features
Figure 1-7: Overview of mobility and premium mobility controllers key features
The mobility and premium mobility controllers provide all the features that the access
controllers offer plus the following:
Fast roamingThis feature speeds up the roaming process for stations that
authenticate to VSCs secured by 802.1X with WPA/WPA2. You will learn more
about the specific actions APs and the controllers take to accelerate this roaming
later in this course.
Mobility traffic manager (MTM)MTM gives you complete control over where
each users traffic is distributed into the Ethernet network. It also supports Layer 3
roaming.
MTM assigns each user to a home network based on a variety of settings,
including identity-based policies. It then helps the MSM APs determine whether
the users traffic can be distributed locally or whether it must be tunneled to the
controller.
Thus, this feature delivers complete flexibility and efficiency to the architecture.
Users can connect wherever they need to connect yet always retain a consistent IP
address in their assigned home networks. For efficiency, APs forward traffic locally
when they can, butwhen necessarythey tunnel the traffic to the controller for
distribution. All this occurs seamlessly with users only aware that they can connect
wirelessly and receive access to the resources that they need.
For example, in the following figure, User As home network is Network 1. User A
can connect to any AP, and the users traffic is always forwarded on the correct
network. The APs in the left of the figure can forward the users traffic locally while
the APs on the right tunnel the traffic to the controller. But, in either, case the MSM
solution connects the user to the correct home network. In addition, if the user
Rev. 14.21
111
roams from one AP to another, MTM ensures that the user remains connected to
the home network.
Figure 1-8: Overview of mobility and premium mobility controllers key features
MTM is not covered in this course. If you want to know more about this feature,
attend the Master Accredited Solution Expert course, HP Enterprise Wireless
Networks.
Premium mobility controllers also offer:
Support for up to 64 VSCsThis feature allows companies to define more than 16

VSCs, allowing them to offer up to 64 WLANs.
TeamingThis feature provides redundancy for the MSM720, MSM760, and
MSM775 zl Controllers. With MSM720 Controllers, you can create a team with
two members and manage up to 40 APs (provided you have the necessary
incremental licenses.) If one of the MSM720 Controllers becomes unavailable, the
remaining controller will handle all necessary operations.
With the MSM760 and MSM775 zl Controllers, you can create a team with up to
five members. Each team must include only MSM760 Controllers or only MSM775
zl Controllers. In addition to providing redundancy, the team allows you to
manage up to 800 APs from a single interface (again, provided you have the
necessary incremental licenses for the APs). You will learn more about this feature
and practice implementing it later in this course.
112
Rev. 14.21
Activity: Which controller would you select?
Figure 1-9: Activity: Which controller would you select?
Below you will find descriptions of four organizations that need an MSM Controller to
manage a certain number of APs. Use what you have learned about the MSM
Controllers to recommend an MSM Controller, based on the information that is
provided. Sometimes more than one solution might fit the needs; what is most
important is that you can make a reasonable selection that you can justify.
1.
A business estimates that it will need at least 12 APs on each floor of its five-floor
office building to provide adequate wireless coverage. The senior IT manager
wants to eliminate a single source of failure and ensure that the wireless network
is always available. The business is using HP switches, including the 3500-48GPoE+, 5412 zl, 6600-24G, and 8212 zl switches. Which HP MSM Controller(s)
would you recommend for this organizations wireless solution? Why?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
113
2.
The IT manager for a medical office building estimates that she will need at least
10 APs on each floor of a five-floor office building to provide adequate wireless
coverage. The office building is currently using the following HP switches: 580048G with 2 slots, 5500-24G, and 10508 switches. Which MSM Controller would
you recommend for this medical office building? Why?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
3.
A medium-sized business plans to have 200 employees working in a large, onefloor warehouse. Because the business wants the flexibility to reconfigure this
space as needed, the IT manager plans to provide these employees with wireless
access, so the wireless network must be reliable. The business estimates that it will
need 30 APs to provide adequate coverage. Which HP MSM Controller(s) would
best meet this businesss needs? Why?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
4.
A business is establishing a new wireless network at an office with 60 employees.

In addition to providing access for employees, the wireless solution should also
provide guest access. The IT manager has estimated that the office needs only
four APs to provide adequate coverage and capacity. Which HP MSM
Controller(s) would best meet the needs for the office? Why?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
114
Rev. 14.21
topics topics
HP MSM Controllers
HP APs
AP operating modes
HP APs
HP MSM AP models: 802.11n
HP MSM AP models: 802.11a/b/g
Other AP models
HP M111 Client Bridge Series
HP MSM317 Access Device
Activity: Name the models

WLAN architectures
You will now examine the APs that HP offers.

11
Rev. 14.21
Rev. 12.31
115
AP operating
AP operating
modes modes
Figure 1-11: AP operating modes
Typically, 12APsRev.operate
in one of two modes:
12.31
Autonomous
Controlled
As the name suggests, autonomous mode means that you manage the AP as a
standalone AP. That is, you access the APs management interface (whether Web
browser interface or command line interface) and configure the settings needed for
just that AP. Autonomous mode is generally used for small companies or branch offices
that need just a few APs or do not have any immediate plans to expand the wireless
network to include more APs.
Autonomous APs might also work well for companies who need a few APs that provide
network coverage outdoors such as in a retail environment or at an airport. HP
provides ruggedized APs, as you will learn later in this module.
When APs operate in controlled mode, you use a controllers management interface to
centrally configure and manage the APs. By automating AP configuration and
management, controlled mode simplifies the process of applying a consistent set of
security and quality-of-service policies across WLANs. Controlled mode also reduces
deployment and management costs.
The MSM APs can operate in either autonomous or controlled mode. By default, the
MSM APs operate in controlled mode, but you can access an APs Web browser
interface to switch its operating mode to autonomous mode. (The MSM317 is the one
exception to this rule. It does not include a web-based management interface of its
own because it operates only in controlled mode.) When you are ready to expand
your wireless network and add a controller, you can easily purchase a controller and
configure your APs to operate in controlled mode.
116
Rev. 14.21
Because the MSM APs operate in controlled mode by default, they must discover an
MSM Controller. You have a number of options for AP discovery, as you will learn
later in this course. For example, if both the APs and MSM Controller are on the same
subnet, they will automatically discover the controller. Once the APs discover the
controller, the controller immediately provisions the APs with a software version that
matches its own and sends the APs the appropriate configuration settings.
Rev. 14.21
117
HP APs
HP APs
Indoor and outdoor 802.11n APs
Indoor 802.11a/b/g AP
Other APs
13
Rev. 12.31
Figure 1-12: HP APs
HP provides a variety of MSM APs, each of which offers a unique set of features. Basic
categories include:
Indoor and outdoor 802.11n/a/b/g APs
Indoor and outdoor 802.11a/b/g APs
Integrated services APs
The MSM AP model numbers indicate which 802.11 standards each AP supports and
how many radios it has:
If the model number begins with a four (4), the MSM AP supports 802.11n (as
well as a/b/g)
If the AP model number begins with a three (3), the MSM AP supports
802.11a/b/g.
The second digit in the MSM AP model number indicates how many radios the model
provides. The third digit indicates whether the AP provides sensor capabilities for
working with RF Manager, HPs wireless IDS/IPS. A 0 indicates no sensor capabilities
and a 5 indicates the ability to act as a sensor.
For example, the MSM310 supports 802.11a/b/g and has one radio.
The higher-end 4xx models make an exception to the rule about the second digit. The
HP 425, MSM430, MSM460, and MSM466 all have two radios. However, they
support additional spatial streams and the higher 802.11n data rates.
Like MSM Controllers, MSM APs have a great deal in common. All bring intelligence to
the network edge, offer multiple network services and high performance, and enforce
security. They also support plug-and-play deployment (automatic configuration) and work
in controlled mode with MSM Controllers.
In addition, most MSM APs work in autonomous mode (without a controller).
118
Rev. 14.21
HP MSM AP models: 802.11n
Figure 1-13: HP MSM AP models: 802.11n
These Wi-Fi Alliance certified 802.11 a/b/g/n APs provide the following capabilities:
Radio:
Auto-channel selection (ACS), which allows each radio to select a channel

with the least interference on power-up and continuously improve channel
selection based on background interference
Self-healing, self-optimizing wireless bridge, in which AP radios can

dynamically establish new links with other MSM AP radios as required (local
mesh)
Configuration of power, frequency band, and data rates
Security:
802.1X authentication with:
EAP-SIM
EAP-FAST
EAP-TTLS
EAP-TLS
PEAP
Note
You will learn more about 802.1X and these different types of EAP later in this
course.
Rev. 14.21
119
MAC-Auth
Web-Auth
Encryption:
120
802.11i, WPA2, or WPA
Lifetime warranty for indoor HP 425, MSM430, MSM460, MSM466 and a 1year warranty for outdoor models (check the HP networking support web site for
details about what the warranty covers)
QoS:
WMM
802.1p
SVP
DiffServ
VSCsMSM 802.11n APs support up to 16 VSCs. You can configure each VSC
separately to support a variety of QoS and security profilesincluding policies
based on the Wi-Fi Multimedia (WMM) specification and 802.11e standard. (You
can configure the VSC on a controller if the AP is running in controlled mode or
on the AP itself if it is running in autonomous mode.)
VoIPThe APs support a maximum of 12 active VoIP calls on 802.11a/b/g/n.
DiagnosticsHPs MSM 802.11n APs log client events such as authentications and
DHCP events. The APs also include a packet capture tool for Ethernet and 802.11
interfaces, and a data-rate matrix.
Multiple-input multiple output (MIMO)The MSM410 supports two spatial
streams and MIMOone of the technologies that helps 802.11n deliver higher
performance than other 802.11 standards. The HP425 and MSM430 also offers
two spatial streams and 3x3 MIMO. Finally, the MSM460 and MSM466 support
three spatial streams and 3x3 MIMO. Three spatial stream MIMO allows for 450
Mbps of signaling per radio, which in turn represents a performance increase of
more than 50 percent over APs using two spatial stream technology. You will learn
more about MIMO and spatial streams later in this course.
BeamformingThe HP 425, MSM 430, MSM460, and MSM466 support
beamforming, which, if the client also supports the feature, can focus the signal
between the AP and client. Thus this feature can provide better coverage for given
areas and enhance performance at given distances from APs.
Band steeringThe HP 425, MSM 430, MSM460, and MSM466 also support
band steering, which steers wireless clients to the 5 GHz bandthe band that
provides superior performance for 802.11n. In addition the MSM466 is capable
of running both radios in the 5 GHz band for even better performance.
Rev. 14.21
Table 1-2: Indoor 802.11n APs

AP
Radios
Port
Antennas
Power
Plenum rating
HP 425
Dual (a/n
+ b/g/n)
One RJ-45
10/100/
1000
4 dBi antenna at 2.4 GHz
802.3af PoE
Yes
MSM430
Dual (a/n
+ b/g/n)
One RJ-45
10/100/
1000
802.3af PoE
Yes
MSM460
Dual (a/n
+ b/g/n)
One RJ-45
10/100/
1000
802.3af PoE
Yes
MSM466
Dual
(a/b/g/n)
One RJ-45
10/100/
1000
802.3af PoE
Yes
and 5 dBi antenna at 5

GHz
four indoor RP-SMA
connectors for use with
optional external antennas)
Six internal omnidirectional
antennas that support twospatial streams & 3x3 MIMO:
Three 4dBi 2.4 GHz
antennas
Three 7dBi 5 GHz
antennas
Six internal omnidirectional
antennas that support three
spatial streams & 3x3 MIMO
reaching 450 Mbps per radio:
Three 4dBi 2.4 GHz
antennas
Three 7dBi 5 GHz
antennas
Six RP-SMA connectors for
external antennas, which
are sold separately
Support for three spatial
streams & 3x3 MIMO
reaching 450 Mbps per
radio
**Power cords are sold separately as accessories.
Table 1-3: Outdoor 802.11n AP

AP
Radios
Port
Antennas
Power
Operating
temperatures
MSM466-R
Dual
(a/b/g/n
run both
radios at 5
GHz for
optimal
performance)
One RJ-45
10/100/
1000
Six N-type connectors
PoE or
PoE+
-40 degrees C to 55
for external antennas,

which are sold
separately
Support for three
spatial streams & 3x3
MIMO reaching 450
Mbps per radio
degrees C (-40
degrees F to 131
degrees F)
For -20 degrees C,
802.3at (PoE+)
required for
embedded heater
For a list of HP external antennas that each AP supports, visit the HP networking web
site at:
http://www.hp.com/networking
Rev. 14.21
121
HP MSM AP models: 802.1

HP 1a/b/g
MSM AP models: 802.11a/b/g
MSM310
Figure 1-14: HP MSM AP models: 802.11a/b/g

Rev. 12.31
15
This intelligent, Wi-Fi Alliance certified
802.11 a/b/g AP provides the following
features:
122
RadioThese APs enable you to:
Configure frequency bands for each radio
Extend network availability through self-healing, self-optimizing mesh

capabilities
Configure minimum data rates and power
Select ACS, which allows each radio to select a channel with the least
interference on power-up and continuously improve channel selection based
on background interference
SecurityThese APs support 802.1X authentication with EAP-SIM, EAP-FAST, EAPTLS, EAP-TTLS, and PEAP. They also support MAC-Auth and Web-Auth. To protect
wireless transmissions, they support industry-standard wireless encryption
standards including WPA2 and WPA and the legacy WEP.
QoS:
WMM
802.1p
SVP
DiffServ
Rev. 14.21
Lifetime warrantyHP provides a warranty for these APs for as long as you own
the product, with next-business-day advance replacement (available in most
countries). For the software, HP generally provides a 1-year warranty. You should
refer to the HP networking support site for details and up-to-date information.
VSCsMSM 802.11n APs support up to 16 VSCs. You can configure each VSC
separately to support a variety of QoS and security profilesincluding policies
based on the Wi-Fi Multimedia (WMM) specification and 802.11e standard. (You
can configure the VSC on a controller if the AP is running in controlled mode or
on the AP itself if it is running in autonomous mode.)
VoIPThe APs support a maximum of 12 active VoIP calls on 802.11a/b/g/n.
Two RJ-45 10/100 portsThe MSM310 can bridge traffic between its two ports,
so customers can connect one port as the uplink port and use the second port to
connect a wired device.
Table 1-4: Indoor 802.11 a/b/g APs

AP
Radios
Ports
Antennas
Power
Plenum
MSM310
Single
(a/b/g)
Two RJ-45
10/100
Two external 2 dBi dual-
PoE or power
supply*
Yes
band 2.4/5 GHz

omnidirectional antennas
(ship with the AP)
Two RP-SMA connectors
*Power cords are sold separately as accessories.
Rev. 14.21
123
Other AP models
Other AP models
MSM110
MSM313
Figure 1-15: Other AP models

16
Rev. 12.31
HP M110
You can configure this entry-level access device to operate as an access point, a
wireless distribution system (WDS) bridge, or a full-spectrum 802.11 WLAN monitor.
The M110 operates in autonomous mode and supports up to two VSCs, each with
independent VLAN and wireless security profiles. It is plenum-rated and powered by a
PoE source. The M110 access point is Wi-Fi Certified for WPA2, WPA, and WEP
security and has hardware-assisted Advanced Encryption Standard (AES) and RC4
encryption.
This device provides the following features
124
Single 802.11a/b/g radio
Support for two VSCs
Two external antennas
PoE support
QoS:
802.1p prioritization
WMM
Rev. 14.21
Security:
Authentication:
802.1X authentication using EAP-SIM, EAP-FAST, EAP-TLS, and PEAP
MAC-Auth
RADIUS AAA using EAP-MD5, PAP, CHAP, and MS-CHAPv2 (via a

controller)
Encryption:
WPA2 (AES)
WPA
WEP
Plenum rated
Centrally manageable
HP MSM313
Nicknamed hotspot in a box, the HP MSM313 is designed to simplify the task of
setting up a wireless network for small companies that need a guest access solution in
addition to wireless access for employees. These devices allow you to implement
centralized access control for guests and to control what these users can access
through the wireless network. You can handle employee access differently, allowing
these users to access network resources.
This device provides the following features:
Single 802.11a/b/g radios
Firewall and NAT features (which are enabled by default)
Default VSC, which simplifies the setup process
Integrated DHCP server (default) or client (APs are configured as clients by default)
Support for 16 VSCs
Security:
Rev. 14.21
Authentication
802.1X authentication with EAP-SIM, EAP-FAST, EAP-TLS, EAP-TTLS, and

PEAP
MAC-Auth
Web-Auth
Encryption
WPA/WPA2
WEP
125
126
QoS:
WMM
SVP
802.1p
DiffServ
Support for WEP, WAP, and RADIUS
Wireless bridge (mesh)
Support for 12 active VoIP calls
PoE support
Rev. 14.21
HP M111 Client
Bridge
HP M1
11 Client Series
Bridge Series
17
Rev. 12.31
Figure 1-16: HP M111 Client Bridge Series
HP also provides a solution for organizations that want to connect legacy Ethernet or
serial devices to their WLANs. For example, an organization might want to connect a
fax machine to its WLAN so wireless users can send faxes.
Instead of upgrading its legacy fax machine, this organization can connect it to the
HP M111 Client Bridge, which provides a wireless signal that allows access via the
WLAN.
This device provides the following features:
Rev. 14.21
Single 80211a/b/g radio
Two external antennas
Support for a wide range of wired devices (DECnet, IPX, AppleTalk, and others)
Integrated TCP/IP converter
An 802.1X supplicant
Hardware-accelerated WPA2, WPA, or WEP encryption
127
HP MSM317
Access Device
HP MSM317 Access Device
18
Rev. 12.31
Figure 1-17: HP MSM317
As mentioned earlier, the MSM317 operates only in controlled mode. This device
requires one of the MSM Controllers for both configuration and operation. It integrates
an AP with four managed 10/100 Ethernet switch ports and includes a pass-through
port for digital phone service. Ideal for small businesses with little or no networking
experience and for businesses that want to provide wireless services in discrete areas,
such as hotel rooms, the MSM317 fits within the space of a standard electrical wall
outlet. AP features include:
A single 802.11b/g radio
Two internal 2.4 GHz omnidirectional antenna (chips)
Support for up to 16 VSCs (mapped to separate VLANs)
You can configure one of this APs Ethernet ports as an 802.3af-compliant PoE port for
wired devices such as IP telephones and security cameras. Each MSM317 provides up
to 440 square feet (41 square meters) of WLAN coveragecontingent on proper
deployment, free of obstacles placed directly in front of the device.
Note
You do not have to install AP licenses to manage MSM317 APs. The controllers
can manage any number of MSM317 APs, as long as the controllers do not
exceed their maximum number of controlled-APs.
128
Rev. 14.21
Activity:
Name
the models
Activity: Name
the
models
Which MSM 802.11a/b/g and 802.11n models fit in each category?
Outdoor
Single radios
Dual radios
?
Figure 1-18: Activity: Name the models
In this activity, you will complete the following table using information provided in this
module. Your facilitator may ask you to work individually or in a group. One of the
dual-radio APs is provided for you.
Be prepared to share your results with the class.
19
Outdoor
Rev. 12.31
_________
Rev. 14.21
Single radios
Dual radios
_________
_________
_________
_________
_________
_________
__MSM466__
_________
_________
_________
129
Discussion topics
Discussion topics
HP MSM Controllers
HP APs
HP RF Manager
HP MSM415
HP IMC and WSM
WLAN architectures
The next section in this module introduces:
Wireless intrusion detection system/intrusion prevention system (IDS/IPS)
Complete wired/wireless management solution

20
130
Rev. 12.31
Rev. 14.21
HP RF Manager HP RF Manager
Wireless IDS/IPS
Works with sensors to detect vulnerabilities and attacks
Mitigates those vulnerabilities and attacks

Audits security
Figure 1-20: HP RF Manager

21
Rev. 12.31
The HP RF Manager Controller works with HP MSM415 and HP AirProtect 5750 and
SS-300 security sensors to detect and prevent wireless intrusions and threatssuch as
threats from rogue APs, denial-of-service (DoS) attacks, and WEP-cracking attacks.
This device analyzes the wireless traffic samples its sensors collect to:
Detect all APs and wireless clients in the area

Classify these devices according to their proper functions and the security policies
you configure
Monitor each AP and client for inappropriate behavior
In addition to detecting a variety of DoS attacks and WEP-cracking attacks, RF

manager notifies you when it detects a potential attack on more secure WPA-based
WLAN security.
It constantly logs information about security events and uses this information to provide
a variety of reportsincluding automated regulatory-compliance reports for standards
such as Payment Card Industry (PCI), Sarbanes-Oxley (SOX), Health Insurance
Portability and Accountability Act (HIPAA), and many others.
RF Manager Controller comes with a 50-sensor license, which you can expand to 250
licenses via four 50-sensor license upgrades.
Rev. 14.21
131
HP MSM415
HP MSM415
802.11 a/b/g/n radio
Scans wireless network, looking for suspicious behavior
Reports vulnerabilities and attacks to RF Manager

Based on configuration, quarantines attacker
Figure 1-21: HP MSM415

22
Rev. 12.31
The HP MSM415 RF Security Sensor works with the HP RF Manager Controller to

provide wireless intrusion detection and prevention. (Intrusion detection systems
IDSsalert you when they detect an attack; intrusion prevention systemsIPSstake
action to mitigate the attack.)
This device is not an AP; it is a dedicated sensor. Its single, 802.11a/b/g/n radio
sensor continuously scans the 2.4 and 5 GHz bands to detect and counter security
threats for 802.11a/b/g/n wireless devices and APs.
The MSM415 provides the following features:
132
Dual-band, 2.4 and 5 GHz omnidirectional antennas
Scans wireless network, looking for suspicious behavior
Reports vulnerabilities and attacks to RF Manager
Based on configuration, quarantines attacker
Works offline to provide security coverage if RF Manager is unavailable
Rev. 14.21
HP IMC and WSM: Centralized management and

HP IMC and WSM
configuration
Centralized management and configuration
Device management (autonomous APs and controller-based solutions)
WLAN configuration
Wireless topology management
Figure 1-22: HP IMC and WSM: Centralized management and configuration

23
Rev. 12.31
The final component of the HP mobility solutions is the solution that helps you deploy
and manage them more efficiently.
HP Intelligent Management Center (IMC) provides centralized management for a
companys complete networking solution, from switches and routers to MSM
Controllers and APs. IMC even supports thousands of other vendor products so that
companies with heterogeneous environments can manage all of their solutions from a
single interface.
Wireless Services Manager (WMS), one of several modules that can enhance IMCs
capabilities, delivers unified wired and wireless management. As of version 5.1, IMC
and WSM can manage both autonomous MSM APs and APs that are part of a
controlled MSM solution. Management capabilities include:
Rev. 14.21
WLAN configuration
AP group management
Radio configuration management
Wireless topology management
133
IMC and WSM

HP IMC andHP
WSM:
Monitoring
Monitoring
Wireless usage monitoring
Wireless statistics
Client association monitoring
Other reports
24
Rev. 12.31
Figure 1-23: HP IMC and WSM: Monitoring
HP WSM collects statistics from across all managed wireless devices, consolidating
and analyzing them so that you can discover at a glance vital information about your
network.
Some of the information collected includes:
Details about wireless network usage (bandwidth transmitted and received by

each radio)
Wireless statistics, which can help you to determine if an issue with radio settings
or RF coverage must be addressed
Client association monitoring, with histories that span a clients association to
several APs and maps that show where a client has roamed
Wireless topologies and maps that show where your APs areas well as
potential rogues that you might need to track down and eliminate to secure your
network
These examples illustrate just some of the tasks that WSM helps you to perform and
just some of the information that it places at your fingertips.
134
Rev. 14.21
topics topics
HP MSM Controllers
HP APs

WLAN architectures
Activity: Explore the architectural possibilities
Centralized WLAN architecture
Optimized WLAN architectures
Lab Activity 1
You will now consider the WLAN architectures that MSM Controllers support.
25
Rev. 14.21
Rev. 12.31
135
Activity: the
Explore
the architecturalpossibilities
possibilities
Activity: Explore
architectural
Meet in groups
Answer the questions
Present your answers to the class
26
Rev. 12.31
Figure 1-25: Activity: Explore the architectural possibilities
The next several slides detail several types of architecture, which provide different
possibilities for how users authenticate and how their traffic is bridged from the
wireless network to the wired. After you learn about these architectures, you can
compare and contrast them using the question below.
The centralized WLAN architecture

1.
What is a centralized WLAN architecture?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
2.
Through what device (or devices) do you manage APs in this architecture?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
136
Rev. 14.21
3.
Which devices enforce user authentication?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
4.
Which devices are involved in forwarding wireless users traffic onto the wired
network?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
5.
What are the advantages of implementing the centralized architecture?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
137
6.
What are the disadvantages?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
The optimized WLAN architecture

1.
What is the optimized WLAN architecture?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
2.
Through what device (or devices) do you manage APs in this architecture?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
138
Rev. 14.21
3.
Which devices enforce user authentication?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
4.
Which devices are involved in forwarding wireless users traffic onto the wired
network?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
5.
What are the advantages of implementing the distributed forwarding architecture?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
139
6.
What are the disadvantages?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
140
Rev. 14.21
architecture
CentralizedCentralized
WLAN WLAN
architecture
The controller manages all traffic.
All traffic travels through the
controller
27
Rev. 12.31
Figure 1-26: Centralized WLAN architecture
As this figure illustrates, the centralized WLAN architecture uses a controller to

manage all wireless traffic and inter-device communications. The controlled APs
transmit all authentication traffic to the controller. The controller determines if users and
devices are authenticated, which it might do be checking credentials against a local
database or by sending an authentication request to an external server. The controller
then communicates this information to the controlled APs.
Similarly, APs forward traffic from wireless stations to the controller, which acts as the
gateway between the wireless network and the corporate network. Typically, the APs
encapsulate the stations traffic in unicast packets destined to the controller, essentially
tunneling the traffic. Depending on the solution, the APs might bridge the traffic from
802.11 to Ethernet before encapsulation, or they might simply encapsulate the 802.11
frames for the controller to handle.
The controller receives the traffic and decapsulates it. If necessary, it bridges the traffic
to Ethernet. It then forwards packets onto the corporate network. Similarly, devices on
the wired network send packets bound for wireless stations to the controller for
distribution to the APs and, from there, on the WLAN. In other words, all traffic to and
from wireless users passes through the WLAN controller.
The AP and the controller might be deployed at the same site or at different sites,
separated by routers and firewalls.
Rev. 14.21
141
Although this architecture simplifies the management and deployment of a large

number of APs, it concentrates the wireless users traffic onto a single path, potentially
creating a bottleneck at the controller, adding latency to the wireless users
communications, and increasing traffic at the network core. This constriction can be a
particular problem if the WLAN handles 802.11n voice and video traffic. In addition, if
the deployment spans several sites, lower-bandwidth WAN connections might have
trouble handling the traffic load. Depending on the amount of traffic your WLAN
generates, congestion at the controller could significantly slow wireless traffic.
142
Rev. 14.21
architectures
Optimized Optimized
WLAN WLAN
architecture
Figure 1-27: Optimized WLAN architecture

28
Rev. 12.31
HP uses the optimized WLAN architecturean architecture that capitalizes on the

strengths of the centralized WLAN architecture while overcoming its limitations.
With the optimized WLAN architecture, you still have all the benefits of configuring
and managing APs, which might be deployed at several sites, from a centralized
controller. However, you also have much more flexibility in how traffic is distributed
onto the wired network and how authentication and access control measures are
applied.
You can configure an optimized WLAN architecture to:
Use APs to enforce user authentication to an external server and to bridge users
wireless traffic directly onto the wired network
Use the controller to enforce user authentication (to a local database or an
external server), but allow APs to forward authenticated users wireless traffic
directly onto the wired network
Use the controller to handle both users authentication and the forwarding of all
wireless user traffic onto the corporate LAN
These options are shown in the figure:
Distributed forwarding
Distributed forwarding with centralized authentication
Centralized access control
As you will see when you begin implementing VSCs in the labs for this course, you
can configure how traffic is handled for each VSC. That is, one VSC might be
configured with centralized access control, which means the AP forwards all
authentication and wireless users traffic to the controller. For another VSC, the AP may
handle authentication requests and forward traffic directly onto the wired network.
Rev. 14.21
143
For all architectures, management traffic flows between the controlled AP and the
controller. How the APs and controller handle user traffic, as well as traffic related to
authenticating users, relates to the type of VSC.
Distributed forwarding without centralized authentication

If you do not enable centralized (controller-based) authentication or access control on
a VSC, the AP uses the distributed forwarding architecture without centralized
authentication. The illustration in the left of Figure 1-27 illustrates the traffic flow for this
architecture. Notice how neither user nor authentication traffic flows to the controller.

If you enable only centralized authentication for a VSC, the controller handles the
authentication process. The AP forwards authentication requests from the controller to
the wireless stations and then forwards stations responses to the controller.
APs bridge wireless users traffic directly onto the wired network (rather than
forwarding it to the controller for distribution onto the wired network).
The middle illustration in the Figure 1-27 depicts this architecture.

As the illustration on the right side of Figure 1-27 illustrates, you can configure an
access-controlled VSC. For this VSC, the controller handles both the authentication
process and the forwarding of wireless users traffic onto the corporate network.
Usually, APs tunnel the wireless users traffic to the controller; that is, they encapsulate
it in unicast packets destined to the controller. Sometimes, however, the APs bridge the
traffic onto the wired network themselves. In either case, however, the controller acts as
the wireless clients default gateway and a bridge to the corporate LAN. The clients
traffic passes through it.
Note
As you see, non-access-controlled VSCs are usually associated with distributed
forwarding with or without centralized authentication. However, if you implement
MTM, APs can tunnel wireless users traffic to the MSM Controller, which tunnels
them to another controller or bridges them onto the corporate LAN. The slide
does not illustrate this option, which is covered in the HP Enterprise Wireless
Networks training.
144
Rev. 14.21
Lab Activity 1
Lab Activity 1
Figure 1-28: Lab Activity 1
In this lab, you will begin to set up the wired network that you will use in this lab. You
will also reset the MSM Controllers so that you can begin configuring them in the next
Rev. 12.31
29
lab.
Rev. 14.21
145
Lab Activity 1 debrief

Use the space below to record your key insights and challenges from Lab Activity 1.
Table 1-5: Debrief for Lab Activity 1

Challenges
Key insights
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
146
Rev. 14.21
Summary
This module introduced MSM Controllers and APs.
The HP MSM Controllers provide:
Centralized AP deployment, configuration, and management
Flexible licensing options that enable you to add APs and features as
needed
HP offers a variety of MSM APs.
With the exception of the M110 and the MSM317, these APs can operate in
autonomous or controlled mode.
The MSM Controllers and APs support an optimized WLAN architecture. You can
configure how authentication and wireless traffic is handled for each VSC, selecting
one of the following options:
Rev. 14.21
Distributed forwarding
147
Learning check
Answer the following questions:
1.
Match the following:

a.
MSM410
b.
MSM466
_____ AP that provides one 802.11n radio

_____ AP that provides two 802.11n radios
2.
A company is implementing an MSM wireless solution. The network designer has

determined that the company requires 28 APs. However, the company plans to
expand the wireless network when it builds a new wing on the building later this
year. The network designer thinks the company will need a high-density AP
environment for the new building, requiring 10 additional APs. Which MSM
Controller would you recommend, and why?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
3.
What is the difference between an access controller and a premium mobility

controller?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
148
Rev. 14.21
Initial Setup and Configuration

Module 2
Objectives
This module explains how traffic flows through an HP MSM Controller, providing
guidelines and best practices for deploying the controller in a variety of
environments. After completing this module, you should be able to:
Plan how to connect an MSM Controllers ports based on a companys

requirements
Deploy an MSM Controller and complete the initial configuration
Deploy MSM APs and enable them to become controlled
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
21
Discussion topics
To deploy an MSM Controller properly, you must plan how to connect the controller
to other network infrastructure devices. Which MSM720 ports should you connect?
On other MSM Controllers, should you connect the LAN port, the Internet port, or
both? Should the port connect to a switch port that has an untagged VLAN
assignment, or should you send traffic that is tagged for particular VLANs to the
controller? On the controller side, how do you map IP addresses to VLANs and
VLANs to ports?
To answer these questions and create the best plan for a particular deployment, you
must understand the controller ports and network. In particular, you require a good
understanding of how the controller processes incoming traffic depending on the port
and VLAN on which it arrives. The first section of this module provides some answers;
you will continue to expand your understanding of controller ports and networks as
you learn about more features of the controllers throughout this course.
22
Rev. 14.21
MSM760 MSM710,
or MSM775
zland
ports
MSM760,
MSM765 zl ports
Two ports
Internet
LAN
Routed
Different subnets
One default network profile

per port:
Associated with untagged
traffic
Associated with an IP interface
Figure 2-2: MSM760 or MSM775 zl ports
Begin by4 examining

the MSM760 and MSM775 zl Controllers, which each have two
Rev. 12.31
ports named the Internet port and the LAN port. Permanently associated with each
physical port is a network profile, named Internet port network and LAN port
network, respectively. When the controller operates at the default settings, you might
not understand the importance of distinguishing between the network profile and the
physical port. However, as you add network profiles to the controller, you will see
that two network profiles mapped to the same port might support quite different
features and exhibit different behavior. For this reason, you should take care to
distinguish between, for example, the LAN port network and the physical LAN port.
The permanent, default profiles are associated with untagged traffic. That is, all
untagged traffic on the LAN port is mapped to the LAN port network profile; at the
default settings, all tagged traffic is dropped. Similarly, if this interface needs to
forward traffic, it forwards it as untagged. To help you understand when a ports
default network profile interface is being discussed as opposed to the physical port,
this course will refer to interfaces as the (untagged) LAN port interface and the
(untagged) Internet port interface. When you configure the controller, you might
change the name of the default profiles to names that make sense for you.
In some ways, you can think of these interfaces like the untagged VLANs on switch
ports. If the controller connects to a switch, the untagged VLAN assignment on the
connecting switch port determines the interfaces VLAN. In other words, if you
connect the Internet port to a switch port that is untagged for VLAN 50, the Internet
port network receives traffic in VLAN 50.
Do not carry this analogy too far, however. It is very important to understand that the
MSM760 and MSM775 zl ports are true router ports, and each IP interface requires
its own unique subnet.
The LAN port network and Internet port network profiles are also associated with IP
interfaces, on which you establish IP settings. The figure shows the default IP settings.
Rev. 14.21
23
The LAN port has an IP address of 192.168.1.1/24. The Internet port uses DHCP. If it
receives a default gateway with the DHCP settings, it adds the gateway as a default
route in its global table. You can also configure a static IP address on the (untagged)
Internet port interface, or disable its IP settings entirely. The (untagged) LAN port
interface always requires a static IP address.
For these default profiles, match the IP settings for the connected switch ports
untagged VLAN. For example, if the Internet port requires an IP address in the VLAN
50 subnet, connect the Internet port to a switch port that is untagged for VLAN 50.
WARNING
Never assign an IP address in the same subnet to two different MSM Controller
IP interfaces. Doing so creates a routing loop that might lock you out of the
controller and cause other issues.
The controller associates the default profiles with specific functions, which are
described in a schematic just a bit later. For this reason, you cannot delete these
profiles nor remove them from the controller ports.
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
24
Rev. 14.21
MSM775 zlMSM765
internalzl internal
ports ports
Rev. 12.31
Figure 2-3: MSM775 zl internal ports
Because the MSM775 zl Premium Mobility Controller resides within an HP 5400 zl

or 8200 zl Series switch as a module, you cannot see its ports. Nonetheless, the
module does have two internal, physical 10 GbE ports, which correspond to the
Internet and LAN ports on, for example, an MSM760.
The HP zl switch also has two ports in the line card that are hard cabled to the
module ports. The switch CLI refers to the ports as <slot>1 and <slot>2, <slot> being
the letter of the slot in which the MSM775 zl is installed. The <slot>1 port connects
to the Internet port, and the <slot>2 port connects to the LAN port. You treat these
ports as you do other ports on the switch. You can enable, disable, and assign
VLANs to them. For example, an MSM775 zl switch is installed in slot D of an HP
8212 zl switch, and you want to connect the MSM775 zls untagged Internet port
network in VLAN 11. You would enter this command in the switch CLI:
Switch(config)# vlan 11 untagged d1
The HP zl switch can then receive traffic from the MSM775 zl Internet port on VLAN
11 and switch that traffic to any of its other ports in that VLAN. The switch can also
receive the traffic on its own VLAN 11 IP interface, if it has one.
The MSM775 zl and zl switch internal ports are permanently connected. As you
investigate standard MSM solution deployments, you will learn that in some
circumstances, you only want to use one of the ports. To simulate disconnecting an
MSM775 zls Internet port, you disable the <slot>1 interface.
Rev. 14.21
25
However, the situation is a bit more complicated for an MSM775 zls LAN port. In
addition to carrying network traffic to the controllers LAN port, the <slot>2 port
carries Services Management Agent (SMA) communications between the MSM775
zl module and the switch. These communications enable the switch to detect the
modules status and to support the controllers CLI, which you access by entering
services <slot> name msm775-application from the switchs global configuration
mode.
The communications also deliver the clock to the MSM775 zl. When configuring the
MSM775 zl, you will notice that the settings in its Controller >> Management >
System time window are disabled. You should make sure that the switch
administrator sets the clock on the switch, preferably to a Simple Network Time
Protocol (SNTP) server.
For all of these reasons, you must never disable the <slot>2 port. Keep this rule in
mind as you learn about deploying the MSM Controllers. You might decide to adjust
your plan to incorporate the LAN port. The figure shows an example in which the
controller has IP interfaces for profiles mapped to the LAN port. The connected switch
port carries tagged traffic to these interfaces. The port does not carry untagged
traffic, so the untagged LAN port network, although not the LAN port itself, is
effectively disconnected. If you do decide to use an Internet-port-only deployment, in
which the LAN port does not receive either untagged or tagged traffic, you will need
to isolate the <slot>2 port in an unused VLAN rather than disable the port.
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
26
Rev. 14.21
MSM Controller
schematic
MSM Controller
schematic
Rev. 12.31
Figure 2-4: MSM Controller schematic
With this general background in controller ports, you can move on to examining how
the controller passes traffic received on its default (untagged) interfaces to its internal
functions. You will examine the schematic above from various angles throughout this
course as you turn your attention to one function or another.
For now, you must understand that the untagged interfaces have specific functions:
Rev. 14.21
The (untagged) LAN port interface supports DHCP services.

If access control is enabled on the default VSC, as it is by default, traffic
received on the (untagged) LAN port interface connects to the internal Access
Controller. This internal Access Controller is responsible for redirecting accesscontrolled users to a login portal and for controlling the users traffic both before
and after authenticationin other words, the functions typically associated with
guest access. You will learn more about these functions, as well as other ways to
map client traffic to the Access Controller, in Module 5: Guest Solutions.
The controller can route access-controlled trafficthat is, traffic mapped to the
Access Controller. When it routes the traffic out the (untagged) Internet port
interface, the controller can apply bandwidth control, NAT services, and stateful
firewall services.
The controller can also route access-controlled traffic out the (untagged) LAN
interface. However, this interface does not connect to the bandwidth controller,
NAT services, or firewall. For this reason, you usually should not design your
solution to route access-controlled client out this interface.
The router is tied to the internal Access Controller. In other words, the MSM
Controller routes traffic to or from access-controlled clients. It does not route
traffic for other devices or on its own behalf.
27
28
The controller can pass traffic from either untagged interface to its management
functions. (The next slides explain how to enable these functions on interfaces.)
This traffic does not interact with the access controller, router, bandwidth
controller, NAT, or firewall. In other words, it is separate and secured from the
client traffic passing through the controller.
Similarly, the controller can pass traffic from the management tunnel established
with an AP to its AP Controllerprovided that AP discovery is enabled on the
interface. Again, the AP management traffic is separate and secured from other
traffic, such as that from access-controlled clients or mobility clients.
Rev. 14.21
Exploring how the MSM Controller handles

Exploring how the MSM Controller handles incoming
incoming traffic
traffic
Traffic destined to the controller:
Controller management (Web, SOAP, SNMP, and so forth)
AP management
Traffic associated with access-controlled clients (default: untagged LAN

port traffic):
DHCP discovery broadcasts
Traffic directed to the controller for routing
Figure 2-5: Exploring how the MSM Controller handles incoming traffic
Rev. 12.31
You will now verify that you understand the schematic, by beginning to explore
various types of traffic that might arrive on a controllers ports.
First, you will examine how the controller handles traffic that is destined to its own IP
address on one of its interfaces. This traffic might be related to several different
functions including AP management or management of the controller itself. You will
examine this traffic on the next several slides.
Controllers may also receive traffic from or to access-controlled clients. This type of
traffic might be received on any controller interface. To understand how the controller
handles this traffic, you must understand VSCs, client data tunnels, and various
security mechanisms. Therefore, you will wait until Module 5: Guest Solutions for
an in-depth look. However, because the controllers (untagged) LAN port network
can immediately start associating traffic with the default access-controlled VSC, you
will consider this type of traffic briefly in this module.
Note
The MSM Controller can also receive and handle tunneled traffic from mobility
clients. The Mobility Traffic Manager (MTM) feature is discussed in the HP
Enterprise Wireless Networks course.
Rev. 14.21
29
Web browser interface traffic
Web browser interface traffic
Figure 2-6: Web browser interface traffic

Rev. 12.31
8
When you
are
first setting up a controller, you want to reach its Web browser
interface (also called its management tool) so you can begin configuring it. Here you
see how the controller handles HTTP and HTTPS traffic that arrives on one of its
interfaces.
The controller recognizes that the traffic is destined for the Web browser interface by
the TCP port. By default, the well-known HTTP and HTTPS ports (80 and 443,
respectively) map to the Web browser interface. When the controller receives traffic
destined to one of its IP addresses on one of these TCP ports, it checks whether
management is permitted on the interface on which the traffic has arrived. If so, the
controller displays the Web browser interface login page, first redirecting HTTP traffic
to HTTPS for extra security.
You configure the permitted interface list, as well as other settings related to the Web
browser interface, in the controllers Controller >> Management > Management tool
window. By default, access is allowed on both the (untagged) Internet port and LAN
port interfaces.
You can also specify a list of allowed source addresses for the HTTP or HTTPS
requests; if the list is empty, the controller allows any IP address. However, as soon
as you add one IP address to the list, only IP addresses in the list can reach the
controllers Web browser interface.
In addition to adjusting the interfaces on which management is allowed and the
permitted source IP addresses, you can configure the TCP ports that map to the Web
browser interface. For example, you could change the HTTP and HTTPS ports to
8010 and 8020. Then you would have to browse to http://<controller IP
address>:8010 or https://<controller IP address>:8020 to access the Web browser
interface.
210
Rev. 14.21
Finally, remember that the controller only provides routing for other devices when the
traffic is destined to or received from an access-controlled client (passes through the
Access Controller engine). Therefore, the HTTP or HTTPS request for the controllers
Web browser interface must arrive on the IP interface with the address to which the
request is destined. A management station can reside on a different VLAN from the
controllers management interface, but another device must route the traffic to the
correct subnet for the controller interface.
On the other hand, the controller does perform routing for its own traffic. Therefore,
you must verify that the controller has a route back to any subnet from which you
want to access it. Typically, a default route works, but you can define multiple static
routes on the controller.
Note
You can specify a separate management IP address for the untagged LAN port
network (or Access network) interface. In this case, the controller will route any
traffic received on that interface to the management address.
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
211
Other management traffic
Other management traffic
Figure 2-7: Other management traffic

Rev.handles
12.31
9
The controller
other traffic destined to one of its interfaces IP address in a
similar manner. It recognizes the application for which the traffic is destined based
on the protocol and port. It determines whether the application is permitted on that
interface and from the source IP address, and, if the application is allowed, the
controller processes the packet.
The table below lists the applications supported on the controllers IP interfaces and
the default protocols and ports associated with them. It also indicates whether you
can change the ports, whether you can choose the IP interfaces on which the traffic is
permitted, and whether you can choose the permitted source IP addresses.
Table 2-1: Applications supported on MSM Controller IP interfaces

Application
Web browser
interface
(Management
tool)
Default
protocol and
port
Default permitted
IP interfaces
Configurable
TCP or UDP
port?
Configurable
interfaces?
Configurable
source IP
addresses?
MSM720: Access
Yes
Yes
Yes
Yes
Yes
Yes
No
Configurable
through the
Management
tool interfaces
(the same
interfaces are
permitted for
SSH)
No
TCP 80
(redirected to
443)
TCP 443
SNMP
UDP 161
SSH
212
TCP 22
network and
Internet network
Other controllers:
LAN port network
and Internet port
network
MSM720: Access
network
Other controllers:
LAN port network
MSM720: Access
network and
Internet network
Other controllers:
LAN port network
and Internet port
network
Rev. 14.21
Application
SOAP
Default
protocol and
port
TCP 448
Default permitted
IP interfaces
Configurable
TCP or UDP
port?
Configurable
interfaces?
Configurable
source IP
addresses?
MSM720: Access
Yes
Yes
Yes
No
Yes
No
No
No
No
Configurable
through the
discovery
interface (APs
are always
managed on
the interface
on which they
are
discovered)
No
Yes
Yes
No (any
permitted)
Yes
AP discovery
UDP 38212
AP management
TCP or UDP
1194
Management
with HP MM
Return TCP traffic

from 7668
network
Other controllers:
LAN port network
MSM720: Access
network
Other controllers:
LAN port,
including any IP
interfaces on the
LAN port
Any interface
Any interface
Any traffic from

Public access
interface
(internal login
pages and login
requests)
HTTP:
TCP 8080
HTTPS:
TCP 8090
access-controlled
clients
If NOC-based
authentication is
enabled, Internet
port
GRE
IP protocol 47
Any interface
IPsec
ESP or AH
None configured by
default
Rev. 14.21
Yes (you must

configure a
single IP
address)
Yes
Only applies to
NOC-based
authentication;
traffic from
access-controlled
clients is always
permitted
Accepted from
configured peer
Accepted from
configured peer
213
Traffic from access-controlled

clients(default)
(default)
Traffic from access-controlled
clients
Default VSC has access
control enabled by default.
The controller treats devices
on the untagged LAN port
interface as access-controlled
clients.
If enabled, the DHCP server
responds to requests.
Other traffic is captured.
10
Figure 2-8: Traffic from access-controlled clients (default)
Rev. 12.31
The controller is a network infrastructure device that can process and forward traffic
that is not specifically destined to it. Specifically, the controller includes a Layer 3
router as you saw within earlier schematics.
However, you must understand that the controller does not function as a simple
router. That is, you cannot simply direct traffic to the controller and expect the
controller to route the traffic. Instead, the controllers routing functions relate to how it
forwards client traffic that it receives and maps to an access-controlled VSC.
You will study how the controller maps incoming traffic to access-controlled VSCs in
detail in Module 5: Guest Solutions. For now, you simply need to understand that
an MSM760 or MSM775 zl, by default, considers any traffic that arrives untagged
on its LAN port as part of the default VSC. Thus it considers any devices on those
networks as access-controlled clients, which need to authenticate.
As it attempts to capture and control traffic mapped to this VSC, the controller
exhibits the following behavior:
214
If you enable the DHCP server on the LAN port, the controller responds to all
untagged DHCP discovery requests received on the LAN port. The controller
assigns its own LAN port IP address to clients as their DNS server and typically
as the default gateway. Therefore, any clients that receive the controllers DHCP
offer begin directing DNS requests and traffic that needs routing to it.
The controller responds to DNS requests that are directed to it, of course. It can
also intercept requests that are directed to other DNS servers (if DNS
interception is enabled on it).
Rev. 14.21
Rev. 14.21
As the clients default gateway, the controller begins to receive traffic to be

routed from clients to which it assigned DHCP settings. Rather than simply
routing this traffic, the controller first passes it through its Access Controller. You
will learn about the controllers access control capabilities in Module 5: Guest
Solutions. For now, you simply need to understand that the controller initially
drops most client traffic and redirects HTTP and HTTPS traffic to a login page.
215
Adding VLANs to MSM760 or MSM775 zl

Adding VLANs to MSM710, MSM760, or MSM765 zl
Controller ports
Controller ports
11
Rev. 12.312-9: Adding VLANs to MSM760 or MSM775 zl Controller ports

Figure
For several reasons that you will examine throughout this course, you might require
more IP interfaces than the default two. You might also require VLAN interfaces
without IP interfaces. The slide illustrates how you use network profiles to create
additional VLANs and IP interfaces on the physical controller ports.
Network profiles
An MSM Controller maintains a list of network profiles, each of which has a name
and an optional VLAN ID. You can create new network profiles in the Controller >>
Network > Network profiles window. However, a network profile does not have any
effect until you apply it. The controllers support multiple functions for their network
profiles, including assignment to APs to control how the APs forward traffic. But for
this module, you will focus on profiles that are mapped to the controllers own ports.
Mapping network profiles to controller ports as VLANs

You can map a profile to the controllers LAN port or Internet port using the
Controller >> Network > VLANs window. The controller can then send and receive
traffic on that network.
Note
You will look at these windows closely and practice the configuration in this
modules labs.
216
Rev. 14.21
Although the VLAN ID is optional, you can only assign profiles with VLAN IDs to a
controller port. A port can only support one untagged profile, and the default,
permanently assigned profiles already fulfill that role. For this reason, the new profiles
that you assign to an MSM760 or MSM775 zl port always send and receive tagged
traffic. The connected switch port, of course, must support the VLAN as a tagged
VLAN.
Remember: the physical ports are routed ports. You cannot assign the same network
profile to both ports. In addition, although you can configure the same VLAN ID in
two profiles and assign them to different ports, you must understand what this means.
The MSM Controller does not switch traffic in that VLAN between the ports. Instead,
you should only set up the ports this way if the VLAN is truly associated with a
different subnet on each device connected to the two ports.
Configuring IP interfaces for profiles with VLAN IDs (non-default IP

interfaces)
You can create an IP interface for each network profile that is mapped to a controller
port. Conversely, if the profile is not mapped to a port, you cannot create an IP
interface for it. The option will not be displayed in the Controller >> Network > IP
interfaces window.
For these profiles, the physical port to which you map the interface does not affect
the interfaces functions. An IP interface mapped to either the physical LAN port or
the physical Internet port acts like the (untagged) Internet port interface. You can
specify a static IP address or configure the interface to use DHCP. Similarly, you can
configure NAT on the interfaces.
For example, in Figure 2-9, network profile A (VLAN ID 10) is mapped to the LAN
port and has an IP interface associated with it. This IP interface supports much the
same functions as the untagged Internet port network interface. Write Like Internet
network under VLAN 10 to remind you of this. Do the same for other IP interfaces in
the figureexcept the (untagged) LAN port interface.
Two differences between an IP interface associated with a tagged VLAN and the
(untagged) Internet port interface apply:
Rev. 14.21
You can configure a default gateway IP address in the IP interface settings. If the
interface uses DHCP, it can also receive a default gateway IP address. However,
this gateway is not added as the next hop for a default route in the controllers
global list. Instead it is used for a special function about which you will learn in
Module 5: Guest Solutions. If you want to create a route through the IP
interface, you must define it globally in the Controller >> Network > IP routes
window.
The bandwidth controller only applies to interfaces that are associated with the
physical Internet port.
217
Note
You do not have to create an IP interface for every profile mapped to a controller
port. You will learn about some functions for VLANs without IP interfaces in later
modules.
You might hear about non-default IP interfaces associated with controller ports
referred to as tagged VLAN interfaces. On the MSM760 or MSM775 zl Controller,
this term is accurate. However, as you will see, on the MSM720, this rule does not
hold true. To eliminate confusion, this course will refer to the profiles as non-default IP
interfaces.
Non-default IP interfaces and the controller schematic

Now that you understand, for example, the difference between an IP interface on the
LAN port and the (untagged) LAN port interface, you should understand how the
non-default interfaces fit in the controller schematic. These IP interfaces play the same
roles as the (untagged) Internet port interface.
Figure 2-10: Other IP interfaces in the MSM Controller schematic
218
Rev. 14.21
Rev. 14.21
The controller can pass traffic from any IP interface to its management functions.
However, you must enable these functions on the IP interface separately. For
example, you create a network profile named Management with VLAN ID 10,
map it to the LAN port, and create an IP interface for it (IP address
10.1.10.1/24). You must enable the management tool on this interface, if you
want to be able to contact the controllers Web browser interface at 10.1.10.1.
Similarly, you must enable SNMP on the interface to manage the controller in
that way on this address.
The controller can receive traffic from APs on any IP interface. For this function,
you enable the feature on a physical port, and the controller allows the function
on any IP interface configured on that port.
Just like the (untagged) Internet port network, the non-default IP interfaces do not
map to the Access Controllerunless special tunneling is involved as you will
learn later.
However, the controller can route traffic to and from access-controlled clients and
any IP interface (no matter which physical port supports the interface).
Remember: the controller does not route traffic for non-access-controlled devices.
For example, you have defined an IP interface for the Management (VLAN 10)
profile as described above. If you want other devices to reach this address, the
subnet must also exist in the LAN or on the router to which the controller
connectsjust like the subnets for the controllers untagged IP interfaces must
exist. You cannot expect the controller to route this traffic from one of its
interfaces to another.
219
MSM720 ports
MSM720 ports
MSM720 ports act like switch ports.
You can:
Aggregate ports (static trunk and active LACP)
Assign network profiles as untagged and tagged to multiple ports or trunks
Do not create loops.
Figure 2-11: MSM720 ports

Rev. have
12.31
Until now,12 you
learned about the MSM760 and MSM775 zl controllers, all of
which have the same two ports. You will now learn about the MSM720, which
although similar in many ways, has its unique features.
The MSM720 has six ports instead of the two ports of the other MSM Controllers.
Four of these ports are RJ-45 10/100/1000 Mbps ports while two are dualpersonality RJ-45 10/100/1000 Mbps or GbE fiber ports.
The MSM720 ports act less like router ports, as do the other controllers ports, and
more like routing switch ports. You can create tagged and untagged VLAN
assignments on these ports much as you would switch ports. You can also combine
the ports into link aggregation groups, or trunks, using static mode or active LACP.
Then you can apply VLAN assignments to the trunks.
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
220
Rev. 14.21
MSM720 networks
MSM720 networks
You can associate a mapped profile with an IP interface:

Access network interface = (untagged) LAN port interface
Internet network interface = (untagged) Internet port interface
Non-default profile interfaces = Non-default profile interfaces
Any profile can be tagged or untagged.

13
Rev. 12.31
Figure 2-12: MSM720 networks
Like other controllers, the MSM720 uses global network profiles. However, every
profile that is mapped to a port requires a VLAN ID. When you assign the profile to
a port, you select whether the associated VLAN is tagged or untagged on that port.
If tagged, the controller includes a VLAN tag when it needs to send a frame on that
VLAN and that port. Equally, the controller uses a VLAN tag in traffic received on the
port to map the traffic to the VLAN. It only accepts tagged traffic for which the ID is
configured as a tagged VLAN on the port.
If untagged, the controller sends traffic in that VLAN and on that port as untagged,
and it assigns any traffic that is received on that port without a tag to that VLAN.
Although the controller does not use the VLAN ID in sending and receiving traffic on
that particular port, it does use the ID internally to determine how to switch traffic
from one port to another.
The MSM720 has two network profiles at factory defaults. Called the Access network
and the Internet network, these profiles roughly correspond to other controllers LAN
port network (untagged) and Internet port network (untagged) profiles, respectively.
However, the profiles have associated VLAN IDs, the Access networks default ID
being 1 and the Internet networks being 10.
The figure illustrates the relationship between these profiles and the MSM720s ports
at factory defaults. The Access network is assigned untagged to the four RJ-45
10/100/1000 Mbps ports, ports 1 to 4. The Internet network is assigned untagged
to the two dual-personality ports, ports 5 and 6.
You can edit the default profiles, giving them, for example, different VLAN IDs.
However, you cannot delete them.
Rev. 14.21
221
The default profiles have functions similar to the untagged profiles on other MSM
Controllers ports. For example, traffic associated with the Access networkwhether
that network is tagged or untagged on a portis always treated like untagged traffic
on another controllers LAN port. If you do not want any traffic treated in this way,
you can always assign a different profile to the ports and remove the Access network
profile.
As on other controllers, you can create additional profiles and assign them to ports.
However, you can assign these profiles as either tagged or untagged. Of course,
each port can have only one untagged assignment, so assigning a new network
profile to a port as untagged would remove the existing untagged network profile.
After you assign a profile to a port, you can create IP interfaces for that profile in the
same manner as for other controllers. The figure below shows an example.
Table 2-2: Relationship between MSM720 and other controller

profiles
MSM720 network profile
Access networkCan be tagged or
untagged
Internet networkCan be tagged or
untagged
Non-default profiles assigned to
portsCan be tagged or untagged
Other controller
(untagged) LAN port network
(untagged) Internet port
network
Non-default profiles assigned to
one port onlyAlways tagged
Figure 2-13: Ports and example VLANs and IP interfaces on an MSM720
222
Rev. 14.21
Activity: Exploring
how how
the the
MSM
Controller
Activity: Exploring
controller
handles handles
incomingtraffic
wired traffic
(untunneled)
incoming wired
(untunneled)
How does the controller handle the packet?
MSM760
DHCP requests
MSM760
HTTP requests
MSM720
DHCP requests
MSM720
HTTP requests
1
Responds
3
Ignores
________
7
Ignores
________
9
Sends
to Access
________
Controller
2
Ignores
________
4
Sends
to Access
________
Controller
8
Responds
________
10
Responds
________
________
5
Ignores
________
6
Responds
________
Figure 2-14:
Activity:
Exploring how the MSM Controller handles incoming wired traffic (untunneled)
Rev. 12.31
14
You will now examine two scenarios and determine how the MSM Controller in each
scenario handles several packets. For this activity, you are exploring how the
controller operates when you have configured IP addresses, enabled DHCP services,
and set a management interface. However, you have not configured your own VSCs,
changed settings on the default VSC, or deployed APs. In other words, these packets
arrive on the controllers interfaces from the Ethernet network without any special
tunneling from an AP.
This activity helps you to understand what to expect when you connect the controller
to the networkso that you can plan the proper ways to connect the controller and
configure these features.
As you answer questions for the scenarios, you can fill them in the figure above.
MSM760 Controller
The following figure indicates the VLAN and IP settings for an MSM760 Controllers
LAN port at the top; it also shows the controllers IP route. The bottom section of the
figure shows the untagged VLAN assignment on the connected switch port. The
switchs routes are shown below.
Rev. 14.21
223
Figure 2-15: Network settings on the MSM760 LAN port and connected switch port
Figure 2-16: DHCP settings on the MSM760
224
Rev. 14.21
DHCP requests
As you see in the above figure, DHCP is enabled on the server. Consider to which
DHCP requests the controller responds.
1.
A DHCP discovery broadcast arrives on the LAN port in an untagged frame.

Does the controller respond?
_______________________________________________________________________
2.
A DHCP discovery broadcast arrives on the LAN port in a frame tagged for
VLAN 10. Does the controller respond?
_______________________________________________________________________
HTTP requests
Next explain how the controller handles each HTTP packet as it arrives on the
indicated port.
Note
Some packets arrive on IP interface but are not destined for that interfaces IP
address. These packets arrived there because the encapsulating frame had the
controllers MAC address; that is, the packet was directed to the controller
interface for routing.
3.
This packet arrives on the LAN port:
VLAN tag: None
Source IP address: 10.1.20.50
Destination IP address: 10.1.3.2
Destination TCP port: 80
What does the controller do?

_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
4.
Rev. 14.21
VLAN tag: None

225

_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
5.
VLAN tag: None

_______________________________________________________________________
_______________________________________________________________________
The switch has been reconfigured as indicated in the figure.
226
Rev. 14.21
Figure 2-17: Network settings on the MSM760 LAN port and connected switch port
6.
VLAN tag: 10

_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
227
MSM720 Controller
The figure indicates the VLAN and IP settings for an MSM720 Controller port 1 at
the top and the corresponding VLAN assignments on the connected switch port. The
MSM720 supports the same DHCP settings and management tool settings as
indicated in Figure 2-16 (replace LAN port with Access network).
As indicated earlier, besides these settings, the controller is using default ones.
Figure 2-18: Network settings on the MSM720 port 1 and connected switch port
DHCP requests
First consider to which DHCP requests the controller responds.
7.
A DHCP discovery broadcast arrives on port 1 in an untagged frame. Does the

controller respond?
_______________________________________________________________________
8.
A DHCP discovery broadcast arrives on port 1 in a frame tagged for VLAN 3.

Does the controller respond?
_______________________________________________________________________
228
Rev. 14.21
HTTP requests
Next explain how the controller handles each HTTP packet as it arrives on the
indicated port.
9.
This packet arrives on port 1:
VLAN tag: 3

_______________________________________________________________________
_______________________________________________________________________
10. This packet arrives on port 1:
VLAN tag: None

_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
229
Discussion topicsDiscussion topics

HP MSM Controller ports and networks
Initial setup
Initial setup process

Planning the controllers connection
Obtaining initial access
Configuring IP and other initial settings
Temporarily disabling the default VSC (optional)
Connecting the controller in its final location
Restricting management to the correct interface
Lab Activity 2.1
AP deployment
Figure 2-19: DHCP settings on the MSM760
The next section takes you through the initial setup process, providing guidelines and
best practices.
21
230
Rev. 12.31
Rev. 14.21

1. Obtain initial access.
2. Configure IP settings.
3. Connect the controller to the network.

4. Restrict management to the correct interface.
5. Temporarily disable the default VSC (optional).
Figure 2-20: Initial setup process
You should typically obtain direct access to the MSM Controller and configure its IP
settings before you connect the controller to the network. You might also disable the
default VSC to ensure that it does not start controlling clients until you have
configured the correct settings for your environment. Finally, after you have connected
the controller to the network and verified that you can reach its Web browser
management interface, you should restrict management to the correct interface.
The next slides cover22 this
process in more detail.
Rev. 12.31
Rev. 14.21
231
Planning the
MSM
connection
Planning
the Controllers
controllers connection
Select an IP interface (and port) on which to manage the controller:
Typical: Internet
Another option: LAN port +

tagged management
Figure 2-21: Planning the MSM Controllers connection
Before you
Rev. 12.31 the initial setup process, however, you need to plan the final
23 begin
connection. First, you must select on IP interface on which to manage the controller.
At the factory default settings, you have two MSM Controller interfaces from which to
choose:
The MSM760 or MSM775 zl has:
The (untagged) Internet port interface
The (untagged) LAN port interface
The MSM720 has:
The Internet network
The Access network
Of course, you can also create a new IP interface if necessary.
MSM760 and MSM775 zl controllers

On these controllers, the default interfaces are permanently associated with a
physical port. Therefore, your choices for management interface interact with your
choices for ports to connect. The sections below explain the typical choices.
Note
Although the figure shows an MSM760 for one option and MSM775 zl for the
other, you can use each option with other models of controllers.
232
Rev. 14.21
Typical: Internet port

Administrators often choose the Internet port for connecting the controller to the
network and the (untagged) Internet port interface for managing the controller. This
preference relates to the MSM Controllers DHCP services and access control
capabilities.
You learned how an MSM Controller, by default, treats devices on the untagged
VLAN connected to the controllers LAN port as access-controlled clients. (An
MSM720 does the same on its Access network VLAN). As you initially deploy the
controller, leaving the LAN port (or Access network ports) disconnected, helps to
prevent unexpected behavior. For example, an administrator might enable the DHCP
server to provide access-controlled clients with IP addresses without checking the
untagged VLAN ID on the connected switch ports. This could cause connectivity
failures as the controller begins assigning clients the wrong IP addresses and
redirecting the clients to a login page.
When you are configuring guest access solutions, you want the controller to behave
in this way for the correct clientsModule 5: Guest Solutions teaches strategies for
mapping traffic to the correct VSCs both with and without the LAN port connected
(or Access network mapped to an MSM720 port).
For now, know that you can retain flexibility and avoid misconfigurations by
connecting the Internet port and leave the LAN port disconnected. You can configure
the controllers default route and management functions on the (untagged) Internet
port network. In fact, you can configure a complete solution, including both accesscontrolled and non-access-controlled solutions with such a deployment.
However, if you later decide to add the LAN port (see the section on using two ports
below), you retain that option.
Alternate: LAN port with tagged IP interface

Despite these considerations, some administrators might decide to use the LAN port.
One reason is that they plan to connect the (untagged) LAN port network to an
unauthenticated guest VLANyou will learn more about that in Module 5: Guest
Solutions.
An MSM775 zl introduces another reason. Due to the SMA communications carried
between the HP zl <slot>2 port and the MSM775 zl module, you cannot disconnect
the MSM775 zls LAN port from the switch entirely. Administrators can simulate an
Internet port deployment on the MSM775 zl by isolating the LAN port in an unused
VLAN. However, some might choose to use the LAN port instead.
When you initially connect the LAN port to the network, connect it on an IP interface
associated with a tagged VLAN. That is, create a network profile, map it to the LAN
port, and create an IP interface for that profile. That IP interface then acts almost
exactly like the (untagged) Internet port interface, and you can use it for management
in similar ways.
Rev. 14.21
233
For all the reasons discussed in the section above, pay attention to the untagged
traffic carried between the LAN port and the connected device. Unless you have a
specific reason to connect the (untagged) LAN port interface, do not allow untagged
traffic on the connection. Although you might have disabled the features that can
cause problems, there is no need to introduce a chance for error.
Note
It is possible to manage the controller on the (untagged) LAN port or Access
network interface. However, it is not generally recommended; you must plan
carefully to ensure that the solution functions as you desire and that you do not
introduce security or connectivity issues. You will understand better why as you
learn more about access-controlled solutions.
Two ports
When the controller is mainly managing APs, which are forwarding traffic locally, a
single port can support the necessary traffic. Sometimes, however, the controller
needs to handle a great deal of traffic from access-controlled clients. Module 5:
Guest Solutions, which introduces access-controlled solutions, and Module 6:
VLANs will explain when you might want to add a second port and additional
VLANs and IP interfaces to your solution.
MSM720
For the MSM720, also, the Internet network is generally preferred to the Access
network for management. But, on this controller, you can choose precisely which
network profile to assign to each port. Therefore, you can assign the Internet network
to whichever port or ports you want to connect to the network.
If you choose to use more than one port, simply make sure that you have not
introduced a loop.
Later, just as on other controllers, you can decide whether you need to connect
additional ports and add more VLANs and IP interfaces.
234
Rev. 14.21
Obtain initial access
Figure 2-22: Obtain initial access
You are now ready to obtain initial access to the MSM Controller. At this point, you
might not connect the port that you plan to connect in the end.
Direct connection
Generally, it is recommended that you establish a direct connection between a
management station and the controller. You can then use the controllers Web
browser interface or CLI to configure the controllers IP and management settings
before you ever connect the controller to the network. This option usually provides the
simplest setup but does require you to have physical access to the controller.
You can establish the direct connection with either an Ethernet cable, in which case
you use either the Web browser interface to complete the initial setup, or with a
serial cable, in which case you use the CLI. The Web browser interface generally
provides the simplest option. However, for the MSM775 zl, you must use the CLI to
assign the initial IP settings.
Direct Ethernet connection

In more detail, to obtain initial access to an MSM Controller though a direct Ethernet
connection, follow these steps:
1.
Connect the management station to the MSM760s LAN port. Or connect the
management station to the MSM720s port 1, 2, 3, or 4.
2.
Configure the management station with these IP settings on its Ethernet NIC:
IP address = 192.168.1.2 (you can actually use any address between

192.168.1.2 and 192.168.1.254)
Subnet mask = 255.255.255.0
Also make sure that the management station does not have any other Ethernet or
wireless NICs that are enabled and connected.
Rev. 14.21
235
3.
On the management station, open a Web browser and navigate to 192.168.1.1.
4.
Accept the certificate error and login with the default credentials:
5.
Username = admin
Password = admin
You are prompted to complete several initial tasks such as accepting the EULA
agreement, changing the password, and setting the country code. You will
practice completing this step in Lab Activity 2.1.
The next slides describe how to complete the initial setup and then connect the
controller in its final location.
Console connection or zl switch CLI

The MSM Controllers Web browser interface offers the most configuration options,
and you will use it to complete most tasks. However, you must use the CLI to perform
initial configuration on the MSM775 zl.
Follow these steps:
1.
An MSM775 zl connects to the network as soon as you install it. Therefore, to

follow the guideline about preventing network traffic from arriving on the LAN
port network, you might immediately change the VLAN assignment on the
<slot>2 port. Simply making the port a tagged member of VLAN 1 rather than
an untagged member protects you from issues caused by configuration errors
during the initial setup.
Switch(config)# vlan 1 tagged <slot>2
Replace <slot> with the letter of the slot in which you installed the MSM775 zl.
Note
This step is not required. However, it helps to prevent issues if you later need to
enable DHCP services on the controller.
2.
Access the MSM Controllers CLI:
For the MSM720, or MSM760, connect your management stations console

port to the controllers console port. Use terminal session software to open a
console session. (Refer to the controllers Installation and Setup Guide for
cable and terminal session specifications.) Finally, login with the default
credentials (username, admin and password, admin).
For the MSM775 zl, you must access the CLI through the HP zl switch CLI.
Establish a console, Telnet, or SSH connection with the switch, depending
on how the switch is configured. Then enter this command from the switchs
configuration mode context:
services <slot> name msm775-application
236
Rev. 14.21
3.
Accept the EULA agreement. (You must press a key to move through the pages
and then enter YES.)
The next slides explain how to complete the initial setup. You can also refer to the
MSM 7xx Controllers guides at the HP Networking web site.
Alternative strategies
C
Indirect Ethernet
connection
Fastest way to get the controller

connected when:
You manage the controller on the
untagged Internet port network
The controller can use DHCP to
receive its management address
(recommended, fixed)
Indirect Ethernet
connection and no DHCP
A way to reach the controller remotely

at its default IP addressbut be careful
to leave the controllers DHCP services
disabled or to isolate the LAN port
Figure 2-23: Obtain initial accessAlternative strategies
You can choose two less commonly used, but valid, strategies for obtaining initial
access to the MSM Controller.
Network connection to an IP address assigned to the controller through DHCP

In some cases, you might want to connect the controller to the network and
immediately begin to manage it through a network connection. You might use this
option when you are planning to manage the controller on its Internet port network
and when the controller can obtain its management IP address through DHCP.
Note
The MSM775 zl does not support this initial setup strategy because its Internet
port network is not enabled for DHCP by default.
1.
If the controller will always use DHCP to obtain the IP address on which you
manage it, it is recommended that the DHCP server administrator reserves a
fixed DHCP address for it. The DHCP server administrator must use the
controllers MAC address to reserve the address.
2.
Make a port on the controllers upstream switch an untagged member of the

selected management VLAN.
This VLAN must allow the controller to obtain a DHCP address. In other words, if
a DHCP server is not directly connected to this VLAN, the VLANs default
gateway must implement DHCP relay to the server.
3.
Rev. 14.21
Install the controller in its final location. Connect the MSM760 Internet port to
the prepared switch port. Or connect the MSM720s port 5 or 6 to the switch
port.
237
4.
Find the controllers DHCP address. If the DHCP administrator reserved a fixed
IP address for the controller, as recommended, you should already know the
address.
5.
On a management station that can reach the management VLAN, open a Web
browser and navigate to the controllers IP address.
You can then complete the rest of the process detailed in the following slides,
skipping the step on connecting the controller to the network.
Network connection to the controllers default IP address

You can also connect to the MSM Controller at its default IP address through a
network connection.
Note
The MSM775 zl does not support this initial setup strategy because it does not
have a default IP address.
You might use this option when the controller needs to be installed first, and you must
then complete its initial configuration without having physical access to it. Because
this option introduces more possibilities for misconfiguration, it is recommended that
you avoid it when possible, instead pre-configuring the controller through a direct
connection as described earlier. However, if you keep in mind what you have
learned about the controllers behavior and take care to keep the controllers DHCP
services disabled during the initial setup, you can follow these steps:
1.
Connect the controller LAN port and your management station to ports that are
untagged for the same VLAN.
If possible, you could to take extra care to isolate the controller during the initial
setup by creating a new VLAN for these connections.
2.
Configure the management station with these IP settings on its Ethernet NIC:
IP address = 192.168.1.2 (you can actually use any address between

192.168.1.2 and 192.168.1.254)
Subnet mask = 255.255.255.0
Default gateway = 192.168.1.1
Also make sure that the management station does not have any other Ethernet or
wireless NICs that are enabled and connected.
238
3.
On the management station, open a Web browser and navigate to 192.168.1.1.
4.
Accept the certificate error and login with the default credentials:
Username = admin
Password = admin
Rev. 14.21
Configuring
IP and IPother
initial
Configuring
and other
initialsettings
settings
Specify IP settings for the controller management interface.
Create a default route.
For a non-default IP interface, create a route rather than specify the interface gateway.
Set a DNS server and time server.

Figure 2-24: Configuring IP and other initial settings
You are now ready to configure the controllers IP address on the selected IP
interface. You must also configure a default route through this interface.
Other guidelines include making sure that the appropriate management protocols
are enabled on the interface. For now, you are mainly concerned with the Web
browser interface (management tool), but later you will learn how to enable
protocols like SOAP. You should also set the controllers DNS server and simple
network time protocol (SNTP) server. (The MSM775 zl, however, receives its clock
from the HP zl switch.)
25
Rev. 12.31
The sections below provide detailed guidelines for configuring the IP settings and
default route.
Configuring IP settings on MSM760 or MSM775 zl Controllers

As you learned, valid options for an MSM760s or MSM775 zls management
interface include:
The (untagged) Internet port interfaceYou must configure the proper IP settings
on the Internet port interface. You can set the address statically, or you can
configure DHCP settings. When you use this option, you do not specify the
VLAN ID anywhere on the controller. The connected switch ports untagged
VLAN assignment determines the ID.
With this option, you can use the Configure initial controller settings workflow to
establish the IP settings. This workflow lets you configure several settings and
does not apply them until the end of the workflow, preventing issues with losing
access to the interface as you change the IP settings.
An IP interface associated with a tagged VLANIf you decided to create a new

IP interface on which to manage the controller, complete these tasks (the Web
browser window from which you complete each task is provided for your
reference; labs will provide detailed steps):
a.
Rev. 14.21
Create a network profile with the proper VLAN ID (Controller >> Network >
Network profile window).
239
b.
Map the profile to either the Internet port or the LAN port. (Controller >>
Network > VLANs window).
Some administrators prefer to use only the Internet port to make it easier to
follow the guideline about isolating the (untagged) LAN port interface,
unless specifically required. However, you can certainly assign the VLAN to
the LAN port; simply make sure that the connected switch port carries
tagged traffic.
c.
Create an IP interface associated with the new network profile. Configure

the proper IP settings in the same manner as you would configure them on
the Internet port interface. (Controller >> Network > IP interfaces window).
However, do not configure the default gateway here.
d.
You must enable management on the VLAN interface manually. In the

Controller >> Management > Management tool window, select the new
VLAN under Active interfaces. Leave the other interfaces active for now to
prevent yourself from losing your connection.
MSM720
Valid options for an MSM720s management interface include:
The Internet networkYou can use the default Internet network profile to
manage the controller. This option is generally recommended since it requires
less setup. In addition, you can use the initial configuration wizard to configure
the IP settings at the same time as other initial settings.
Either during the wizard or on your own, you must complete these tasks:
a.
Edit the Internet network profile to use the proper VLAN ID.
b.
Configure the proper IP settings on the Internet network interface. Again,

you can set the address statically, or you can configure DHCP settings.
c.
Adjust the ports to which the Internet network profile is applied as necessary
to meet the requirements of the network infrastructure. You can apply the
profile as tagged or untagged.
Caution
Avoid changing the untagged VLAN assignment for the port on which you are
reaching the controller. Otherwise, you will lose access to the Web browser
interface. You can adjust this ports VLANs after you finish the initial setup and
confirm access on the other interface.
A new network profileIf you have different plans for the default Internet
network profile, you can create a new profile. Follow these steps:
a.
240
Create a network profile with the proper VLAN ID (Controller >> Network >
Network profiles window).
Rev. 14.21
b.
Map the profile to the appropriate ports (Controller >> Network > VLANs
window).
Caution
Again, avoid changing the untagged assignment for your current port.
c.
Create an IP interface associated with the new network profile and

configure the proper IP settings on it (Controller >> Network > IP interfaces
window).
Create a default route

When the controllers Internet port network (or Internet network) receives a DHCP
address, it usually receives a default gateway address as well. When, on the other
hand, you assign the management interface a static IP address, you usually need to
create a default route through this interface. At the least, you need to ensure that the
controller knows a route through the interface to any network on which a
management station might contact it.
If you use the automated workflow to configure IP settings on the (untagged) Internet
port (or Internet network) interface, you create a default route when you configure the
gateway for that interface.
Otherwise, you must create the route manually in the Controller >> Network > IP
routes window.
Note that you must also configure the route manually even when you configure DHCP
on a non-default IP interface. This requirement derives from the fact that these
interfaces apply the default gateway address that they receive from the DHCP server
only to traffic that passes through the Access Controller engine on the associated IP
interface. You must create a global IP route to enable the controller to route its own
traffic back to a management station on a different subnet.
CLI commands for configuring IP settings

If you are configuring an MSM775 zl controller, you must configure its IP settings in
the CLI. If so, follow these steps:
1.
You should be in the global configuration mode context of the controller CLI:
2.
Set the IP address.
If you will manage the controller on its Internet port network:
ip interface wan
ip address mode [static | dhcp]
ip address <IP address/prefix length>
Enter this command only if you chose static for the mode.
end
Rev. 14.21
241
If you will manage the controller on a VLAN that is tagged on either the
LAN or Internet port:
network-profile <name>
You can use any name that you want.
vlan
vlan <ID>
end
interface ethernet [port-1 | port-2]
Use port-1 to map the VLAN to the LAN port; use port-2 to map the VLAN
to the Internet port.
interface vlan <name>
ip address mode [static | dhcp]
ip address <IP address/prefix length>
Enter this command only if you chose static for the mode.
end
end
3.
Allow management on the VLAN interface. (Management is allowed on the

Internet port network by default.)
web access interface vlan <name>
4.
Configure a default route to the default router for this VLAN.

ip route gateway 0.0.0.0/0 <router IP address>
You do not need to complete this step if the controller receives a DHCP address
on its Internet port network. However, you do if the controller has a static IP
address or if it receives a DHCP address on a VLAN.
242
Rev. 14.21
Temporarily
disabling
the the
default
(optional)
Temporarily
disabling
default VSC
VSC (optional)
Prevent the controller and APs from
supporting the default VSC until
you are ready:
Disable access control.
Disable virtual AP.
Figure 2-25: Temporarily disabling the default VSC (optional)

26
Rev. 12.31
If you deploy the MSM Controller and APs before configuring the companys VSCs,
you should be aware that the controller supports the default VSC by default. Either
configure the controller, its VSCs, and the network infrastructure with the desired
settings before deploying the MSM solution or disable the VSC until you are ready
for it. This will help to prevent misconfigurations, in which the controller begins
implementing access control on the wrong VLAN, as well as to prevent discovered
APs from advertising the SSID prematurely.
To disable the default VSC from the controllers Web browser interface, follow these
guidelines:
1.
Edit the VSC.

Expand Controller > VSCs in the Web browser interfaces left navigation tree.
Click HP.
2.
Disable centralized access control.

Clear the Use controller for access control check box.
3.
Disable the SSID.

Clear the Virtual AP check box.
The default VSC is bound to the Default Group by default, which means that APs
might begin to support it as they become controlled. By disabling the VSC, you
prevent the controlled APs from supporting the VSC despite the binding.
4.
Rev. 14.21
Save the settings.
243
Connecting the MSM Controller in its final location
Figure 2-26: Connecting the MSM Controller in its final location
You can now install the MSM Controller, following the instructions in its Installation
and Getting Started Guide, and connect it to the network. At this point, the controller
only requires a connection on one interface.
Ready the network infrastructure

Select a switch port to which to connect the MSM Controller. Generally, select a port
on a core routing switch. An MSM 775 zl should already be installed in this switch,
and the switch port is always <slot>1 for the Internet port connection or <slot>2 for
the LAN port connection.
You might have configured an MSM760 or MSM775 zls management IP

address on its Internet port network. Set the switch ports untagged VLAN to the
correct ID for this IP address subnet.
Similarly, you might have configured the MSM720s IP address on its Internet
profile and left that profile as untagged on one of the MSM720 ports.
Alternatively, you might have configured the address on a new IP interface
associated with an untagged VLAN on an MSM port. In either case, set the
switch ports untagged VLAN to match.
You might have configured the management IP address on an IP interface
mapped to the LAN port (or Internet port) on an MSM760 or MSM775 zl.
Similarly, you might have assigned the VLAN associated with the IP interface as
a tagged VLAN on an MSM720 port.
In either case, configure the switch port to carry tagged traffic with the correct
VLAN ID. Prevent the port from carrying untagged traffic.
244
Rev. 14.21
For example, you have configured a network profile with VLAN ID 20 and
mapped it to an MSM760s LAN port. You plan to connect this port to interface
A1 on an HP switch that runs ProVision software. Assuming that this port is
currently an untagged member of VLAN 1, enter these commands in the switch
CLI:
Switch(config)# vlan 20 tagged a1
Switch(config)# no vlan 1 untagged a1
To connect the controller LAN port to interface GigabitEthernet 1/0/1 on an HP

switch that runs Comware software, enter these commands (assume that, in this
case, the port is currently an access port in VLAN 1):
[Switch] interface GigabitEthernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 20
[Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
Connect the controller

An MSM775 zl Premium Mobility Controller, of course, is already connected. For
other controller models, the time has come to install the controller in its final location
and connect to the network. Take care to connect the correct port. That is, if you are
using the Internet port network to manage the controller, make sure to connect the
Internet port rather than the LAN port.
Verify the connection

Ping the MSM Controllers management IP address from your management station
and confirm connectivity.
Activity
Examine the scenarios described below and also illustrated in the figure on the
previous page. Make a plan:
How should you configure VLANs on the connecting switch port?
Which controller port or ports should you connect to the switch?
Scenario 1
You have configured an MSM720 with IP address 10.1.1.2/24 on its Internet network,
which is mapped to the default ports, 5 and 6, as an untagged VLAN. You changed
the VLAN ID for this network to 11. You also created a default route to 10.1.1.1.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
245
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Scenario 2
On an MSM775 zl, you have created a new network profile named Management
and set the VLAN ID to 11. You mapped this profile to the controllers LAN port and
created an IP interface with IP address 10.1.1.2/24 for it. You also created a default
route to 10.1.1.1.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Scenario 3
You have configured an MSM760 with IP address 10.1.1.2/24 on its (untagged)
Internet port interface. You also created a default route to 10.1.1.1. The subnet
10.1.1.0/24 corresponds to VLAN 11.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
246
Rev. 14.21
Restricting management
to thetocorrect
Restricting management
the correctinterface
interface
Access the controller on the IP address configured to manage it.
Disable management on other interfaces.
Figure 2-27: Restricting management to the correct interface
You can now access the MSM Controllers Web browser interface at the controllers
final management IP address. Reconnect your management station to the network,
remembering to return its IP settings to ones that are valid on the network (generally,
receiving a DHCP address). Browse to the MSM Controllers management IP address
and confirm that
you can reach the Web browser interface and successfully log in.
Rev. 12.31
28
Once you have confirmed management access, you can restrict management access
on other interfacesand generally should, for the sake of security. In the Web
browser interface, navigate to Controller >> Management > Management tool.
Clear the check box for LAN port or for Access network and for any other interface
that you have not selected for management.
Rev. 14.21
247
Lab ActivityLab2.1
Activity 2.1
Deploy the MSM controller and complete initial configuration.
Figure 2-28: Lab Activity 2.1

29
Rev. 12.31
You will now practice obtaining initial access to an MSM760 Premium Mobility
Controller, establishing the controllers management IP settings, and connecting the
controller to the network.
Consult your Lab Activity Guide for instructions for performing this activity.
248
Rev. 14.21
Lab Activity 2.1 debrief

Use the space below to record your Key Insights and Challenges from Lab
Activity 2.1.
Table 2-3: Debrief for Lab Activity 2.1

Challenges
Key Insights
Use the space below to record your thoughts about various deployment strategies
that you explored during Lab Activity 2.1.
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
249
topics topics
HP MSM Controller ports and networks
Initial setup
AP deployment
31
Planning the AP deployment

AP deployment solutions
Solution 1: Deploying APs in a dedicated VLAN
Using DHCP to assign IP addresses to APs
Solution 2: Deploying APs in an existing VLAN
Layer 2 AP discovery
AP management
Lab Activity 2.2
Solution 3: Deploying APs across Layer 3 boundaries
Assigning IP addresses to MSM APs in multiple subnets
Layer 3 AP discovery: DHCP, DNS, static, and provisioning APs
Lab Activity 2.3
Review: Planning an MSM Controller and AP deployment
Next, you will explore strategies for deploying MSM APs and having them become
discovered and controlled by an MSM Controller.
250
Rev. 14.21
Planning the
AP deployment
Planning
the AP deployment
To which VLANs and subnets will APs connect?
How will you assign IP addresses to the MSM APs?
Can you configure the APs VLANs on the controller, or do you need to set
up Layer 3 discovery?
Should the controller accept all MSM APs that discover it, or do you want
to enforce authentication?
Figure 2-30: Planning the AP deployment
You must consider several questions as you plan the AP deployment. Considerations
include the VLAN and subnet to which the APs connect, as well as how the APs
receive IP addresses in those subnets. In some cases, APs can discover the controller
automatically, and, in others, you need to set up a mechanism for delivering the
controllers IP address to the APs.
You will now consider several solutions that provide valid answers to these questions.
32
Rev. 14.21
Rev. 12.31
251
AP deployment solutions
Solution 1Dedicated AP VLAN
(Layer 2 discovery)
Solution 2All APs and controller

managed on the same VLAN
Solution 3
Dedicated
AP VLANs
(Layer 3
discovery)
33
Rev. 12.31
Figure 2-31: AP deployment solutions
You will now examine several ways to deploy MSM APs.

Generally, you should deploy APs on their own subnet, different from the one on
which the controller is managed. This topology is preferred in many environments
because the APs might be physically insecure, allowing someone to connect their
own device to the port.
Because Layer 2 discovery is simpler to implement, you will consider Solution 1 first.
In this solution, the APs VLAN exists where the controller is deployed, so you can
easily add it as an IP interface. By leaving management disabled on that interface,
access to the Web browser interface remains secure.
Solution 2 is an even simpler Layer 2 discovery design, in which all APs and the
controller reside on the same VLAN.
Solution 3 offers a perhaps more common way for meeting the goals of Solution 1.
You configure the APs in their own dedicated VLAN to contact the MSM Controller
on its IP address in another VLAN. With this solution, you can deploy APs in several
subnets at several sites.
Of course, you can combine solutions. For example, you could have some APs
discover the controller at Layer 2 and others at Layer 3.
You will now look at each solution in more detail.
252
Rev. 14.21
Solution 1: Deploying
APs in a dedicated VLAN
Solution 1Deploying APs in a dedicated VLAN
1
Dedicated AP VLAN
Recommended
to separate
controlled AP
communications
from network
traffic
34
Rev. 12.31
Figure 2-32: Solution 1: Deploying APs in a dedicated VLAN
When possible, you should create a VLAN that is dedicated to the MSM APs. This
strategy helps you to match particular IP addresses to a controlled MSM APs. It also
allows you to isolate the MSM APs management traffic from other network traffic.
The figure illustrates an example network in which VLAN 10 has been added for the
APs. The VLAN is assigned to APs ports as an untagged VLAN. (APs also support
tagged VLANs, but for now you are examining the simplest deployment.) The
network administrator extends the new VLAN to the core and also sets up the
associated IP subnet on the core switch.
At this point, the figure only illustrates the topology changes required to deploy the
APs. The controller should also support the new VLAN so that APs can discover the
controller at Layer 2, the simpler option and one supported in this environment.
However, the manner in which you add that VLAN to the controller depends on how
the APs will receive their IP addresses.
Note
For reasons such as this, it is best to plan the AP deployment before configuring
the controllers IP settings and deploying it. In this module, you have focused on
the task of deploying the controller and deploying APs separately. However, in
the end, you must consider both tasks together.
Rev. 14.21
253

Typically, use a
network DHCP
server.
A routing switch or
router is the APs
default gateway
and DHCP relay.
The controller can

support the AP
VLAN on any IP
interface.
35
Rev. 12.31
Figure 2-33: Using DHCP to assign IP addresses to APs
DHCP usually provides the most convenient mechanism for assigning IP addresses to
MSM APs, particularly when you have many APs to deploy. Either a network DHCP
server or the MSM Controller itself can assign the addresses. However, the network
DHCP server is the typical choice.
Preferred option: Network DHCP server

Often, companies want to centralize the assignment of network IP addresses and
already own a network DHCP server or servers that provide these assignments. In this
case, the DHCP server administrator should create a new scope (or pool) with IP
settings for the APs. This scope must include enough IP addresses for the APs but
avoid allocating the IP addresses assigned to the default gateway.
The network administrator should also implement DHCP relay on the routing switch
that acts as the default gateway for the new VLAN.
As mentioned earlier, although the controller is not providing DHCP services, you
should make sure that it supports the APs VLAN so that APs can discover it at Layer
2. In this example, the MSM760 is managed on VLAN 11, the VLAN for wired
infrastructure devices. The controllers IP address on this subnet is assigned to its
Internet port IP interface. However, the controller will manage the APs on VLAN 10.
You can add VLAN 10 as a tagged VLAN on either controller port; here, you see it
added to the Internet port. You must also remember to create an IP interface for the
network.
254
Rev. 14.21
Controller DHCP server

Although not the typical recommendation, you can use the controllers DHCP server
to assign IP addresses to APs. You might use the controllers DHCP server in
environments such as these:
The company receives DHCP addresses from a device outside of its control (such
as an ISP router).
The company has a complicated or time-consuming procedure for adding new
scopes to the DHCP server.
In this case, you must configure the controllers LAN port with an IP address in the
subnet reserved for the APs, and APs must reside in a single subnet. The controller
LAN port must connect to a switch port that has an untagged VLAN assignment in
the APs VLAN. For an MSM720, you configure the IP address on the Access
network. You can assign this profile to one or more controller ports as tagged or
untagged, matching the VLAN assignments on the connected switch ports.
Remember to isolate the controller LAN port (or Access network) and the APs from
the rest of the network. In other words, do not add other endpoints and servers to the
VLAN.
Note
Later, if the company requires an access-controlled VSC, you should remember to
set up the solution so that the controller assigns guests IP addresses in a different
subnet. Otherwise, guests might use up the APs addresses.
Figure 2-34: Using DHCP to assign IP addresses to APs (controller DHCP)
Rev. 14.21
255
2Deploying
APsan
in an
existing VLAN
Solution 2:Solution
Deploying
APs in
existing
VLAN
2
Existing VLAN
Less recommended
but allows quick
AP deployment
when a DHCP
scope already
exists for the VLAN
36
Rev. 12.31
Figure 2-35: Solution 2: Deploying APs in an existing VLAN
Some companies do not want you to change the network infrastructure by adding a
new VLAN for the APs. In this case, you must determine which VLAN or VLANs can
handle the AP and controller communications most securely. For example, you might
use the same subnet on which other network infrastructure devices have their IP
addresses, as illustrated in the figure. You must then verify that the selected VLAN is
available on the edge switches to which APs connect and configure the AP ports
appropriately.
Similarly, you should assign the VLAN to the switch port connected to the MSM
Controller porttypically, the Internet port, as you learned earlier.
If the network DHCP server already has a scope for this VLAN, it can use the existing
scope to assign APs their IP addresses. Do not enable the controller DHCP server on
a VLAN that already has DHCP services.
If the VLAN is not DHCP enabled, use one of the strategies outlined on the previous
slide to provide APs with their addresses. If at all possible, the network DHCP server
administrator should add a scope.
Note
Although you could enable DHCP services on the controller untagged LAN port
or Access network interface, this method is not generally recommended. It is
better to isolate this port and use it for access-controlled guests. For example, if
the company later decides to add network DHCP services to this VLAN without
informing you, conflicts could arise.
In a variation on this strategy, you could deploy the APs on a new subnet reserved
for them, following the guidelines outlined for Solution 1. However, you configure the
MSM Controllers management IP address on the same subnet.
256
Rev. 14.21
Layer 2 AP
discovery
Layer
2 AP discovery
Make sure step 2 succeeds by enabling discovery on the correct interface.
37
Rev. 12.31
Figure 2-36: Layer 2 AP discovery
You now have at your disposal several strategies for deploying APs and ensuring that
they receive IP addresses. You can now turn to the process by which the AP discovers
the MSM Controller and the controller begins to manage the AP. In the deployments
that you have examined, this process occurs automatically with just one setting that
you might need to configure.
An MSM AP, assuming that it is operating at factory default settings, boots in
controlled mode. The AP first attempts to obtain an IP address using DHCP, which,
assuming that you configured the solution according to the guidelines, it obtains.
After obtaining the IP settings, the AP begins the Layer 2 discovery process:
1.
AP transmits a discovery requestThe AP broadcasts discovery requests, which

are UDP messages with the source and destination port set to 38212.
2.
Controller verifies discovery is enabled on the interface and process the

requestThe controller has an IP interface on the same VLAN, so it receives the
discovery broadcasts. Whether the controller can process the message depends
on whether AP discovery is enabled on the receiving interfacethe setting that
you might need to configure to support Layer 2 discovery.
For MSM760s and MSM775 zls, discovery is enabled by default on the LAN
interface, enabling the controller to process discovery messages received on the
untagged LAN port interface or any IP interface mapped to the LAN port. You
can also enable discovery on the Internet interface, which enables discovery on
the untagged Internet port interface or any IP interface mapped to the Internet
port.
Rev. 14.21
257
Because you often connect only the Internet port, enabling discovery on the
Internet interface is an important step.
On the MSM720, discovery is enabled by default on the Access network. You
can enable discovery on other network profiles associated with IP interfaces.
Once the controller has processed the discovery request, it sets the APs status to
Pending; the AP is discovered but not yet controlled. The controller also adds
the AP to its list of Discovered APs if this is the first time that it has detected the
AP.
3.
Controller accepts the discovery requestThe controller directs its response to

the APs IP address on UDP port 38212, indicating that it has accepted the APs
request to be controlled. It changes the APs status to Waiting for acceptance.
Later you will learn how to control whether the controller responds to the APs
discovery request or not. For now, assume that the controller responds to all
processed requests, which is the default behavior.
258
4.
AP requests to join the controllerThe AP sends a unicast message to the

controller, indicating that it has selected it as its controller. (Later, you will
examine how an AP chooses between multiple controllers.)
5.
Controller processes the request and adds the AP to a groupThe controller

processes the request and assumes control of the AP. The controller places new
APs in the Default Group. If the controller already knew about the AP, it would
add the AP to the controlled AP group to which it was previously assigned.
6.
Controller checks the APs softwareThe controller changes the APs status to
Verifying capabilities and sends a request for the APs software version.
7.
Controller updates the APs softwareThis step only occurs if the AP responds
with a different version from the controllers.
a.
The controller changes the APs status to Updating software and informs
the AP that it must update its software.
b.
The AP downloads the software from the controller, installs the software,
and reboots.
c.
The AP discovers the controller again (steps 2 through 6).
8.
AP and controller establish a management tunnelThe AP sends a TCP

message on port 1194 to initiate the tunnel. The controller changes the APs
status to Initiating management tunnel and sends a response. The devices
exchange a few more messages, which are not indicated in the figure, and the
tunnel establishes.
9.
Controller updates the APs configurationThe controller changes the AP status

to Updating configuration and applies the APs configuration to it. The
messages pass over the management tunnel; however, as the figure illustrates,
the configuration updates use UDP. (The figure illustrates just one packet from the
controller and one from the AP. In reality, many packets are exchanged.)
Rev. 14.21
At the end of the process, the APs status is synchronized.

The tables on the next page provide more information about APs status and about
monitoring this process.
Table 2-4: AP statuses

AP status in the Summary
section of the controller interface
Synchronized
Description
Synchronized APs are controlled, have been configured,
and their configuration is up-to-date. A synchronized AP is
always detected and configured.
A detected AP has contacted the controller with a discovery
message and the controller can reach it. However, the AP
and controller might or might not have established a
management tunnel, and the AP might or might not have
been configured by the controller.
The controller stores a configuration for Configured APs.
However, the AP might or might not be currently detected
and synchronized with that configuration.
Detected
Configured
Table 2-5: AP LEDs

AP LED behavior
Description
Power light blinks every

two seconds.
Power and Radio lights
blink slowly.
The AP is starting up.
Power and Ethernet

lights blink slowly.
The AP is attempting to
establish wired connectivity.
Power light blinks once

per second.
Power, Ethernet, and
Radio lights blink in
sequence from left to
right.
Rev. 14.21
The AP is attempting to
establish a local mesh link
to a master node.
The AP is looking for an IP

address or building a list of
VLANs on which to perform
discovery.
The AP has obtained an IP

address and is attempting
to discover a controller.
Step in the
discovery process
Pre-discovery (initial
connection process)
Pre-discovery
(initial connection
process)
Or post-discovery
mesh establishment
connection process)
Diagnostic in the
Controller Web
browser interface
Not shown
Not shown
Or synchronized
Not shown
connection process)
Not shown
Step 1 and, if the

request arrives,
Step 2
If the request arrives,

Waiting for
acceptance
259
AP LED behavior
Power light is on.

Ethernet and Radio
lights blink alternately.
Power and Ethernet

lights blink alternately
and quickly. Radio
lights are off.
260
Description
The AP has found a
controller and is
attempting to establish a
secure management tunnel
with it.
The AP has received a
discovery reply from two
or more controllers with
the same priority setting. It
is unable to connect with
either controller until the
conflict is resolved
Step in the
discovery process
Diagnostic in the
Controller Web
browser interface
Step 3
Establishing tunnel
Step 2
Waiting for
acceptance
Rev. 14.21
AP management
AP management
The controller stores a configuration for each AP.
The configuration includes group- and AP-level settings.

Synchronize the AP to apply configuration changes.
38
Rev. 12.31
Figure 2-37: AP management
Here you see in more detail how the MSM Controller constructs the configuration that
it applies to a controlled AP. Some of the more advanced AP deployment options,
which are covered in the next section, require you to configure settings on the APs. A
basic understanding of how the controller manages AP configurations will help.
AP configuration settings
The MSM Controller stores a configuration for each controlled AP, tracking the AP by
MAC address. The APs configuration includes three basic types of settings:
Rev. 14.21
AP settings such as radio settings and settings for other AP features:
Country code (Module 3 discusses this setting)
Radio settings (Module 3 discusses these settings)
802.1X settings and RADIUS profiles (Module 4 discusses security options)
Settings that determine how the AP behaves if it cannot reach the controller
VLANs for MSM317 switch ports
STP settings for APs, such as MSM317s, with more than one Ethernet port
Multicast settings (IGMP snooping helps the APs forward multicasts more
efficiently and is enabled by default)
Sensor settings (some APs can act as sensors and work with HP RF
Manager, a wireless Intrusion Detection System/Intrusion Prevention System
[IDS/IPS]; sensors are covered at the MASE-level)
Local network settings (these settings are used for Mobility Traffic Manager
[MTM], which is covered at the MASE-level)
261
Provisioning settings, which help the APs to connect to the network and become
controlled
Often APs do not require provisioning settings because the default plug-and-play
deployment works for themas you have seen in the two deployment solutions
outlined in this section. Sometimes, however, the environment demands
provisioning, as you will see in the next section.
Note also, that you must specifically enable the controller to replace APs
provisioning settings.
AP-relevant VSC settings

Some settings in a VSC affect the APs configuration. For example, the VSC
includes the SSID for the WLAN, the setting for 802.11n beam forming, the
supported data rates on the radio, the configuration for security filters enforced
by the AP, and so forth. The controller communicates these settings to the AP in
the APs configuration.
AP configuration levels
The figure illustrates how the controller obtains the settings for each component of the
AP configuration. You can configure the AP and provisioning settings at three levels:
Controlled APs
This level always applies to all controlled APs.
AP group
You create the groups; initially, the only group is Default Group. Each AP
belongs to one and only one group. When unknown APs are first discovered,
they belong to the Default Group.
AP
You can configure individual settings for controlled APs as required.
All default settings are configured at the Controlled APs level and inherited at the
group and individual AP levels. That is, if you change a setting at the Controlled APs
level, it extends down the hierarchy to each group and AP.
To configure a setting at the group level, you break the inheritance (as you will see in
the lab, you simply clear a check box labeled Inherited). You can then change any
of the settings for which you broke the inheritance. Similarly, you can break the
inheritance between the group and AP settings.
The settings at the lower level always take precedence.
262
Rev. 14.21
The figure illustrates these rules in a simplified manner. It shows three parameters, A,
B, and C. These parameters represent radio settings, local mesh profiles, and a
country code. You can configure more settings than those; they were simply selected
as examples. These parameters have particular settings at the Controlled APs level,
which are represented as A1, B1, and C1. For example, Radio 1 for MSM460s radios
might be set to transmit power 16, all local mesh profiles might be set to disabled,
and the country code might be United States.
An APs groupthe Default Group would be the group that you configure to affect
APs when they first become controlledinherits the settings. However, the group
breaks the inheritance for the radio settings and applies a new setting, A2. For
example, the group might specify that the MSM460 Radio 1 uses transmit power 18
and channel 36.
An AP within the group inherits the AP group settings, but breaks inheritance for
another setting of settingsfor example, the administrator configures and enables
one of the local mesh profiles. The APs final configuration includes the radio settings
configured at the AP group level, the local mesh profiles configured at the individual
AP level, and the country code configured at the Controlled APs level. The controller
applies those settings when it updates the APs configuration.
The AP-relevant VSC settings always derive from the global VSC profiles. Only VSCs
bound to the AP affect the APs configuration, and the VSC binding also specifies
which AP radios support the VSC. VSC bindings differ from other AP settings in that
you must bind VSCs at the group level.
AP configuration synchronization
The controller updates the AP configuration when:
The AP is discovered, including after it is rediscovered after it reboots or after an

administrator chooses to remove and rediscover it
An administrator synchronizes the AP
As you make changes in the controller interface, APs continue to implement their
current configuration without interruption. However, the controller tracks configuration
changes that affect each AP. When an AP is not implementing the most current
configuration, the APs status becomes unsynchronized. This simply means that the
AP is implementing a previous configuration. You can finish configuring a complete
feature and, only when you are ready, synchronize the AP and let it begin
implementing the new feature.
It is very important to remember to resynchronize APs whenever you want to apply
your configuration changes. As you will observe, the controller Web browser
interface helps you to remember by pointing out unsynchronized APs in several ways.
You will practice synchronizing APs in the lab.
Rev. 14.21
263
Lab ActivityLab2.2
Activity 2.2
Deploy, discover, and begin to manage the MSM APs.

39
Rev. 12.31
You will now practice deploying MSM APs that discover the controller at Layer 2. You
will also set up AP groups for your APs and assign discovered APs to them.
Consult your Lab Activity Guide for instructions for this activity.
264
Rev. 14.21

Use the space below to record your answers to questions in Lab Activity 2.2.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
265
Solution 3: Deploying APs across Layer 3

boundariesSolution 3Deploying APs across Layer 3 boundaries
3
APs across Layer 3 boundaries

Allows you to
deploy APs across
routed segments but
requires Layer 3
discovery
Can use Layer 3 for
all APs or for some
41
Figure 2-39: Solution 3: Deploying APs across Layer 3 boundaries
Rev. 12.31
In the network environments that you have examined so far, you can extend a single
VLAN for the APs throughout the site. In other environments, you need to deploy APs
across Layer 3 boundaries. For example, you might deploy an MSM Controller at the
network core and APs at several branch offices. In this case, you would need to
create a different VLAN and subnet for the APs in each segment.
Note
Just as with Layer 2 discovery solutions, you can deploy the APs in an existing
VLAN instead of a new VLANalthough a VLAN reserved for the APs is
recommended. This choice affects the changes required in the network
infrastructure but does not affect the Layer 3 discovery solution.
266
Rev. 14.21
Assigning IP addresses to MSM APs in multiple

IP addresses to MSM APs in multiple
subnets Assigning
subnets
3A
Recommended: Network DHCP

server
Most flexible and efficient option but

setup required on the DHCP server
42
3B Static assignments
Gives you complete control over APs IP

addresses but requires pre-provisioning
and introduces room for error
Figure 2-40: Assigning IP addresses to MSM APs in multiple subnets
Rev. 12.31
Network DHCP server

It is usually simplest to assign APs their IP addresses through DHCP. A centralized
network DHCP server could assign IP addresses to APs in several subnets, provided,
of course, that DHCP relay is implemented in the network infrastructure. Alternatively,
the company might have DHCP servers deployed in various network segments. For
example, an HP 5400 zl or 8200 zl Series switch at a branch might host an HP
Advanced Services zl Module with Microsoft Windows Server 2008 R2
Standard, which can provide DHCP and other services. Some HP switches also
provide built-in DHCP services.
Whether the company uses a centralized or distributed DHCP server scheme,
assigning DHCP addresses to the APs will speed the deployment. It will also allow
you to use DHCP for Layer 3 discovery, as you will see.
Note that you cannot use the controllers DHCP server for this solution. The
controllers DHCP server is tied to the LAN port network or, for MSM720s, the
Access network. Therefore, the controller can only assign DHCP addresses to APs on
one VLAN. In this solution, however, APs connect on multiple VLANs, some of which
are not available on the controller in any case.
Static assignment
You can assign APs their IP addresses statically. This approach provides a way for
APs to obtain IP addresses when a network DHCP server cannot provide them nor
can the MSM Controllerbecause the APs connect on multiple VLANs not supported
on the controller.
Rev. 14.21
267
Use controller-based preprovisioning to assign static IP addresses to controlled MSM

APs most quickly. Essentially, you have the APs discover the controller at Layer 2
before you install the APs in their final locations. You then provision the APs with their
static IP addresses. You might need to preprovision APs with several other settings;
you will examine the complete process for preprovisioning APs later in the module.
This option is generally less recommended than using a network DHCP server. It
takes time to configure the static IP addresses and human error can be introduced. In
addition, updating IP addresses becomes difficult. Also remember that you cannot
contact controlled APs directed after they establish a management tunnel with a
controller. Therefore, you must be careful to configure the correct settings on APs
through the controller. If an error causes the AP to lose contact with the controller,
you must reset it manually and then reprovision it.
Note
Although not discussed for earlier AP deployment solutions, you can use static IP
address assignment for any solution. This approach gives you complete control
over the APs IP settings; however, it does involve more initial setup and can
introduce room for error.
268
Rev. 14.21
Solution 3 requires Layer 3 discovery:
Delivers the controllers IP address to the AP:
Choose an IP address that the AP can reach
Make sure discovery is enabled on the interface
Requires initial setup on APs, network services, or both

Requires you to double-check routes
Three methods:
DHCP
DNS
Static pre-provisioning
Figure 2-41: Layer 3 AP discovery
When you deploy APs across Layer 3 boundaries, you cannot configure an IP
interface on the MSM Controller for each APs VLAN. Thus the controller cannot
receive and respond to at least some of the APs discovery broadcasts. In these
Rev. 12.31
43
cases, you must set
up
one of three forms of Layer 3 discovery:
DHCP
DNS
Static (preprovisioning)
Some Layer 3 discovery solutions require configuration of network services, others

require preprovisioning of APs, and others might require both. All methods deliver a
controller IP address to the AP, which the AP can then contact with a unicast
discovery message on UDP port 38212.
All discovery methods also require that the AP has received its IP settings, as
described earlier:
An IP address and subnet mask
Its default router IP address
A DNS server address (recommended but only required for DNS discovery)
Note
All three methods allow APs to learn the IP addresses for multiple controllers, as
you will learn. However, this section focuses on using these methods with a single
controller. You will look at strategies for enabling APs to discover more than one
controller in Module 7: Teaming.
The APs default router must be able to reach the controller IP address that you
specify in the discovery settings. The controller must also support discovery on the
interface.
Rev. 14.21
269
Note
Remember that traffic directed to an MSM Controller IP address must arrive on
the interface associated with that address. The controller will not receive a packet
on one interface and route it to its own address on another interface.
Similarly, the MSM Controller requires a route back to the APsor its default router
must be able to reach the APs subnet. If the APs can reach the controller, but the
controller cannot reach the APs, you will see the APs appear and disappear in the
Web browser interface. You should verify connectivity by pinging the APs or their
default gateway.
APs could actually discover the controller on one IP address and the controller route
traffic back to them on another interface. However, this is not a recommended set up.
For example, if discovery were enabled on one interface but not the other, the
controller and AP would not be able to establish a management tunnel. If the
controller has more than one IP address, configure the APs to discover the controller
on the interface on which the controller reaches the APs.
Order of discovery methods

When you set up a Layer 3 discovery method, the AP actually implements it before it
attempts Layer 2 discovery. The AP uses methods in this order:
StaticIf the AP has been statically provisioned with a controller IP address, it

sends a unicast discovery message to that address as soon as it has an IP
address.
Similarly, if the AP used to be controlled, it sends a unicast request to that
controller.
An AP continues to use a statically provisioned discovery setting until success (or
until it is reset to default settings). However, if this setting has not been
configured, the AP moves on to the next method.
270
DHCPThe AP checks whether it has received a controller IP address with its

DHCP settings in option 43. If so, the AP sends a unicast discovery message to
that address (and, if that address fails to respond, to a second address included
in option 43).
DNSWhen it first obtains IP connectivity, the AP sends DNS requests for up to
six controller hostnames. It stores the IP addresses indicated in any DNS server
responses. If other methods have failed, the AP now sends a discovery request to
the first resolved IP address (and then, if that discovery fails, to the next and so
forth).
Layer 2If all other methods fail, the AP sends discovery broadcasts.
Layer 2 (tagged VLANs)If untagged discovery broadcasts do not succeed, the
AP tries sending broadcasts on tagged VLANs that might exist on its switch port.
(The AP does require an IP address before it sends the tagged broadcasts.
Therefore, if it is using DHCP, it sends tagged DHCP discovery broadcasts first.)
Rev. 14.21
Layer 3 AP discovery: DHCP

Option 43 on the DCHP server:
Vendor class =
Colubris-AP (ASCII)
Class option:
Name = Name
Type = IP address (array)
Code = 1
Option in pool =
Controller addresses
44
Rev. 12.31
Figure 2-42: Layer 3 AP discovery: DHCP
APs can receive controllers IP addresses with their DHCP settings. APs that use DHCP
always request option 43, a vendor-specific option that specifies controllers IP
address. If the APs do not receive this option, they simply apply the other settings
and attempt to discover the controller in a different way. To implement DHCP Layer 3
discovery, simply configure the APs DHCP scope with option 43.
In more detail, the DHCP administrator follows this process:
1.
Optionally, create the DHCP vendor class, which uses ASCII format. The ASCII
string is Colubris-AP.
The DHCP server uses the vendor class to determine whether to send the option
to clients, only sending it if the client requests the Colubris-AP option. Therefore,
you would need to create this class if other devices, such as VoIP phones, are
also using the scope and also use option 43. The server can then send the
correct option to each type of client.
2.
3.
Rev. 14.21
Create an option for the vendor class or, if you did not create the option, for
option 43. The option has these settings:
Option nameYou can choose any name that you want for the option.
Data typeSelect IP address (array).
CodeThe code is 1.
Add the option to the APs pool or scope. When adding the option, define one
or more IP addresses at which the APs can contact an MSM Controller.
271
The HP MSM7xx Controllers Configuration Guide provides detailed steps for

configuring the correct option on a Windows Server 2003 DHCP server or an ISC
DHCP server. In Lab Activity 2.3, you will configure the option on Windows Server
2008 R2.
DHCP discovery can work quite well in an environment with a DHCP server under
the companys control. The APs do not require any extra configuration, and the
DHCP server administrator only needs to create the Colubris-AP vendor class and
option once. Any DHCP administrator can then create that option for any scope as
required.
In addition, if you need to update the controllers IP address, you simply update the
address in the DHCP scope. When the APs obtain their IP addresses, they will obtain
the new address.
When prompted by your facilitator, fill in the table.
Table 2-6: DHCP Layer 3 discovery method

DHCP
How APs obtain the
controllers IP address
Steps for the MSM
administrator
Steps for network
administrators
272
Rev. 14.21
Layer 3 AP discovery:
DNS
DNS
The DNS server requires an entry that resolves the controller hostname.
45
Rev. 12.31
Figure 2-43: Layer 3 AP discovery: DNS
To implement this method, the AP sends a DNS request to its DNS server for the
controllers hostname.
By default, MSM APs use cnsrv1, cnsrv2, cnsrv3, cnsrv4, cnsrv5, and cnsrv6 for the
controller hostnames. The network DNS server administrator should configure an
entry that maps one of these hostnames to the controller IP address that you want the
APs to discover.
You might not have a choice in the hostname for the MSM Controller. In this case,
rather than have APs use the default hostnames, you can preprovision the APs with
the proper hostname or hostnames.
The DNS discovery method requires the company to have its own DNS server and
the DNS server administrator to create a DNS entry for the controller. However,
creating such an entry can be relatively easy and might be required for another
purpose in any case. As another advantage of this method, you might be able to
implement it without preprovisioning APsbut only if the company is willing to use
the default hostnames for the controllers.
When prompted by your facilitator, complete the table.
Table 2-7: DNS Layer 3 discovery method

DNS
How APs obtain the
Steps for the MSM
administrator
Steps for network
administrators
Rev. 14.21
273
Layer 3 discovery:
Static
Static
No changes to network services required, but you must pre-provision APs.
46
Rev. 12.31
Figure 2-44: Layer 3 discovery: Static
You learned that you can provision APs with connectivity settings such as static IP
addresses. You can also provision the APs with their discovery settings, which are the
IP addresses or hostnames that the APs use for Layer 3 discovery. If you specify IP
addresses in the discovery settings, the APs are ready for Layer 3 discovery after
provisioning. APs provisioned with hostnames require a DNS server that can resolve
those hostnames to valid controller IP addresses, as you learned on the previous
slide.
This Layer 3 discovery method is generally recommended only as a last resort when
the company does not have a DNS or DHCP server that you can configure instead.
For example, in some environments, an ISP might provide these services.
Potential disadvantages with this method include:
274
You must statically provision the APs with the controllers IP address initially, and,
if you ever want to update the address, you must statically provision them again.
Once you have provisioned an AP with a static controller address or addresses,
the AP continues to uses that setting rather than try another method. Therefore, if
an error occurs, the AP might not ever become managed. You must manually
reset the AP following the procedure in the APs Installation and Getting Started
Guide. This troubleshooting procedure might be beyond the resources of the
staff at APs site.
Rev. 14.21
When prompted by your facilitator, complete the table.
Table 2-8: Static Layer 3 discovery method

Static
How APs obtain the
Steps for the MSM
administrator
Steps for network
administrators
Rev. 14.21
275
Provisioning
APs APs
Provisioning
Controller-based provisioning (typically preferred):
1.
2.
Discover the APs at Layer 2.

Configure the provisioning settings:
Discovery
3.
4.
5.
Connectivity
Enable controlled AP provisioning.
Resynchronize the APs.
Install the APs in their final locations.
Individual AP, or non-staged provisioning, is possible until the AP

becomes managed.
Figure 2-45: Provisioning APs
You have learned several reasons for preprovisioning an AP; that is, for establishing
settings on the AP before installing the AP in its final location. These reasons are:
The AP needs a static IP address.

47
Rev. 12.31
The AP needs a non-default hostname for the MSM Controller to implement DNS
Layer 3 discovery.
The AP needs an IP address for the MSM Controller to implement Layer 3
discovery.
You will learn a few more reasons throughout this course.

Whatever the reason for preprovisioning the AP, follow the same basic steps:
1.
2.
Discover the APs at Layer 2.

a.
Create an isolated VLAN that consists of only the controller LAN port (or the
MSM720 Access network) and APs. For example, you could connect the
controller LAN port and multiple MSM APs to a switch without any
configuration.
b.
Enable the DHCP server on the controller. At this point, the controller is
using its default IP address on its LAN port and assigning IP addresses in
this subnet. You can leave these default settings because the APs will only
use these IP addresses temporarily.
c.
The APs receive IP addresses and become discovered.
Configure the provisioning settings:
Use discovery settings to set the controller hostname or IP address for Layer
3 discovery.
You can configure the discovery settings at the Controlled AP level. Or, if
APs at different sites require different settings, you can assign APs to groups
and then configure the settings at the group level.
276
Rev. 14.21
Use connectivity settings to set static IP addresses for APs.

You must configure the static IP address at the individual AP level.
Important
The windows for both the discovery settings and the connectivity settings feature
a check box at the top. This check box determines whether the settings
configured in the window are applied or not. Be careful to select the check box;
otherwise, APs will not implement the provisioned configurations.
3.
You must enable controlled AP provisioning for these settings to apply. The Web
browser interface will warn you if you forget this step.
4.
Resynchronize the APs to apply the new settings.
5.
After the APs synchronize, you can deploy them in their final locations, and the
controller will discover them again.
Non-staged or individual AP provisioning

You can also provision APs individually, sometimes called non-staged provisioning.
At its factory default settings, you can contact the AP directly and login to page with
provisioning settings. You might find the individual provisioning process burdensome
if you have many APs; however, if only a couple of those APs require
preprovisioning, you might prefer this method.
To provision an AP individually, follow these steps:
1.
Connect the AP to a switch port in a VLAN in which the AP can obtain an IP

address from a DHCP server.
The DHCP administrator might want to create a DHCP reservation so that

you know the address.
Make sure that the controller does not have an IP address on the same
VLAN. After the AP discovers the controller and establishes a management
tunnel, you can no longer connect to the AP itself.
Note
You can return an AP to factory default settings in the controller interface or
manually, following the directions in the APs Installation and Getting Started
Guide. You can then connect to the APs provisioning page.
Rev. 14.21
2.
Determine the APs IP address. Open a Web browser and navigate to that
address.
3.
Log in to the interface using the default credentials (admin and admin).
277
4.
You can convert an AP to autonomous mode in this interface. You can also
provision a controlled mode APs connectivity settings, discovery settings, or
both.
Follow similar guidelines for configuring the settings at this level as for
configuring them on the controller. Remember to select the check box at the top
of the window to apply the settings.
5.
The AP will begin to implement the provisioned settings after it reboots. It will
then discover the controller. Before you initiate this process, double-check the
controller configuration.
If the controller is configured to replace APs provisioned settings with its own, it
will apply whatever settings are configured for the Default Group to the AP when
the AP becomes controlled. The next time that the AP reboots, the AP will
implement those settings. Be careful not to erase the APs pre-provisioned
connectivity or discovery settings unintentionally. Doing so could cause you to
lose contact with the AP, perhaps forcing you to perform a manual reset and
provision the AP again.
6.
278
When you are certain that the settings on both the AP and the controller are as
you desire, reboot the AP. It should obtain an IP address and discover the
controller.
Rev. 14.21
Provisioning
APs with
settings
Provisioning
APsother
with other
settings
Acting as an 802.1X supplicant
Helps to protect the network against rogue endpoints or APs
Connecting with a tagged VLAN

Prevents issues if the AP fails to receive an IP address
Figure 2-46: Provisioning APs with other settings
MSM APs can connect to tagged ports instead of untagged ports. In some cases,
you might want to use this ability. First, if the AP is deployed in a public place, the
measure might act as a deterrent against casual users who might try to connect to its
port. Of course, true security would involve implementing 802.1X on the switch port,
and MSM APs support this capability as well. In the AP connectivity settings, you
simply select the 802.1X check box and assign the APs the correct EAP method and
credentials.
The primary benefit of deploying APs on tagged VLANs, therefore, is gaining more
Rev. 12.31
48
precise control
over the APs connection.
As part of its plug-and-play features, you can connect an MSM AP that has no prior
configuration to a switch port that is tagged rather than untagged for the VLAN in
which Layer 2 discovery is possible. The APs attempt to receive an IP address will
fail. The AP will then begin sending DHCP discovery broadcasts tagged for VLAN 1.
If the process times out again, the AP will send broadcasts in VLAN 2, and so forth.
The AP continues until it receives an address and then begins the discovery process.
This behavior can help the AP become discovered in some environments where you
have little knowledge or control of the infrastructure.
However, in a well-designed solution, you typically want to control APs precise
VLAN. In addition, this behavior can cause issues if a brief interruption in network
services causes an AP to lose its IP address. The APs DHCP requests time out, so the
AP begins to send tagged messages. The AP might receive an IP address in a user
VLAN, or it might continue to try tagged VLANs after network services have been
restored.
Deploying APs in a tagged VLAN helps you to avoid such unexpected behavior.
To deploy APs on tagged VLANs, first discover the APs on untagged VLANs. Then
assign the APs their VLAN ID in their provisioning connectivity settings. (Of course, if
you had to preprovision APs for another reason, you could apply the VLAN ID at the
same time.) You can quickly provision many APs with the correct VLAN ID by
applying the setting to the controlled APs or AP group level.
In more detail, follow this process:
Rev. 14.21
1.
Configure APs switch ports with untagged VLAN assignments.
2.
Deploy APs as planned.

279
3.
After APs are discovered, divide them into groups. Try to create groups such that
every AP in the group is in the same VLAN.
4.
Provision APs at the AP group level with the tagged VLAN assignments. Make
sure that controlled AP provisioning is enabled.
5.
Resynchronize the APs. You will not see the resynchronization process complete
because APs can no longer reach the controller.
6.
Configure APs switch ports with the tagged VLAN assignments.
7.
The APs should become discovered and controlled again.
At this point, the MSM APs will only send out DHCP requests on the tagged VLAN,
so you can be certain that it always remains on its own VLAN even if its DHCP
requests time out. However, if you choose this solution, make sure that the tag is
correct. To remove the incorrect tag, you must somehow connect the AP to the
controller on the tagged VLAN or reset the AP manually.
280
Rev. 14.21
Lab ActivityLab
2.3
Activity 2.3
Enable MSM APs to discover the controller at Layer 3.
49
Rev. 12.31
You will now practice more advanced deployment options for MSM APs, focusing on
Layer 3 discovery options.
Consult your Lab Activity Guide for instructions for this activity.
Rev. 14.21
281

Activity 2.3.

Challenges
Key Insights
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
282
Rev. 14.21
Review: Planning an MSM Controller and AP

Review: Planning an MSM Controller and AP
deploymentdeployment
51
Rev. 12.31
Figure 2-48: Review: Planning an MSM Controller and AP deployment
You can now bring together all that you have learned throughout this module.
You have learned how to create VLANs and IP interfaces assigned to MSM
Controller ports, whether an MSM720s routing switch ports or other controllers
router ports. You have also learned about how the controller handles traffic based on
the interface on which it arrives. With this knowledge as a foundation, you examined
strategies for deploying the MSM Controller and for deploying APs.
As part of these strategies, you learned about planning VLANs on which to deploy
APs. It is generally recommended that you dedicate new VLANs for your APs.
However, you might choose to deploy APs on an existing VLAN when you want to
manage them on the same VLAN as wired infrastructure devices or when you find it
difficult to make changes to the network infrastructure.
You also learned about configuring VLANs and IP interfaces on the MSM Controller
ports for two functions:
AP discovery/management interface or interfacesThe IP interfaces on which

the controller discovers and controls APs
Rev. 14.21
Sometimes the company desires Layer 2 discovery. In this case, the AP

discovery/management VLAN or VLANs must match the AP deployment
VLAN or VLANs. This solution is only possible when all AP VLANs can be
extended to the MSM Controller.
283
When Layer 3 discovery is required, the AP discovery/management

interface is the interface through which the controller reaches the APs. If the
controller only knows its connected routes and a default route through the
interface on which you manage it, it will discover all APs on its
management interface. This solution usually works well.
You could if you wanted, however, use a different interface or even different
interfaces to managed different APs. (In Module 5: Guest Solutions, you
will discover that the AP management interface can affect the flow of traffic
for access-controlled clients.) To control the interface, simply create a static
route to the APs subnet through the desired interface. Make sure that the
next hop router can reach the APs and that AP discovery is enabled on the
port to which the interface is mapped.
Often, when a company uses Layer 3 discovery for some APs, it prefers to
use the same method for all APs. The flowcharts on the next pages assume
that all APs are discovered at either Layer 2 or Layer 3. However, you can
also easily combine the solutions.
Controller managementThe VLAN on which you reach the MSM Controllers

Web browser interface
You might want to manage the controller on the same new VLAN created for
APs, or you might want to manage the controller on the VLAN on which wired
infrastructure devices are managed.
You can sometimes use the same interfaces for both functions, and sometimes your
choices in one area will affect your choices in another. The figure on the following
page provides some guidelines for choosing VLANs depending on:
Whether APs are deployed on dedicated or existing VLANs
Whether you want to manage the controller and APs on the same VLAN
284
Whether some APs must be deployed across a Layer 3 boundary from the
controller
Rev. 14.21
Rev. 14.21
285
After choosing VLANs for these functions, you must plan how to configure network
profiles on the controller so that the controller supports the proper AP
discovery/management and controller management interface. As the figure on the
previous page shows, you might use the same interface for all functions or create
new interfaces.
The flowchart on the following page provides some guidelines for selecting network
profiles to use for the IP interfaces on MSM760 and MSM775 zl Controllers. The
ovals indicate suggestions designed for a simple setup, favoring an Internet port only
deployment. For example, they mostly suggest that you configure the controller
management interface on the Internet port network so that you can use the wizard for
quick setup. The bottom of the flow chart lists alternatives, which you could certainly
choose instead.
286
Rev. 14.21
R
e
m
e
m
b
e
r
t
h
e
g
u
i
d
e
l
i
n
e
s
f
o
r
c
o
n
n
e
c
t
i
n
g
t
h
e
c
Rev. 14.21
287
ontroller and configuring the connecting switch ports:
Connect only the controller ports that are required. Often, this means that you
only connect the Internet port.
The exception is that you must always enable the internal <slot>2 port that
connects to the MSM775 zl LAN port. However, you can isolate the untagged
LAN port interface by assigning <slot>2 an unused ID for the untagged VLAN.
Place the controllers (untagged) Internet port interface, if used, in a VLAN by

specifying the untagged VLAN assignment for the switch port connected to the
controller Internet port.
Match tagged VLAN assignments for the switch port connected to either
controller port to the VLAN IDs for the IP interfaces mapped to that port.
If the untagged LAN port is not used, but the LAN port is connected, prevent the
switch port from carrying untagged traffic.
Similarly, if the (untagged) Internet port network is not used, but the Internet port
is connected, prevent the switch port from carrying untagged traffic. However,
this design occurs less often.
At this point, you should only be using the controllers untagged LAN port
interface if you need to assign APs IP addresses with the controller DHCP server.
In this case, specify the APs VLAN as the untagged VLAN on the switch port
connected to the controller LAN port. Make sure that other endpoints are not
using this VLAN to connect.
The final flowchart (on the following page) provides similar guidelines for matching a
selected VLAN to a network on the MSM720, whether one of the default network
profiles or a new profile associated with an IP interface. For example, if the flowchart
suggests that you use the Internet network for the controller management VLAN, set
the VLAN ID for this network profile to the VLAN ID that you selected for this purpose
earlier. (Remember that on MSM720s, you must set the VLAN ID for network profiles
that are assigned to ports, whether they are assigned as tagged or untagged
VLANs.)
For the MSM720s, you have complete control over which profiles you assign to each
port as tagged or untagged, so the flowchart does not suggest how to make these
assignments. Simply make sure that:
AP discovery/management interfaces are assigned to ports on which APs reach

the controller (tagged or untagged as you desire and as the port can support).
The controller management interface is assigned to ports on which management
stations and solutions reach the controller (tagged or untagged as you desire
and the port can support).
You do not create a loop on any VLAN.
Match the VLAN assignments on the connecting switch port.

288
Rev. 14.21
Summary
MSM Controller ports and networks
Best practices for controller deployment
Best practices for AP deployment

F
i
g
u
r
e
2
4
9
:
S
u
m
m
a
r
y
52
Rev. 12.31
T
h
r
o
u
g
h
o
u
t
t
Rev. 14.21
289
is module, you have studied and practiced methods for obtaining initial access to the
MSM Controller, configuring its final management settings, and connecting it to the
network. Similarly, you have practiced several ways to deploy APs, including ones
that require Layer 3 discovery. Your knowledge of the controller ports and networks
helped you to follow best practices during these tasks just as it will as you continue to
implement more features in your MSM solution.
290
Rev. 14.21
Learning check
For the learning check for this module, you will now practice using the flowcharts to
plan solutions.
Scenario 1
You are deploying an MSM775 zl Premium Mobility Controller and forty MSM APs
at a customer site, which uses VLAN 2 as the server VLAN, VLAN 20 for users, and
VLAN 11 for switch management. The company will add a dedicated VLAN for the
APs, VLAN 10, with a new subnet, 10.1.10.0/24; the VLAN which will extend
throughout the site, and the routing switch will act as the default gateway. The
company has a DHCP server, and the server administrator is adding a scope for the
APs. The company staff wants to manage the MSM Controller on the same subnet on
which the controller manages the APs.
Use the first flowchart to select VLAN IDs.
1.
What is the AP deployment VLAN or VLANs?
_______________________________________________________________________
_______________________________________________________________________
2.
What is the AP discovery/management interface or interfaces on the controller?
_______________________________________________________________________
_______________________________________________________________________
3.
What is the controller management interface?
_______________________________________________________________________
Next use the second flowchart to find suggested network profiles for the controller
ports. You might use the same profile for more than one purpose.
4.
What is the suggested network profile on the controller for the AP

discovery/management interface or interfaces? If the profile is a non-default
one, note the VLAN ID.
_______________________________________________________________________
5.
What is the suggested network profile on the controller for the controller
management interface? If the profile is a non-default one, note the VLAN ID.
_______________________________________________________________________
Finally, follow the guidelines that you have learned throughout this course for
choosing how the controller connects to the switch.
Rev. 14.21
291
6.
What is the VLAN configuration for the switch ports that connect to the
MSM775 zls internal ports?
_______________________________________________________________________
_______________________________________________________________________
Scenario 2
You are deploying an MSM720 Access Controller and 15 MSM APs at a customer
site, which uses VLAN 2 as the server VLAN, VLAN 20 for users, and VLAN 11 for
switch management. The company wants to deploy the APs on an existing VLAN and
manage the controller on the same VLAN. The controller connects to an HP IRF
group on a link aggregation (trunk) that consists of ports 1 and 2.
You must deploy another five APs at a remote site, which reaches the main site over a
routed connection. Again, the company does not want to add a VLAN for the APs,
the will connect on the remote sites VLAN 30.
The company has a DHCP server, which already provides IP addresses on all VLANs.
1.
_______________________________________________________________________
_______________________________________________________________________
2.
_______________________________________________________________________
_______________________________________________________________________
3.
_______________________________________________________________________
Next use the third flowchart to find suggested network profiles to use. You might use
the same profile for more than one purpose.
4.

discovery/management interface or interfaces? What is the ID for this profile?
_______________________________________________________________________
_______________________________________________________________________
292
Rev. 14.21
5.
management interface? What is the ID for this profile?
_______________________________________________________________________
_______________________________________________________________________
6.
How will your assign the network profile or profiles to the MSM720 ports 1 and
2? (More than one choice might be valid.)
_______________________________________________________________________
7.
What is the VLAN configuration for the link aggregation group that connects to
the MSM720 ports 1 and 2?
_______________________________________________________________________
Scenario 3
You are deploying an MSM760 Access Controller and 40 MSM APs at a customer
site, which uses VLAN 1 for servers and users and VLAN 2 for switch management.
The company wants to manage the controller in the switches subnet but deploy the
APs on a reserved VLAN, VLAN 3. The new VLAN will extend throughout the site.
The company DHCP server cannot be configured with a new scope for the APs IP
addresses, but you want a quick deployment for the APs.
1.
_______________________________________________________________________
_______________________________________________________________________
2.
_______________________________________________________________________
_______________________________________________________________________
3.
_______________________________________________________________________
Next use the second flowchart to find suggested network profiles for the controller
ports. You might use the same profile for more than one purpose.
Rev. 14.21
293
4.

discovery/management interface or interfaces? If the profile is a non-default
one, note the VLAN ID.
_______________________________________________________________________
_______________________________________________________________________
5.
management interface? If the profile is a non-default one, note the VLAN ID.
_______________________________________________________________________
6.
Which controller port or ports should you connect to a switch?
_______________________________________________________________________
_______________________________________________________________________
7.
What is the VLAN configuration for the switch port or ports?
_______________________________________________________________________
_______________________________________________________________________
294
Rev. 14.21
Wireless Fundamentals
Module 3
Objectives
This module describes the 802.11 standards and the properties of radios as they
relate to wireless communications.
After completing this module, you should be able to:
Given a customers requirements for a wireless LAN (WLAN), select the 802.11
mode (a/b/g/n) that best meets those requirements
Explain the factors, such as Effective Isotropic Radiated Power (EIRP) and
receiver sensitivity, that affect coverage and capacity
Explain the difference between Layer 2 and Layer 3 roaming
Explain how antennas shape the wireless signal
Configure radio settings on HP MultiService Mobility (MSM) APs
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
31
topics topics
802.11 standard
Wireless cells
802.11a/b/g/n
Channels in 2.4 and 5 GHz band
802.11h
802.11n enhancements
802.11n backward compatibility
CTS-to-self
RTS/CTS
Wireless network operating system modes

802.11 authentication and association
Radio properties
Antennas
Roaming
3
Rev. 12.31
You will first learn about the 802.11 standard, which governs how wireless devices
detect, associate, and communicate with each another.
32
Rev. 14.21
Wireless cell
Wireless cell
Area in which the AP and stations can communicate
CSMA/CA
Figure 3-2: Wireless cell

4
Rev. 12.31
The coverage area in which the AP and stations can communicate with each other is
called a wireless cell. To communicate, a station must be able to detect the APs
signal, and the AP must be able to detect the stations signal. Therefore, an APs
exact coverage area might be different for each station, depending on each ones
capabilities.
All the devices within a given cell share the same mediumthe air through which the
radio signals travelbut only one signal can be transmitted at a time on the same
channel, or collisions and data loss occur. When only one user is in a cell, that user
has on-demand access to the medium. When many users are in a cell, they must
compete for airtime, which means decreased network performance.
To prevent loss of data due to simultaneous transmissions, the 802.11 standard
dictate that all wireless communications be half-duplexonly one end of the link may
transmit or receive at a time. Further, the stations use carrier sense multiple access
with collision avoidance (CSMA/CA). Before a station can transmit data, it must first
listen to determine if another station is sending data. If no other station is
transmitting, the station can begin sending its data. If another station is already
transmitting data, however, the original station must wait the amount of time specified
in the slot time parameter before trying to send a frame. (The slot time is a parameter
you can configure on the AP). Although these guidelines allow devices to share the
same medium, they limit the throughput each
The 802.11 standard also requires certain non-negotiable overheaddata required
by the wireless system but which does not form part of the relevant frame payload.
For example, a device must send an ACK frame each time it receives a frame intact.
In addition, the 802.11 header is longer than an Ethernet header; each header may
include destination, origin, and transmitter addresses, initialization vectors (IVs) for
encryption keys, and other Layer 1 and Layer 2 data.
Rev. 14.21
33
Although individual overhead requirements may seem small, the cumulative effect
over large networks with many users is substantial. For example, in practice,
throughput may be half the theoretical value, and that is in the best of circumstances.
34
Rev. 14.21
802.11 a/b/g/n
802.11 a/b/g/n
review review
Frequency band
Which
802.11 modes operate in 2.4 GHz?
Which
802.11 modes operate in 5 GHz?
Transmission speed
Which 802.11 mode supports a maximum of:

11 Mbps?
54 Mbps?
600 Mbps?
Figure 3-3: 802.11 a/b/g/n review
As a networking professional, you are familiar with 802.11 a/b/g/n. Take a few
minutes to review the frequency band in which each of these 802.11 modes operates
and recall each ones advertised transmission speed.
1.
5
Rev. 12.31
Which
802.1
1 modes operate in the 5 GHz range?
_______________________________________________________________________
_______________________________________________________________________
2.
Which 802.11 modes operate in the 2.4 GHz range?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
3.
Which 802.11 mode supports the highest transmission speeds?
_______________________________________________________________________
4.
Record the advertised transmission rate for each 802.11 mode below.
802.11a ________________________________________________________________
802.11b ________________________________________________________________
802.11g ________________________________________________________________
802.11n ________________________________________________________________
Rev. 14.21
35
5.
What are common sources of interference in the 2.4 GHz range? (Refer to the
Supplemental Information about 802.11 a/b/g/n section at the end of the
module for more information.)
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
6.
What are common sources of interference in the 5 GHz range?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
In this module, you will examine the difference between the advertised transmission
rate and the actual transmission rates. That is, you will consider the factors that affect
transmission rates.
First, however, you will consider channels and identify the channels that are nonoverlapping, thereby decreasing interference.
36
Rev. 14.21
Channels in the 2.4 GHz band

Channels in
the 2.4 GHz band
Figure 3-4: Channels in the 2.4 GHz band

6
Rev. 12.31
The 2.4 GHz band is divided into 14 channels beginning at 2.412. The first 13
channels are spaced 5 MHz apart. That is, the center frequency of channel 1 is
2.412 GHz; the center frequency of channel 2 is 2.417 GHz, and so forth. Channel
14, designed specifically for Japan, has its center frequency at 2.484 GHz, 12 MHz
from channel 13s.
Of the 14 channels, Europe, Latin America, and Asia Pacific support 1 through 13,
while North America allows only channels up to 11. Japan supports all 14.
You should understand the spectral placement of 2.4 GHz channels, realizing that
signals spread up to 22 MHz from the center frequency. Because channels are
spaced only 5 MHz apart, channels overlap up to 5 channels on each side.
Dividing the spectrum into channels allows wireless APs in the same area to operate
without interfering with each other: radios are simply tuned to transmit on frequencies
that do not overlap one another at the boundaries. Because different regulatory
agencies permit different channels, the non-overlapping channels you can use will
vary, depending on your country.
As shown in the slide, wireless designers in North America typically work with
channels 1, 6, and 11 to avoid interference from overlapping channels. Wireless
designers in other regions can also use those three channels or channels 1, 7, and
13.
As long as you use non-overlapping channels, you can place your APs in close
proximity to each other and not worry about interference.
Rev. 14.21
37
CommonlyCommonly
used channels
in the in5 the
GHz
band
used channels
5 GHz
band
Rev. 12.31
Figure 3-5: Commonly used channels in the 5 GHz band
The 802.11a standard provides more non-overlapping channels and more channels
overall than 802.11b/g. The 5 GHz frequency band is more tightly regulated than
the 2.4 GHz bandprimarily because military radar devices operate in this same
frequency band. As a result, the allowed channels vary, depending on the country
where you are implementing the wireless network.
802.11a channels are spaced every 20 MHz because a single 802.11a standard
encompasses four channel numbers. For example, as the illustration shows, the center
frequency of channel 36 is 20 MHz below the center frequency of channel 40 (5.20
GHz). (Note that the illustration shows only some of the 802.11a channels.)
38
Rev. 14.21
802.11h
802.11h
Defines two specifications for regulatory compliance:
Dynamic
Transmit
frequency selection (DFS)
power control (TPC)
Rev. 12.31
Figure 3-6: 802.11h
Because military radar devices and satellites operate in the 5 GHz frequency band,
it is more tightly regulated than the 2.4 GHz band. To prevent 802.11 devices from
interfering with military radar or satellites, the 802.11 standard was amended to
include 802.11h.
This amendment defines two mechanisms for meeting regulations:
Dynamic Frequency Selection (DFS)
Transmit Power Control (TPC)
Both mechanisms help an AP adapt to changing circumstances, such as significant

interference. They also ensure that your wireless network meets the regulations
enforced in your country.
DFS
To prevent APs from interfering with military radar, DFS is designed to help APs
detect radar and then select its channel dynamically.
The AP solicits reports from stations to monitor the channel.
The AP determines when to change the channel.
Soliciting Reports
When advertising its presence, the AP also advertises its support for DFS. After
connecting to the AP, a station must send the AP the channels it supports. This
information helps the AP to choose the best channel if it must change channels.
At any time, the AP can request that a station monitor various channels for
interference and send information about interference to the AP. This information helps
the AP to determine when it must change channels.
Rev. 14.21
39
Changing Channels
If a stations report indicates that the wireless network is experiencing undue
interference, the AP decides to change the channel. Before changing the channel, the
AP first informs all connected stations of the change and when it will take place. The
AP can also suppress transmissions until the change is final.
TPC
TPC minimizes a wireless networks interference with satellite communications by
allowing you to configure a maximum transmit power for your network. This
maximum is regulated by the AP, which not only complies with the limit but also
forces stations to transmit at or below this maximum.
In addition to enforcing regulatory compliance, TPC helps conserve powera
particularly useful feature for laptops and other stations that have a limited battery
power. The AP monitors the network to ensure that power usage remains just over the
level to maintain adequate signal strength. If the current signal strength falls below
the fade margin (a signal strength slightly above that at which the signal is lost),
stations can raise their power as far as necessary up to the allowed maximum.
Optional activity
Your facilitator may ask you to explore which channels are available in the 5 GHz
range in your country and, of these channels, which are affected by DFS. Turn on
your lab equipment or access the remote labs; then complete the following steps:
1.
Log in to the MSM Controllers Web browser interface, using the following
credentials:
Username: admin
Password: password
(The default password is admin. You changed it in the Module 2Lab 1.)
2.
Navigate to Controlled APs > <Group Name> > <AP Name> >> Configuration >
Radio. (Select an AP that can operate in the 5 GHz range.)
3.
Select the radio that supports the 5 GHz rage.
4.
Select the following:
5.
Operating mode: Access point only
Wireless mode: 802.11n/a
Select the drop-down menu for Channel. List some of the channels that are
marked with an asterisk (*). These are the channels that support DFS.
_______________________________________________________________________
_______________________________________________________________________
310
Rev. 14.21
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
6.
Navigate to Controlled APs > <Group Name> >> Configuration > Country.
7.
Clear the Inherited check box.
8.
If you are using a remote lab environment, the country code is probably the
United States. Select the country in which you reside.
9.
Click Save.
10. Navigate to Controlled APs > <Group Name> > <AP Name> >> Configuration >
Radio. (Select an AP that can operate in the 5 GHz range.)
11. Select the radio that supports the 5 GHz rage.
12. Select the drop-down menu for Channel. Have the number of available channels
changed? Are the DFS channels different?
_______________________________________________________________________
_______________________________________________________________________
13. Return the country code to its original setting.
Rev. 14.21
a.
Navigate to Controlled APs > <Group Name> >> Configuration > Country.
b.
Select the appropriate county and click Save.
311
Dual-band standard
Channel bonding
MIMO
Band steering
Beamforming
Figure 3-7: 802.11n enhancements
As you correctly identified, 802.11n is a dual-band standard: it can operate in both

the 2.4 and 5 GHz range. Although the 5 GHz band is recommended for 802.11n
deployments, being able to use the 2.4 GHz band as well gives you more flexibility
in implementing a wireless network. For example, if a particular environment has a
lot of interference in the 5 GHz range, you can move the 802.11n network to the 2.4
9
Rev. 12.31
GHz range.
802.11n has revolutionized wireless networking by increasing performance. To
achieve substantially higher transmission rates, 802.11n employs several new
technologies. In this course, you will focus on the enhancements listed here:
312
Channel bonding
MIMO
Band steering
Beam forming
Rev. 14.21
802.11n: channel bonding
802.11n: channel bonding
Figure 3-8: 802.11n: channel bonding
With 802.11n you can combine two adjacent 20 MHz channels into a single 40
MHz channel. Bandwidth for a particular WLAN is more than doubled because the
10
Rev.
12.31
guard band
between
the two 20 MHz channels can be removed when they are
bonded. (The guard band is used to prevent interference between channels.)
Channel bonding is typically used in the 5 GHz frequency band because it has more
non-overlapping channels. Because the 2.4 GHz frequency band has only three nonoverlapping 20 MHz channels, bonding two 20 MHz channels leaves only one nonoverlapping channel.
Rev. 14.21
313
802.11n:and
MIMO
and spatial
streaming
802.11n: MIMO
spatial
streaming
11
Rev. 12.31
Figure 3-9: 802.11n: MIMO and spatial streaming
Another reason 802.11n can achieve such high transmission rates is its multiple-input,
multiple-output (MIMO) antenna design. MIMO algorithms in a radio chipset send
data out over two to four antennas. Signals from each transmitter can reach the
target receiver via a unique path.
MIMO devices can have two to four transmitters and one to four receivers. For
example, if a device has two transmitters and one receiver, it would be described as
having a 2 x (by) 1 configuration. If a device had three transmitters and three
receivers, it would have a 3 x 3 configuration.
Because APs send data to multiple wireless stations, they typically have three or four
transmitters. Wireless stations, on the other hand, usually receive more data than they
send and thus have a 2 x 3 configuration.
802.11n can use MIMO for several purposes. One important purpose is spatial
multiplexingthat is, sending multiple data streams in the same channel to multiply
the throughput of radio. In Module 1, you learned that HP offers MSM APs that
support two or even three spatial streams. Other factors being equal, a radio
operating with two spatial streams transmits at twice the data rate of a radio using a
single spatial stream. Similarly, three spatial streams triple the data rate.
Spatial multiplexing works best if the paths are spatially distinct, resulting in received
signals that are uncorrelated. Thus, while traditional 802.11 networks degrade in the
presence of multipatha propagation phenomenon by which multiple radio signals
reach receiving antennas by bouncing off of objects along the waymultipath helps
decorrelate the 802.11n channels, enhancing the operation of spatial multiplexing.
The signals are recombined on the receiving side by the MIMO algorithms
dramatically improving wireless performance and reliability.
314
Rev. 14.21
Traditionally, when reflections combine, they distort the signal at the receiver. The
MIMO receivers, however, consistently process each multipath component, thereby
eliminating the mixture of out-of-phase components that would normally result in
signal distortion.
Rev. 14.21
315
802.11n: beamforming
transmit beamforming
802.11n: transmit
Increases throughput by improving the quality of the signal
sent to stations
MSM APs support explicit beamforming:

Use
an array of antennas to send the same data
Receive
direct feedback from the station (which must also support

beamforming)
Use
this feedback to maximize the phase alignment of signals and their

reflections
Figure 3-10: 802.11n: transmit beamforming
Another use for MIMO is beam forming, which is designed to optimize the quality of
the wireless signal for each individual station.
The HP MSM430,
MSM460, and MSM466 support a standards-based
12
Rev. 12.31
implementation of transmit beamforming (which is also called chip-based
beamforming).
With transmit beamforming, the AP radio sends multiple data streams of the same
data from an array of transmitter antennas. However, it adjusts the magnitude and
phase for each transmitter. The AP calculates these adjustments such that, after
following the different paths to the receiver, each signal adds to each other,
increasing the clarity of the signal. Thus, beamforming can increase range; a station
can detect the APs signal further from the AP. Because the quality of the signal also
determines which data rate a station can use, beam forming can also improve
throughput. At the same distance from the AP, the station can transmit and receive
data at a higher rate.
The AP determines how to phase shift the data correctly for a specific receiver using
sounding packets. The AP sends a signal to the station (Where are you?) and
listens for a response (Im right here).
The MSM APs support explicit beamforming. With explicit beamforming, the
transmitter (in this case, the AP) receives direct feedback from the receiverthe
stationand uses this feedback to maximize the phase alignment of signals and their
reflections. The station that is receiving the signal must support beamforming.
Because the station has an open channel to the AP, the station can provide feedback
about how well it is receiving signals (signal path, phase shift, and so on). In this
way, the AP can more quickly and accurately assess the optimal beam to use.
316
Rev. 14.21
Because beamforming requires multiple transmitters that send the same data, those
transmitters cannot be used for different spatial streams at the same time. Therefore,
an MSM430, MSM460, or MSM466 radio can send data over up to two spatial
streams with beamforming (or up to three spatial streams without beamforming). If
range is an issue, the APs can transmit over one or two spatial streams, with
beamforming taking place on the other antenna. In environments where the AP is
running three spatial streams, stations that are closer to the AP can achieve higher
throughput rates without beamforming.
Rev. 14.21
317
802.11n: band
steering
802.11n:
band steering
Encourages stations to use 5 GHz:
AP
must have two radios, which support 802.11n.
When
a station tries to associate with the AP on the 2.4 GHz band, the
AP:
Waits 200ms before responding to a probe request
Denies stations first association request
After
the station is associated with the AP, it does not respond to the
stations probe requests on the 2.4 GHz.
Figure 3-11: 802.11n: band steering
Band steering is designed to help you:
Reduce the number of stations using the more crowded 2.4 GHz band
Ensure that stations are using the band recommended for 802.11n5 GHz
13
Rev. 12.31
To support band steering, APs must have two radios, which support 802.11n. The
MSM430, MSM460, and MSM466 all support band steering.
When you enable band steering, the MSM APs try to encourage stations that support
both 2.4 and 5 GHz to move to the 5 GHz band, as follows:
The AP waits 200ms before responding to the first probe request sent by a
station using the 2.4 GHz band.
If the AP detects that the station is capable of transmitting at 5 GHz, the AP
refuses the first association request sent by the station (which is using the 2.4
GHz band).
Keep in mind that the APs can only encourage the stations to use the 5 GHz band.
The stations control if they actually use the 5 GHz.
After the station has moved to the 5 GHz band and associated with the AP, the AP
will not respond to any 2.4 GHz probes from the station as long as the stations
signal strength at 5 GHz is greater than -80 dBm. If the clients signal strength falls
below -80 dBm, however, the AP will respond to 2.4 GHz probes from the station
without delay.
To support band steering, the VSC must be bound to the MSM430, MSM460, and
MSM466. One radio must be configured for 2.4 GHz operation and the other for 5
GHz operation.
If the radio configured for 5 GHz operation reaches its maximum number of
supported clients, the AP will temporarily stop using band steering.
318
Rev. 14.21
802.11n backward
compatibility
802.11n backward
compatibility
Pure mode
Legacy
stations cannot connect to the AP
Compatibility modes
802.11n/a
mode
802.11n/g
802.11n/b/g
Figure 3-12: 802.11n backward compatibility
When you implement an 802.11n network, you must determine how the AP will
support legacy devices. Because 802.11 a/b/g stations cannot hear 802.11n
stations, these legacy stations may transmit at the same time 802.11n stations are
transmitting.
For the best
performance,
you should use the pure 802.11n mode.
14
Rev. 12.31
Rev. 14.21
Pure 802.11n modeUse this mode if you do not want legacy stations using the
same frequency band set for 802.11n AP. When an MSM AP implements this
mode for an APs radio, legacy stations cannot associate with that radio. The
MSM APs still direct stations to transmit their CTS/Self frames in protected mode;
however, the APs themselves do not do so.
802.11n/a mode, 802.11n/g, or 802.11n/b/gUse one of these modes if you
want the AP to support legacy stations as well as 802.11n stations. The AP
advertises protection in the beacon when legacy clients are associated or
operating on the same channel. Including this notification alerts 802.11n stations
to use protection mechanisms (such as RTS/CTS or CTS-to-self) when sending
802.11n data. These protection mechanisms eliminate disruption that legacy
stations might otherwise cause.
319
CTS-to-self CTS-to-self
CTS-to-self protection frames alert legacy stations to
transmissions.
Figure 3-13: CTS-to-self

15
Rev. 12.31
As part of supporting backward compatibility, you can enable transmit protection on

an MSM AP radio. The MSM AP radio then informs stations when they need to use
protection. A station implementing protection sends a control frame that can be
understood by legacy devices before transmitting its actual data frame. Protection
can use one of these mechanisms:
Clear to Send (CTS)-to-self
Request to Send (RTS)/Clear to Send (CTS)
CTS-to-self introduces less overhead, so you should usually choose it unless you have
a reason otherwise (as explained on the next page).
With CTS-to-self, a station that needs to transmit protected data first sends a CTS
frame to its own MAC address. This CTS frame uses modulation understood by the
legacy standard (802.11b or 802.11g). Thus all stations will then wait the amount of
time specified in the CTS frame before once again contending for control of the
medium.
Even if you do not want the radio itself to support legacy clients (you disable the
legacy supported rates), you might still enable protection. This ensures that
neighboring legacy stations outside of your control do not introduce collisions.
320
Rev. 14.21
RTS/CTS RTS/CTS
Another protection mechanism
Higher overhead
Solution for hidden node
16
Rev. 12.31
Figure 3-14: RTS/CTS
The RTS/CTS mechanism achieves the same goals, but involves more overhead.
Nonetheless, it might be required in some environmentssuch as ones with hidden
node problems.
Hidden node occurs when two stations, which are in range of an AP, are located too
far away from each other to detect each others CTS-to-self frames. This problem can
also occur if a station is located behind a wall. Whatever the cause, the two stations
cannot detect each others CTS frames and transmit simultaneously, causing a
collision at the AP. In the shared wireless medium, the collision causes both stations
to retransmit, resulting in lower throughput.
With RTS/CTS, a station must initiate a transmission by sending an RTS frame to
receiving stationin this case, the AP. The AP responds with a CTS frame, which
signals the sending station that it can begin transmitting its data frame. The CTS
frame also notifies other stations that they cannot transmit for the time period
specified in the CTS frame. While other stations wait for the amount of time specified
in the CTS frame, the station that initiated the RTS/CTS process transmits its data
frame.
Just as for CTS-to-self frames, you must consider whether to use protection for the
RTS/CTS frames. That is, stations and APs might need to send the RTS/CTS frames at
a data rate supported by all stations in the cell (including legacy stations).
Although RTS/CTS eliminates the need for stations to retransmit frames, it imposes its
own overhead on the wireless network. When RTS/CTS is enabled, the throughput
on an 802.11g network might fall below 20 percent of the theoretical maximum
throughput. However, if the collisions and retransmissions have reduced the
maximum throughput even lower, RTS/CTS may affect performance less than the
collisions do.
Rev. 14.21
321
Finding and resolving hidden node issues

A hidden node might cause somewhat lower performance for all stations, but
performance is especially slow for the hidden nodes themselves because they are
causing the collisions. If a cell has areas of very low throughput, the problem might
be caused by a hidden node.
Using a wireless protocol analyzer, you should investigate the problem further by
determining the number of collisions occurring. Because a wireless network is a
shared medium, it will always have some collisions. On average, you should expect
a retransmission rate of approximately 10 percent.
After you enable RTS/CTS to solve a hidden node problem, you should monitor
performance. Is performance better than it was before you enabled RTS/CTS, or is it
worse? If performance is better, you should consider redesigning the wireless cell to
eliminate hidden node and then disable RTS/CTS.
If performance is worse, maybe hidden node is not causing the original slowdown
on the network. In this case, you will need to look for other possible causes of slow
performance.
322
Rev. 14.21
topics topics
802.11 standard
Activity: Identifying modes and IDs

Ad hoc mode
Infrastructure mode
In-cell relay mode
BSS and BSSID
ESS and ESSID
Open versus closed systems
Radio properties
Antennas
Roaming
17
Rev. 12.31
You will now learn about the guidelines the 802.11 standard provides for using the
wireless medium to establish communications among devices
Rev. 14.21
323
Activity: Identifying
modes modes
and IDs
Activity: Identifying
and IDs
18
Rev. 12.31
Figure 3-16: Activity: Identifying modes and IDs
If your facilitator asks you to complete this activity, you will work in a group to
answer one or more of the following questions. You can use the materials in this
section as needed to answer the questions.
1.
What is the difference between infrastructure mode and ad hoc mode? What
kind of danger can ad hoc networks pose for companies?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
324
Rev. 14.21
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
2.
What is in-cell relay mode? What is this feature called on HP MSM APs?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
3.
Draw an ESS and a BSS in the blank space provided below and on the
following page.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
325
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
4.
What is an ESSID?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
5.
What is a closed system? Describe its role in securing a wireless network.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
326
Rev. 14.21
Ad hoc mode
Ad hoc mode
Peer-to-peer connection between two or more stations
Figure 3-17: Ad hoc mode

19
Rev. 12.31
An ad hoc
network
includes two or more stations that communicate directly with
each other through wireless transmissions. Each station in an ad hoc network receives
every packet transmitted.
To prevent loss of data due to simultaneous transmissions, the 802.11 standard

stipulates that stations use the carrier sense multiple access with collision avoidance
(CSMA/CA) mechanism.
Inexpensive and easy to establish, ad hoc networks are used most often for
exchanging files in small meeting areas when access to the wired network is not
necessary or not possible.
Rev. 14.21
327
Infrastructure
Infrastructure
mode mode
AP:
Establishes
Handles
20
Rev. 12.31
the wireless network
all communications from stations that associate with it
Figure 3-18: Infrastructure mode
Infrastructure mode is the most common deployment for wireless networks. In this
mode, stations do not communicate with an AP. The AP handles all communication
among wireless stations and controls the security and speed parameters for the
network.
In addition to connecting wireless stations to each other, the AP is connected to a
wired network. As the interface between the wired and the wireless network, the AP
receives wireless traffic from stations and forwards it on to the wired network.
Likewise, the AP receives and forwards traffic that is being sent from the wired
network to the wireless stations.
328
Rev. 14.21
relay mode
In-cell relayIn-cell
mode
21
Rev. 12.31
Figure 3-19: In-cell relay mode
In-cell relay mode is more commonly called a wireless bridge or wireless distribution
system (WDS). When functioning in this mode, an AP connects two or more network
segments, which can be different segments of a LAN or unconnected wireless
networks.
In infrastructure mode, APs simply bridge traffic to wireless stations; the wired
network provides the distribution system for transmitting traffic from wireless stations
to its ultimate destination. With in-cell relay mode, the wireless medium becomes a
distribution system as well, operating as if it were a wired infrastructure.
You will learn about the MSM APs wireless bridge feature, which is called wireless
mesh, later in this course.
Rev. 14.21
329
BSS and BSSID
BSS and BSSID
Figure 3-20: BSS and BSSID
Any one or more stations and their AP compose a basic service set (BSS). Each BSS
has a unique, 48-bit identifier called the BSSID, which is usually the MAC address of
the APs
wireless
interface (its radio).
22
Rev.
12.31
Every frame transmitted to and from the stations in a BSS contains the BSSID in the
frame header, identifying the frame as belonging to a particular APs coverage area.
The BSSID distinguishes the BSS from others and increases efficiency by allowing the
AP and stations to ignore frames not belonging to their BSS.
When a new station joins a cell, it appends the APs BSSID to all frames as the
receiver address in the 802.11 header.
HP MSM APs logically separate their services. Each radio supports a different BSSID
for each VSC bound to it. For example, when the radios MAC address is
2c:41:38:db:01:00, the BSSID associated with a particular VSC might be
2c:41:38:db:01:01.
330
Rev. 14.21
ESS and ESSID

ESS and ESSID
23
Rev. 12.31
Figure 3-21: ESS and ESSID
Several BSSs, each with its own BSSID specifying the AP, may belong to the same
Extended Service Set (ESS). That is, even though the networks may be spatially
separate, they behave as if they are part of the same network.
This figure illustrates several BSSs composing one ESS. For ease of illustration, the
BSSs are spatially separated, but they need not be. In actual wireless networks, some
overlap is desirable to enable roaming.
Each ESS has a unique, 48-bit identifier called the ESSID, which functions as the
networks name. Although ESSID is more precise, the industry commonly uses the
general term SSID to signify the network name. Because it is the more common term,
this course uses SSID as the identifier for the ESS.
Like the BSSID, the SSID is included in the 802.11 header of every frame transmitted
on a wireless network.
An ESS can also be called a WLAN, which defines various settings for the ESS such
as the SSID and security options. On HP MSM products, you define the WLAN
settings in a VSC, for the most part in the Virtual AP settings. However, you define
the security settings within other sections of the VSC.
Rev. 14.21
331
Figure 3-22: Open versus closed systems

Rev. 12.31
You can 24
configure
a WLAN to operate as an open or closed system.
In an open system WLAN, APs advertise their SSID at regular intervals.

Many APs operate in open system by default. IT managers can configure APs to
operate in closed system mode, disabling the automatic advertisement of the SSID.
In this case, users must already know the SSID to join the WLAN. If an AP supports
only closed system WLANs, stations within range may detect its radio signal, but
their client utilities may not display the supported WLANs. To join a network, users
must manually configure their wireless configuration utility with the correct SSID.
As a security measure, a closed system will deter only the most casual unauthorized
users and should not be considered a reliable protection against attacks. Utilities are
increasingly able to detect and display closed systems, or users can use wireless
sniffers to detect the SSID, which, even in closed systems, is included in plaintext in
the header of every data frame.
332
Rev. 14.21
topics topics
802.11 standard
Passive and active scanning on 802.11 networks
Overview of 802.11 authentication and association
802.11 authentication
802.11 association
Review activity
Radio properties
Antennas
Roaming
25
Rev. 12.31
You will now learn about the 802.11 guidelines that determine how a station
associates with an AP.
Rev. 14.21
333
Passive and active scanning on 802.11 networks

Passive and
active scanning on 802.11 networks
26
Rev. 12.31
Figure 3-24: Passive and active scanning on 802.11 networks
Before a station can authenticate and associate with an AP, it must know the AP is
within range and what WLAN or WLANs the AP supports. To discover this
information, a station uses one of the following processes:
Passive scanning
In passive scanning, stations listen for beacon frames from APs within range. APs
broadcast beacons at regular intervals. These management frames contain
information to help the station begin the 802.11 authentication and association
process. For example, beacons include information such as the following:
SSID
Radio settings, including supported rates
Capabilities, such as type of network (ad hoc or infrastructure) and

encryption requirements (if any)
Timestamps, which allows the station to synch its clock with the APs
Because stations are not transmitting frames for passive scanning, it saves
battery power.
A station can also listen for beacon frames on all supported channels. This type of
passive scanning is called sweeping.
Active scanning
In active scanning (also called probing), stations send probe request frames on
each channel. Stations can send probe request frames to locate a particular
SSID or ask for all supported SSIDs within range.
APs within range operating on that channel send a probe response frame
containing information about their capabilities, data rates, and so on.
334
Rev. 14.21
Preparing to authenticate and associate

As stations detect APs within range, they compile a report, listing all the SSIDs and
APs discovered and their related settings.
If multiple APs that support that desired SSID are within range, the station chooses
which one to associate with based on signal strength. At the same time, the station
builds a table to keep track of SSIDs and other connection data. If the station
changes location, it can more quickly reconnect to another AP that supports the
correct SSID using the data compiled in the table.
Rev. 14.21
335
of 802.11 authentication
and
Overview ofOverview
802.1
1
authentication
and
association
association
27
Rev. 12.31
Figure 3-25: Overview of 802.11 authentication and association
When a station detects that APs are within range and wireless network access is
available, the station begins the process of joining the network.
The station must complete two processes outlined in the 802.11 standard:
802.11 association
When the 802.11 standard was accepted in 1997, it outlined two different types of
authentication:
Open-system authentication
Shared-key authentication
In reality, 802.11 open-system authentication is more a pre-association handshake

than actual authentication: open-system authentication does not establish identity
and legitimacy as the term authentication typically implies.
Shared-key authentication, which was developed to provide actual authentication for
wireless networks, is easily compromised and is no longer a recommended option
for securing a wireless network.
802.11 association
If the 802.11 authentication is successful, the station associates with the AP.
336
Rev. 14.21
Supplemental authentication
Because the two 802.11 authentication options cannot adequately secure wireless
networks, additional, or supplemental, authentication methods are required to:
Ensure that only authorized users are allowed to access the network
Protect wireless communications from eavesdropping and tampering
There are a number of options for enforcing supplemental authenticationsome

more secure than others.
You will now learn more about 802.11 authentication, 802.11 association, and
supplemental authentication.
Rev. 14.21
337
28
Rev. 12.31
Figure 3-26: 802.11 authentication
Open-system authentication
As the name implies, open-system authentication allows any station to be validated
by the AP. The station is not required to submit any login credentials or secrets to
complete this process successfully.
The station always initiates the open-system authentication process, which consists of
two frames. The station sends the AP an authentication request frame, which
contains its MAC address and a value indicating the open-system authentication
method.
The AP responds with an authentication response frame that contains the result of
the request. Typically, the result is successful authentication, and the station can
move to the next step: association.
At this point in the connection process, the station is authenticated but not yet
associated. It cannot yet send data to the wired network.
Shared-key authentication
Shared-key authentication is the original 802.11 authentication, which is also known
as Wired Equivalent Privacy, or WEP. With shared-key authentication, each device
must have the same key, which enables the device to encrypt and decrypt data
contained in frames. To join the network, a station must prove to the AP that it has
the correct key and should therefore be granted network access.
When shared-key authentication is configured, the station and the AP exchange the
following frames:
1.
338
The station issues an authentication request frame, which contains the stations
MAC address and a value indicating shared-key authentication.
Rev. 14.21
2.
The AP issues a response frame, which contains challenge texta 128-byte,

randomly generated data stream.
3.
Using the key it should already possess, the station encrypts the challenge text
from the AP and sends it to the AP.
4.
Using the same key, the AP decrypts the challenge text received from the station.
If the decrypted challenge text matches that sent in the second frame, the
authentication is successful. The AP then sends the final frame in the exchange,
indicating authentication success or failure.
If successful, the station is now authenticated but not yet associated and cannot yet
send data to the wired network. The station can proceed to the 802.11 association
process.
Although the IEEE designed shared-key authentication to provide tight security, it
failed to live up to this promise. WEPs shared-key encryption method was easy to
crack from the beginning, and with widely available freeware circulating on the
Internet, it is even easier to crack today. As a result, IEEE and the Wi-Fi Alliance have
formally disapproved this encryption option, although it remains available as part of
the 802.11 standard to ensure backward compatibility.
In contemporary networks, open-system authentication is the preferred option. You
can then allow stations to associate without imposing any additional authentication
methods, or you can implement some form of supplemental authentication that will
actually secure the wireless communications.
Rev. 14.21
339
802.11 association
802.11 association
Figure 3-27: 802.11 association
If the 802.11 authentication is successful, the station sends an association request

frame to the AP, which can accept or reject the request. If the AP accepts the
association, the AP assigns an association ID (AID) to the station and allocates RAM
and other resources to the connection. The AP registers the station on the network so
that frames destined for the station are sent to the correct AP for processing.
29
Rev. 12.31
If no supplemental authentication is in place, the station is now authenticated and

associated and is a part of the wireless network. The station is allowed to transmit
data frames, and the AP begins to process frames for it.
The association remains active until it is terminated by either the station or the AP.
Stations cannot associate with more than one AP at a time. They can, however, roam
and re-associate to a new AP in the same WLAN.
You will learn more about supplemental authentication options in Module 4.
340
Rev. 14.21
Review activity
Review activity
Answer questions.
Study concepts you

dont understand.
30
Rev. 12.31
Figure 3-28: Review activity
Answer the following questions. If you cannot easily answer a question, review the
material in this section to ensure that you thoroughly understand the related concept.
1.
If a user is trying to conserve battery power on his laptop, which scanning

method should he use?
_______________________________________________________________________
2.
Explain how a station uses active scanning to locate an AP.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
3.
Why did the IEEE formally disapprove WEP?
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
341
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
4.
If you want to require users to authenticate to your companys Active Directory,

what type of 802.11 authentication must you use?
_______________________________________________________________________
342
Rev. 14.21
topics topics
802.11 standard

Radio properties
Coverage and capacity

Factors that affect coverage and capacity
Measuring wireless power
EIRP
Free space path loss
Real-world path loss and obstacles
Basic and supported rates
Activity: planning coverage and capacity
Antennas
Roaming
31
Rev. 12.31
The next section focuses on specific radio properties that you should understand
when implementing a wireless network.
Rev. 14.21
343
and capacity
Coverage Coverage
and capacity
Coverageproviding wireless signal where it is required
Capacityensuring the wireless cell can support the
required throughput
32
Rev. 12.31
Figure 3-30: Coverage and capacity
When implementing a wireless network, you must consider both coverage and
capacity:
CoverageCoverage refers to providing the wireless signal where it is needed.

Likewise, you must identify areas where the company does not want the wireless
signal and try to avoid allowing the signal to leak into those areas.
CapacityCapacity refers to the cells ability to carry a data loadits
throughput. In other words, how much data can the cell reliably support at its
devices configured powers and speeds?
As long as device configurations do not change, cell capacity does not
changeoverall throughput remains the same in the more densely occupied cell
as in the less crowded one. However, the per-user throughput decreases as more
stations join the cell. As the capacity ceiling is approached, users will begin to
notice decreased speed and reliability.
User density is perhaps the most obvious and easily controlled element that
affects capacity. If more users occupy a cell, more bit streams are in the air or in
buffers competing for limited resources.
You will now consider the factors that affect both coverage and capacity.
344
Rev. 14.21

Transmit power
Frequency
Receiver sensitivity
Number of stations
Antenna gain and pattern
Operating mode
Obstacles and interference
How close must the AP

and stations be for the two
to hear each other?
Transmit power
33
Rev. 12.31
Antenna
Antenna
Transmit power
Figure 3-31: Factors that affect coverage and capacity
In this course, wireless cells are shown as a simple circle, with the radio signal
radiating out equally in all directions from the transmitter. In reality, coverage is not
at all uniform. RF signals attenuate, or weaken, while traveling through the air and
change more drastically as they travel through or bounce off objects. You must
consider many factors when calculating coverage and capacity.
Transmit power and receiver sensitivity

The transmit powerthat is, the strength of the signal output by the transmitting
radioand the receiver sensitivitythat is, the ability of the receiver to detect
the signalare the cornerstone determinants for coverage and range. Naturally,
louder signals (those with higher transmit power) are easier to hear, so the
greater the power of the transmitting radio, the larger the cell size. The radio
wave can travel further before degrading to the point that the receiver cannot
detect it.
Similarly, more sophisticated receivers can hear signals at greater distances.
This hearing is called receiver sensitivity, which measures how strong a signal
must be for the receiving device to interpret it. The lower the value for the
receiver sensitivity (the weaker the signal can be), the larger the cell size.
Antenna gain and pattern

Antennason both the transmitter and the receiverboost the signal strength,
allowing a larger area of coverage. The antenna pattern is also a critical
element of the system design.
Obstacles and interference

Obstacles reflect and absorb radio waves and can create a dead space in the
expected coverage area.
Rev. 14.21
345
Consider general interference as well as particular obstacles. Even powerful

signals can become unusable with substantial interference, such as from other
APs or wireless devices. Attempting to increase coverage by raising the transmit
power on all of your APs can actually have the opposite effect because the APs
begin to interfere with each other. Always plan coverage and channels carefully.
Note
You should keep these factors in mind when planning for optimum coverage. It is
important to note that optimum coverage is not always the same as maximum.
For example, extending a radios reach outside of a building can be a security
hazard.
Radio frequency and government regulations

The frequency of the system also impacts the coverage. Higher frequency waves
generally do not travel as far (under equal conditions) as lower frequency
waves. In addition, governments may regulate the total power output by a radio
(when taking into account any antennas). The legal maximum might depend on
your APs:
Frequency (channel)
Placement (indoors or outdoors)
Usepoint-to-multipoint (typical WLAN) or point-to-point (wireless bridge or

WDS connection)
Average number of stations in the cell

In addition to calculating the throughput expected for the cell, you should
estimate the throughput an individual station can expect. You have estimated the
number of users expected in each coverage area at peak usage times. The
anticipated total throughput must be shared among all these users.
If expected per-user throughput seems too low, you can increase capacity by
creating smaller cells and overlapping cells. Dividing stations between
overlapping cells increases the throughput for individual stations.
Operating mode
The operating mode can affects capacity because 802.11n provides higher data
rates than 802.11g or 802.11a, which both provide higher data rates than
802.11b. In addition, 802.11n can sometimes improve coverage through features
such as beam forming.
Together these factors affect the areas where a wireless station can communicate
successfully with the APin effect, the coverage. In addition, they affect the SNR for
stations connections to the AP, which in turn determines the data rates that are
available over a particular area. Thus you must consider these factors when planning
adequate capacity for an area.
346
Rev. 14.21
MeasuringMeasuring
wireless wireless
power power
Measured in decibels (dBm), which
are related to milliwatts (mW)
logarithmically
Rule of 3s: adding 3 dB doubles the
power
Rule of 10s: adding 10 dB increases

the power by 10
34
Rev. 12.31
Figure 3-32: Measuring wireless power
Understanding how power is measured in a wireless environment helps you plan the
correct transmit power based on distances between devices and receiver sensitivity.
The standard measurement in wireless communication power is dBm, which stands
for decibels above one milliwatta ratio measuring the power of a wireless signal
relative to watts, a more familiar power measurement.
In other words, 1 mW is the baseline measurement of power in a wireless network
environment and equals 0 dBm. Positive dBm values are greater than 1 mW, and
negative dBm values are less than 1 mW.
Keep in mind that dBm are relative units. As a result, negative dBm values do not
indicate negative power or signal loss; instead, a negative dBm value simply means
decibels below one mW. (For example, radio receiver sensitivity, which is the lowest
power required for the receiver to distinguish the signal, is often expressed as a
negative dBm value.)
Watts and dBm have a logarithmic relationship, as illustrated in the diagram above.
(The precise equation is 1 dBm = 10logmW.)
An increment of 10 dB equates to a tenfold increase in power. Because the baseline
power is 1 mW, 10 dBm is 10 mW (10 times the power of 1 mW), 30 dBm is 1 W
(1000 times the power of 1 mW), and so forth. Remember these rules:
3 dB doubles the power.

Look at the 1 Watt line, which is equivalent to 30 dBm. Doubling the power
(from 1 Watt to 2 Watts) is equivalent to a 3 dB increase in power to 33 dBm.
Decreasing the power from 33 dBm back to 30 dBm halves the power. So, for
every 3 dBm difference relative to one measurement, there is a doubling or
halving of the power. This is the rule of 3s.
Rev. 14.21
347
10 dB increases the power 10 times.

The next observation you may make is that if you increase the power (in Watts)
by a power of 10 (such as from 1 Watt to 10 Watts) the dBm value increases by
10 (in this example, from 30 dBm to 40 dBm.) This is the rule of 10s.
You might consider memorizing one point in the relationship, such as 1 Watt = 30
dBm, and then using the rule of 10s or the rule of 3s to make rough conversions
without a calculator.
348
Rev. 14.21
EIRP
EIRP
w
Total signal strength output by a radio system
Radio system
EIRP = Transmit power Transmitter cable loss + Transmitter antenna gain

Figure 3-33: EIRP
To begin planning the size of your wireless cells, you use Effective Isotropic Radiated
35
Rev.
12.31
Power (EIRP),
which
is the total signal strength generated by a radio system. The EIRP
derives from the transmitting radios power plus any gain from an antenna. The EIRP
also takes into account any power lost over cables and connectors installed between
the antenna and radio. In other words:
EIRP = Transmit power Transmitter cable loss + Transmitter antenna gain
EIRP is measured in units of decibels over isotropic (dBi), which compares the power
at the point of maximum strength to the power of an isotropic radiator. An isotropic
radiator is a theoretical device emitting energy in all directions equallya spherical
radiation pattern. No antenna is actually an isotropic radiator; for EIRP
measurements, dBi simply provides a basis for consistent comparison between
different radios and antennas.
For example, an AP radio is transmitting at 15 dBm and is connected to a 6.5 dBi
gain antenna. The cable and connector cause a 1 db and .25 dB loss, respectively.
The EIRP is:
15 dBm (1 dB + .25 dB) + 6.5 dBi = 19.75 dBi
You can adjust the EIRP by reducing the transmit power or by adding an external
antenna. Because range depends on many factors, you cannot relate EIRP directly to
an exact range. You can know, however, that adjusting the value changes the relative
cell size. Before examining the effects more precisely, consider the other factors: path
loss and obstacles.
Rev. 14.21
349
space
Free spaceFree
path
losspath loss
Path loss measures the signal attenuation between the
transmitter and the receiver:
Frequency
Distance
between the two devices
Medium
through which the signal travels
Free-space path loss:

Lp = 32.4 + 20 log F + 20 log D
Lp
36
= Path loss in dBm, F = Frequency in GHz, D = Distance in m,
Lp
= 40.0 + 20 log D
2.4GHz
Lp
= 46.4 + 20 log D
5 GHz
Rev. 12.31
Figure 3-34: Free space path loss
After you calculate EIRP, you must figure out how much the signal degrades between
transmitter and receiver; path loss measures that attenuation.
Path loss is based on three general factors:
Frequency
Distance between the transmitter and receiver
Medium through which the signal travels
For example, if the signal must cross a brick wall, it will degrade more than in that
area than it will in an area with no obstacles (free space).
Path loss is calculated based on the following factors:
Distance
Frequency
Free space between the two endpoints
Free space is literal. This equation does not take any obstructions into account,
even the air. The calculated signal loss originates entirely from the spreading of the
signal through space and is related to the distance between the transmitter and
receiver in terms of wavelength.
The equation uses these variables:
350
Lp = free-space path loss
F = frequency in GHz
D = distance, or path length, in meters
Rev. 14.21
Make sure to use the correct units; otherwise, the constant 32.4, which takes these
units (as well as constants related to calculating the surface area of a sphere) into
account, is incorrect.
Wireless networks use one of two frequencies, so you can use these simplified
equations:
For 2.4 GHz, Lp = 40.0 + 20 log10 D
For 5 GHz, Lp = 46.4 + 20 log10 D
For example, calculate free space path lost over 2500 meters
Lp = 40 + (20 * log 2500)
Lp = 40 + (20 * 3.4)
Lp = 40 + 68
Lp = 108 dB
Rev. 14.21
351
and obstacles
Real-worldReal-world
path losspath
andloss
obstacles
In free space, signal strength falls off as a square of
distance.
Scattering
Distance
exponent: 2
component of path loss equation: 20 log D
In a real-world environment, signal strength falls off more

quickly.
The
more cluttered the environment, the higher the scattering exponent.
Scattering
exponent * 10 log D = Distance component of the equation
For significant obstacles, add dB to the equation.

Figure 3-35: Real-world path loss and obstacles
The free space equation may give you an accurate picture for path loss if your
company37setsRev.up
operations in the middle of a desert. But the clutter of the real world
12.31
complicates the model.
The free space equation assumes that power falls off as a square of the distance.
Because dBs are logarithmically related to power, this assumption emerges as the 20
coefficient in the equation: 10 * log D2 = 20 * log D.
Obstacles distributed throughout a coverage area tend to increase scattering
exponentially. Because all real-world environments include obstacles, if only the air, a
more realistic path loss equation would use a different exponent than 2 and a
different coefficient than 20.
Scattering Exponent
The following are scattering exponents for some typical environments. Although these
values are only approximations, you can use them to plan more realistic coverage
areas:
Open outdoors spaces2 for short distances; add .5 for each 200 m to take
into account the effects of the air
Outdoors with trees or buildings (urban areas, parks, and so forth)3 or 4
Indoors with open spaces (warehouses and so forth)2.5
Indoors with cubicles or other partitions3.5
Indoors with walls (fully divided offices, hospitals, houses, and so forth)
4 or 5
Thus, if your company has a building with fully divided offices, you might use this
equation to calculate path loss:
(32.4 + 20 log F) + (40 log D)
352
Rev. 14.21
Far from insignificant, the increase in the scattering exponent from 2 to 4 could
decrease range tenfold and coverage area one hundredfold.
Major obstructions in the signal path

Altering the scattering exponent attempts to account for landscapes as a whole. You
should also add an absolute loss for each major obstruction in the signal path. For
example, add between 3 and 8 dB to the total path loss for floor-to-ceiling partitions
through which the signal must pass.
Antenna type
You should also consider your type of antenna when determining a realistic path loss
equation. Directional antennas, particularly high-gain directional antennas, usually
experience less scattering than omnidirectional antennas. However, an obstruction
directly in the signal path, particularly an obstruction near the antenna, can have a
great effect on the directionally focused signal.
Finally, remember the world is not tidy, and no model or equation is perfect.
Equations such as these can help you to estimate path loss, but nothing can replace
rigorous testing of the signal throughout the desired coverage area.
Rev. 14.21
353
Basic and Basic

supported
rates rates
and supported
Basic rates
Management
Multicast
frames
frames
Broadcast
frames
Supported rates
Unicast
frames
Figure 3-36: Basic and supported rates
The data rate used by stations in the wireless cell determines the theoretical maximum
for capacity. That is, if a station and an AP are communicating at 24 Mbps, the
throughput can be no more than 24 Mbps.
Each 802.11 standard supports multiple data rates. The particular data rate at which
a station 38transmits
is affected by the APs data rate sets:
Rev. 12.31
The basic data rate set includes the rates that a station must support to associate
to the AP. On the MSM APs, you specify the basic rate as the multicast rate in
the radio settings.
The supported data rate set includes any rate that the station can use to send
data after it associates. You specify these rates in the VSCs settings.
A station transmits at the highest data rate that it can support in the APs
supported rate set. (The better the signal, the higher the data rates that the
station can support.) The supported data rate set typically includes more data
rates than the basic set, allowing stations that support faster rates to use them.
Note
If the supported data rate set includes rates that are lower than the basic rates,
stations can use those rates only after they associate. In this way, a station could
move further away from the AP and stay connected.
The table compares data rates to actual throughput. These numbers are provided as
estimates only. Remember also that all stations in the cell must share the throughput.
Therefore, you must adjust your expectations for per-station throughput based on the
number of stations that connect to the AP and the amount of data that they transmit.
Table 3-1: Data rates versus actual throughput per-cell

802.11 mode
802.11b
354
Data rate
(Mbps)
Approximate
throughput per
cell (Mbps)
1
2
5.5
11
.33 to .5
.66 to 1
1.8 to 2.2
3.6 to 5.5
Rev. 14.21
802.11 mode
802.11g
802.11a
Data rate
(Mbps)
Approximate
throughput per
cell (Mbps)
6
9
12
18
24
36
48
54
6
1.5 to 3
2.2 to 4.5
3 to 6
4.5 to 9
6 to 12
9 to 18
12 to 24
14 to 27
2 to 3
9
12
18
24
36
48
54
3 to 4.5
4 to 6
6 to 9
8 to 12
12 to 18
16 to 24
18 to 27
802.11n
One spatial stream
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Rev. 14.21
MCS 0
6.5
7.2
13.5
15
MCS 1
13
14.4
27
30
MCS 2
19.5
21.7
40.5
45
MCS 3
26
28.9
54
60
MCS 4
39
43.3
81
90
MCS 5
52
57.8
108
120
MCS 6
58.5
65
1.6 to 3.2
1.9 to 3.6
3.3 to 6.7
3.8 to 7.5
3.2 to 6.4
3.6 to 7.2
6.5 to 13
7.5 to 15
4.9 to 9.7
5.4 to 11
10 to 20
11 to 22
6.5 to 13
7.2 to 14
14 to 27
15 to 30
10 to 19
11 to 22
20 to 40
22 to 45
13 to 26
15 to 29
22 to 44
30 to 60
15 to 29
16 to 32
355
802.11 mode
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Data rate
(Mbps)
121.5
135
MCS 7
65
72.5
135
150
Approximate
throughput per
cell (Mbps)
30 to 60
34 to 67
16 to 32
18 to 36
34 to 67
38 to 75
Two spatial streams

Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
356
MCS 8
13
14.4
27
30
MCS 9
26
28.9
54
60
MCS 10
39
43.3
81
90
MCS 11
52
57.8
108
120
MCS 12
78
86.7
162
180
MCS 13
104
115.6
216
240
MCS 14
117
130
243
270
MCS 15
130
144.4
270
300
3.2 to 6.4
3.6 to 7.2
6.5 to 13
7.5 to 15
6.5 to 13
7.2 to 14
14 to 27
15 to 30
10 to 19
11 to 22
20 to 40
22 to 45
13 to 26
15 to 29
22 to 44
30 to 60
20 to 39
22 to 43
40 to 81
45 to 90
26 to 52
29 to 58
55 to 110
60 to 120
29 to 58
32 to 65
60 to 120
68 to 130
32 to 65
36 to 72
68 to 130
75 to 150
Rev. 14.21
802.11 mode
Data rate
(Mbps)
Approximate
throughput per
cell (Mbps)
Three spatial streams

Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Long GI, 20 MHz:
Short GI, 20 MHz:
Long GI, 40 MHz:
Short GI, 40 MHz:
Rev. 14.21
MCS 16
19.5
21.6
40.5
45
MCS 17
39
43.4
81
90
MCS 18
58.5
65
121.5
135
MCS 19
78
86.7
162
180
MCS 20
117
130.7
243
270
MCS 21
156
173.3
324
360
MCS 22
175.5
195
364.5
405
MCS 23
195
216.7
405
450
4.9 to 9.7
5.4 to 11
10 to 20
11 to 22
10 to 19
11 to 22
20 to 40
22 to 45
15 to 29
16 to 32
30 to 60
34 to 67
20 to 39
22 to 43
40 to 81
45 to 90
29 to 58
32 to 65
60 to 120
68 to 130
39 to 78
43 to 87
81 to 160
90 to 180
44 to 88
49 to 98
91 to 180
100 to 200
49 to 98
54 to 110
100 to 200
110 to 220
357
Activity: planning
coverage
and capacity
Activity: Planning
coverage
and capacity
When do you plan small or large
cells?
Why should the cells overlap?
Figure 3-37: Activity: planning coverage and capacity

39
Rev. 12.31
Now that you know how to create larger and smaller cells, you must consider why.
That is, you must begin to understand how changing the size of a cell helps you meet
a companys requirements for the network.
For this activity, your facilitator will assign you to a group and ask you to consider
the following scenarios:
1. A university is planning a wireless network in its library. Students will be using
the following applications: databases, proprietary library application, videostreaming applications, and the Internet. Hundreds of users go to the library to
study, and for the most part, they use their own devices. To summarize, the
library users typically have high-bandwidth requirements, and the library is a
high-user density environment.
Although you will not try to determine the exact size cells should be, consider
which of the following cell designs would probably be better suited for the
universitys library. Why is it better?
358
Rev. 14.21
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
2. A large bookstore wants to provide Internet access for its customers. Essentially,
the bookstore management team wants customers to be able to access its Web
site and get more information about books or actually purchase books (both
print and electronic books). Currently, no more than 15 customers sit in the
bookstore caf area at a given time. An additional 10 to 15 customers sit in
chairs provided throughout the bookstore. However, the bookstore management
team believes that when the bookstore offers Internet access, these numbers will
increase. To summarize, bookstore customers will have low bandwidth
requirements. The bookstore will have a low-user density. Even projecting for
future growth, the bookstore management team wants to implement a wireless
network that will support 50 to 60 customers.
Again, you will not determine the exact size cells should be. Given the
bookstores requirements, which of the following cell designs would probably be
better suited for the bookstore? Why?
Rev. 14.21
359
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
3. Why do you think wireless cells should overlap?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Conclusion
Plan large or small cells based on your companys needs. Generally, large cells
provide more extensive coverage while small cells provide greater speed within the
limited coverage area. In todays and tomorrows computing environment, where
user density, application complexity, and intolerance for latency can only grow, IT
administrators must carefully weigh range and speed.
Wireless cells must overlap to prevent dead zonesareas where no wireless signal
is available. Overlap also enables stations to roam between cells. For applications
that require low latency (such as VoIP), overlap is particularly important so that
stations can roam smoothly without interrupting service.
360
Rev. 14.21
topics topics
802.11 standard

Radio properties
Antennas
Antennas
Three-dimensional coverage
Omnidirectional antenna
Directional antenna
Diversity antenna
Yagi antenna
Roaming
40
Rev. 12.31
This section explains how different types of antennas shape the radio signal.
Rev. 14.21
361
Antennas Antennas
Focus, or direct, the signal
Add gain along the directed propagation path
OmnidirectionalHorizontal plane
41
Rev. 12.31
DirectionalHorizontal plane
Figure 3-39: Antennas
An antenna is a device that focuses radio waves in particular patterns when

transmitting or when receiving. (For efficiency, this section uses the language of
signal transmission, but the same concepts apply to signal reception.)
An antenna does not actually add power to a radio system. Rather it adds gain: by
focusing the signal, the antenna boosts signal strength along the directed
propagation path (at the cost of weakening the signal in other areas).
An antennas gain, measured in dBi, compares the strength of the focused signal to
the strength of the signal produced by an isotropic antenna if connected to an equal
power transmitter. An isotropic antenna (a theoretical construct that does not actually
exist) is an antenna that does not focus the signal at all.
For example, an isotropic antenna connected to a 100 mW radio would propagate
a 10 dBm signal in all directions. The signal from a 4 dBi-gain antenna would begin
at 14 dBm. However, that signal would propagate in a certain direction; in areas
outside the antennas propagation path, the signal would be weaker or non-existent.
Thus antennas provide very different coverage depending on:
The pattern in which the antenna directs the signal
The gain the antenna provides in the area of highest focus
A wide variety of antennas answer most environmental challenges you will confront
as you build and maintain your wireless network. Antennas carefully deployed to
take full advantage of gain and radiation patterns can increase connection reliability
and extend coverage into specific desired areas, overcoming physical obstacles and
interference.
362
Rev. 14.21
The two basic types of antennas are omnidirectional and directional. (Either type can
also be a diversity antenna, which is another type of antenna about which you will
learn later.)
Rev. 14.21
363
Three-dimensional coverage
Three-dimensional
coverage
Magnetic (H-plane)
Horizontal
Electric (E-plane)
Vertical
Three-dimensional pattern
42
Rev. 12.31
Figure 3-40: Three-dimensional coverage
Antenna radiation plots (including those on the previous page) often show only the
horizontal planeas if you were looking down on the antenna and its pattern from
directly above it. In reality, radio signals propagate in three dimensions, so coverage
can be plotted on a vertical plane as well.
A radio wave is electromagnetic radiation. Stated precisely, the E-plane is the plane
in which the electrical component radiates, and the H-plane, the one in which the
magnetic component radiates. The two radiate at ninety-degree angles to each other,
so when the antenna is polarized vertically, the E-plane is oriented vertically and the
H-plane horizontally. This course will assume that you have positioned the antenna in
this way and refer to the E-plane as vertical coverage and the H-plane as horizontal
coverage. You should always be sure to orient your antenna correctly.
The three-dimensional nature of radio signals is important to remember when placing
APs; the signal from an omnidirectional antenna, for example, could interfere with
coverage on another floor of the building.
364
Rev. 14.21
Omnidirectional
Omnidirectional
antennaantenna
Radiates equally in each horizontal direction
Provides limited vertical coverage that decreases as gain
increases
Horizontal
43
Rev. 12.31
Vertical
Figure 3-41: Omnidirectional antenna
Omnidirectional antennas like the one shown here are designed to provide
indiscriminate coverage in all directions horizontally. They also have a limited vertical
radiation pattern and could provide coverage to stations almost directly above and
below the antenna.
The vertical coverage decreases, however, as the gain increases because the signal
is focused more strongly horizontally. (Picture a balloon that is being compressed into
a disk. The larger the disk, the flatter it becomes.) Due to the low angle for vertical
coverage, high-gain omnidirectional antennas risk overshooting nearby stations
mounted beneath the AP.
Rev. 14.21
365
DirectionalDirectional
antenna antenna
Directs the signal in a beam
High-gain
antennas10 to 30 beamwidth (angle between the points

at which the signal falls to half strength)
Patch
antennas30 to 60 beamwidth
Wide-angle
antennas60 to 120 beamwidth
120 beamwidth on H-plane

44
Rev. 12.31
34 beamwidth on E-plane
Figure 3-42: Directional antenna
As their name implies, directional antennas focus the signal in a single direction;
different varieties have widely varying beamwidth. In the slides on omnidirectional
antennas, you already encountered varying beamwidths for the E-plane. You must
now learn how to talk about beamwidths more precisely. An antennas beamwidth is
measured by the angle between the points at which the power falls to half the
maximum strength. (This angle is sometimes called the 3 dB beamwidth because a
loss in 3 dB correlates to half power.)
Some directional antennas have very narrow beams, and some have beams up to
120 degrees wide. The broader the beam, the smaller the antennas gain will be.
Because directional antennas can be aimed, they are useful for providing coverage
in specific areas and for establishing point-to-point (wireless bridge) connections over
relatively long distances.
Directional antennas fall into several classes:
366
High-gain antennas, designed to direct a very narrowly focused beam (10 to 30degree beamwidth) over a long range
Patch antennas, with a beamwidth between 30 and 60 degrees, suited for filling
in coverage areas
Wide-angle antennas, often combined to provide well-controlled coverage over
wide areas (beamwidth between 60 and 120 degrees)
Rev. 14.21
Diversity antenna
Diversity antenna
Includes two closely spaced antennas
Uses antenna that provides the best signal for each station
Ideal for cluttered areas
Antenna A
Transceiver A
Antenna B
Transceiver B
Voting processor
45
Rev. 12.31
Figure 3-43: Diversity antenna
Designed to minimize multipath interference, diversity antennas are composed of two

conductive elements positioned with a small gap between them and are easily
identified by the dual pigtailsone for each element.
Diversity antennas may be either directional or omnidirectional and are used for
similar purposes as those antennas. For example, use an omnidirectional diversity
antenna to provide coverage over 360 degrees. However, the two elements in these
antennas add the benefit of evening out coverage.
Both conductive elements are always on, and the AP to which they are attached
chooses which antenna is currently providing the best signal. Due to phase shift and
the very short wavelengths at 2.4 GHz and 5 GHz, even a difference of a few
inches between antennas can make a significant difference in signal strength.
Rev. 14.21
367
Yagi antenna
Yagi antenna
Array of antennas
Narrow beamwidth and high-gain
Often used for point-to-point connections
E-plane
H-plane
46
Rev. 12.31
Figure 3-44: Yagi antenna
The Yagi antenna (named for one of its developers, Hidetsugu Yagi) is a narrowbeam directional antenna with a relatively high gain. Such an antenna is sometimes
called a Yagi phased array because it is composed of three or more dipole antennas
as conductive elements arrayed on a common boom. Roof-mounted television
antennas are typical examples of a Yagi, but those designed for wireless networks
are much smaller and usually enclosed in a protective case. Because of its narrow
beam, a Yagi is ideal for long-distance point-to-point (or wireless bridge)
connections, though careful aiming is required.
368
Rev. 14.21
topics topics
802.11 standard

Radio properties
Antennas
Roaming
Defining roaming for your company

Factors that affect roaming
Layer 2 roaming
Layer 3 roaming
Fast roaming
Lab Activity 3
47
Rev. 12.31
This section outlines the factors that affect roaming.
Rev. 14.21
369
does roaming
mean
to company?
your company?
What doesWhat
roaming
mean to
your
Where do users need to roam?
Do users need continual access to applications while they

roam?
Can users or applications tolerate a brief interruption?
48
Rev. 12.31
Figure 3-46: What does roaming mean to your company?
What does roaming mean to your company? What behavior do users expect?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Ask your neighbor how his or her company defines roaming. What behavior do the
users expect?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
370
Rev. 14.21
Once users unhook their stations from the wired network, they expect to be able to
roammoving their station from place to place. If the wireless network does not
support this roaming or if users cannot access the applications they need while they
roam, users might get frustrated and begin calling your companys help desk.
To avoid these kinds of issues, you must determine what users need and expect. You
should also clearly define what users and management mean by roaming. What
is the expected or desired behavior?
Because seamless roaming can mean different things to each user, you need to
carefully define what it means to your company. Specifically, where do users want to
roam? From office to office or building to building?
Do users expect to maintain access to applications as they roam? Or, do they just
want continual network access without the hassle of logging in again when they
reach their destination?
What type of applications are they using? If they are using email, brief interruptions
in the signal wont be noticed. If they are using voice over WLAN, however, they
must have a continuous, uninterrupted signal.
After you understand what users mean by seamless roaming, you need to evaluate
the factors that affect roaming. For example, how do your companys stations and
wireless client handle roaming? How resilient are your applications to latency that
might result from roaming? Can roaming be limited to Layer 2, or RF, roaming? Or,
do users need to roam between subnets, which is called Layer 3, or network,
roaming? And finally, if you are using 802.1X (as you should for the highest levels of
security), how can you mitigate the delay 802.1X authentication incurs during the
roaming process?
Rev. 14.21
371
affect roaming
Factors thatFactors
affectthat
roaming
Stations determine when to roam.
Other factors that affect roaming:
Wireless
Layer
2 or 3 roaming
802.1X
49
client, OS, and applications
Rev. 12.31
authentication
Figure 3-47: Factors that affect roaming
The 802.11 standard assigns wireless stations the responsibility of determining when
they should roam to another AP. However, the standard does not mandate the factors
that a station should use to determine whether or not it should roam from one AP to
another. To provide more flexibility, the 802.11 standard allows each vendor to
determine the criteria for when its wireless NICs initiate roaming. These criteria are
programmed as algorithms on the wireless NIC.
Although specific implementations are left to the vendor, roaming decisions are
typically based on factors such as the APs signal strength and missed beacons. For
example, a station will usually roam to another AP under the following circumstances:
The user moves the station; the station either loses the APs signal (moves out of
range) or detects another AP that supports the same SSID but has a stronger
signal.
Interference decreases an APs signal, and the station detects an AP that
supports the same SSID and has a stronger signal.
An AP becomes unavailable, and the station detects another AP that supports
the same SSID.
Roaming to a new AP
After a station associates with an AP, it constantly monitors that APs signal-to-noise
ratio (SNR). The SNR is a comparison between the strength of a radios signal and
the background noise. (For example, if a radios signal strength is -58 dBm and the
background noise is -94 dBm, the SNR is 36 dB.)
The higher the SNR, the clearer the signal, and the easier it is for a station to receive
and use the signal. Conversely, the lower the SNR, the weaker the signal, and the
harder it is for the station to distinguish the signal. The ability to use the signal is also
372
Rev. 14.21
dependent upon the sensitivity of the stations radio. The point at which the station
can no longer detect and use the signal is that stations receiver sensitivity threshold.
However, a station should not wait to roam until the absolute minimum threshold is
reached. Instead, vendors typically define a NICs cell search threshold, which is
above the minimum threshold. When the SNR falls below the cell search threshold,
most stations begin to search for another AP. If another AP is within range, a station
begins to compare the SNR of both APs. The point at which the second AP has a
higher SNR is called the delta SNR. If a station detects the delta SNR and the second
AP meets the requirements for roaming, the station begins the reassociation process
to move to another AP.
Rev. 14.21
373
Layer 2 roaming
Layer 2 roaming
APs support the same:
SSID
and ESS
Security
Subnet
50
setting for the WLAN
and VLAN
Rev. 12.31
Figure 3-48: Layer 2 roaming
Layer 2, or RF, roaming is sometimes called simple roaming because most 802.11compliant APs natively support it. (The 802.11 standard provides general guidelines
for Layer 2 roaming.) The APs can hand off the roaming stations association at the
Data Link Layer; no additional solution is required to enable a station to move from
one AP to another.
If you want users to be able to roam between two APs, you must deploy those APs in
such a way that they support Layer 2 roaming between each other.
APs must be in the same ESS

Layer 2 roaming requires the station to move within an ESS, which establishes a
wireless broadcast domain. An ESS consists of one or more basic service sets (BSSs)
in which the APs support the same WLAN with the same SSID. The station simply
moves its association from one AP in the ESS to another AP in the ESS.
Consider what would happen if a station tried to roam to an AP that did not support
the WLAN with which the station is already associated. The second APs WLANs
would undoubtedly have different security requirements and might not even support
the same users. In this case, the second AP would rightly require a new association.
The station would have to associate with a new WLAN and comply with its security
requirements.
The APs must support the same VLAN and subnet

In addition to supporting the same WLAN, Layer 2 roaming requires the two APs to
support the same VLAN (which defines the broadcast domain in the wired network).
A roaming station needs to stay within the same VLAN so that it can maintain its IP
address and active sessions.
374
Rev. 14.21
For example, the station shown in the slide moves easily from one AP to another
because both APs support the Faculty SSID and both APs are on the same VLAN, or
subnet.
When you plan your wireless services and deploy APs and RPs, you should
determine the areas in which you want to support roaming. In these areas, you
should ensure that the APs and the RPs support the same SSIDs and the same
subnets. Stations can then roam easily between APs.
Supplemental authentication, such as 802.1X, will slow down the roaming process
because the station must re-authenticate to the new AP. The steps you can take to
mitigate the latency introduced by 802.1X are described later in this module.
Rev. 14.21
375
Layer 3 roaming
Layer 3 roaming
APs support the same SSID, ESS, and security setting, but
have different subnet and VLAN.
Station cannot use its current IP address after roaming

unless a solution, such as Mobility Traffic Manager, is used.
51
Rev. 12.31
Figure 3-49: Layer 3 roaming
Like Layer 2 roaming, Layer 3 roaming requires that the station roam between two
APs that support the same SSID (WLAN). However, Layer 3 roaming becomes
necessary if a station tries to move between two APs that support the same WLAN
but are on different VLANs (or subnets).
When a station successfully authenticates and associates with a WLAN on the first
AP, it typically receives a valid IP address through a Dynamic Host Configuration
Protocol (DHCP) server. (Alternatively, the station could be configured to use a static
IP address that is on the same subnet as the AP.) The AP also puts the station into the
VLAN assigned to that WLAN or into the dynamic VLAN assigned to the user.
If this station then tries to move to another AP on a different subnet, it cannot use the
IP address valid for its association with the first AP. In this case, the handoff between
the two APs must include the Network Layer as well as the Data Link Layer. Because
most APs do not have the capability to handle Layer 3 roaming, the reassociation
fails, and the user loses access to his or her applications. The user will then have to
reinitiate the wireless connection and restart the applications.
376
Rev. 14.21
Fast roaming
Fast roaming
802.1X with WPA2 is the most secure option, but slows the
roaming process
MSM Mobility and Premium Mobility Controllers support

opportunistic key caching:
APs
send encryption keys for clients that might need to roam to other
APs.
When
the client roams, the new AP checks the key instead for enforces
authentication.
Figure 3-50: Fast roaming
Although WPA with 802.1X strengthens security for wireless communications, it has
one drawback: it increases the time required to roam from one AP to another
because the station must reauthenticate with the new AP and agree on encryption
52
Rev.
12.31
keys. In fact,
802.1X
re-authentication is the most time-intensive part of the roaming
process.
To reduce this latency, an MSM Mobility or Premium Mobility Controller applies
opportunistic key caching. When a client sends a disassociation frame to its AP to
signal that is going to roam away from it, the AP sends the clients key (more
precisely, its pairwise master key [PMK], as you will learn in the next module) to
neighboring APs through the backed Ethernet network. The new AP receives the
clients association request. Rather than implement the full 802.1X authentication
process, the AP proceeds directly to a brief handshake in which it verifies that the
client is using the correct PMK. The client must also support opportunistic key caching
so that it keeps the key for the new association.
Opportunistic key caching provides the following benefits to clients that support it:
Eliminates delays associated with reauthentication

Provides hand-offs in less than 50 ms, as required for time-sensitive services such
as voice
Preserves a users RADIUS-assigned parameters such as security, QoS, and
VLAN, enabling a smooth transition of all services to which the user has access
Note that VSCs that do not implement 802.1X authentication neither supportnor
requireopportunistic key caching for achieving roams under 50 ms. For example,
in a VSC with no authentication and encryption, the client simply needs to associate
to the new AP. For a VSC that enforces WPA/WPA2-PSK, all APs and clients already
know the PMK.
Rev. 14.21
377
Lab ActivityLab
3 Activity 3
53
Rev. 12.31
Figure 3-51: Lab Activity 3
In this lab, you will configure the following radio settings on the MSM APs:
378
Non-overlapping channels manually and using automatic channel select (ACS)
802.11n-specific settings
Backward compatibility between 802.11n and 802.11b/g
Transmit power
Rev. 14.21
Lab Activity 3 debrief

Use the space below to record your Key Insights and Challenges from Lab Activity 3.
Table 3-2: Debrief for Lab Activity 3

Challenges
Key Insights
that you explored during Lab Activity 3.
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
379
Summary Summary
You should understand:
802.11
standards govern how wireless stations associate and

communicate with the AP
The
factors that affect coverage and capacity
Antennas
shape the wireless signal
Roaming
Figure 3-52: Summary
In this module you learned about the main 802.11 standards that determine how
wireless stations associate and communicate with APs. Specifically, you reviewed
802.11 modes802.11 a/b/g/nand learned more about the 802.11n
enhancements that increase speed and reliability. You also learned about 802.11h,
which enables APs and stations to comply with regulations governing the 5 GHz
frequency band. In addition, you reviewed the actual process stations use to
55
Rev. 12.31
complete the 802.11 authentication and association process.
You then examined how antennas shape the RF signal and delved into radio
properties, focusing on how those properties affect coverage and capacity.
Finally, you reviewed how stations determine to roam and examined the different
types of roaming:
380
Layer 2 roaming
Layer 3 roaming
Fast roaming
Rev. 14.21
Learning check
Answer the following questions:
1.
What factors affect how far away a client can be from an AP and still connect to
the WLAN?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
2.
What benefits does a 3x3 MIMO radios such as that on an MSM460 or

MSM466 AP provide?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
381
Supplemental information about 802.11 a/b/g/n
Supplemental information
about 802.11 a/b/g/n
Figure 3-53: Supplemental information about 802.11 a/b/g/n
This section provides additional information about 802.11 a/b/g/n.
382
Rev. 14.21
802.11b
802.11b, the first widely adopted 802.11

standard
RF range: 2.4 GHz
Transmission speeds: up to 11 Mbps
Rev. XX
Figure 3-54: 802.11b
Now that you understand the basic physical properties that are defined in the 802.11
standard, you can see how the specific subsets within the standard have evolved over
the years. The IEEE published the first wireless networking standard, 802.11, in 1997,
but the standard supported transmission rates of only 2 Mbps, making it too slow for
practical application. The 1999 revision, 802.11b, operates in the 2.4 GHz range
and advertises transmission speeds of up to 11 Mbps.
Because 802.11b equipment operates in the 2.4 GHz range, it does not require
special licensing. This is one reason vendors were able to produce and sell APs and
wireless network interface cards (NICs) based on this standard at affordable prices.
As a result, many companies built their first wireless networks using products that
supported 802.11b. Today, however, most companies have updated their wireless
networks to support standards that enable higher transmission speeds.
802.11b networks may incur interference from the following devices, which operate in
the same RF band:
Rev. 14.21
Microwave ovens
Some cordless phones
Some wireless phones
Bluetooth devices
383
802.11a
Adding speed with 802.11a

RF range: 5 GHz
Rev. XX
Figure 3-55: 802.11a
Knowing that companies needed better performance, the IEEE next ratified the
802.11a standard. In fact the IEEE had been working on 802.11a in tandem with
802.11b. However, 802.11b was approved firsthence the order in which they are
presented in this module.
802.11a increases the slow rates offered by 802.11b, supports from 6 to 54 Mbps.
802.11a radios operate in the 5 GHz band. Because this band is less crowded than
the 2.4 GHz band, 802.11a-compliant wireless products encounter less interference
from other electronic devices. However, some radar, HiperLAN devices, and wireless
phones use the 5 GHz band. The generally less crowded band comes at a costthe
5 GHz band is more tightly regulated.
Due to the nature of radio communication, 802.11a also requires that devices are in
closer proximity to achieve the faster possible rates. Devices operating on this
standard must be 25 to 50 percent closer together than 802.11b devices to achieve
their maximum speeds. As a result, 802.11a is a more practical option when high
throughput is more important than wide coverage.
802.11a is incompatible with 802.11b devices, which were widely adopted by both
home and business users. Because of the earlier popularity of 802.11b, users were
often reluctant to reinvest in the new hardware required to take advantage of the
greater speed offered by 802.11a-compliant devices. 802.11a never achieve the same
popularity as 802.11b, but it provided a good option for companies that wanted to
increase throughput and decrease interference.
384
Rev. 14.21
802.11g
Providing speed and compatibility with

802.11g
Range: 2.4 GHz range
10
Rev. XX
Figure 3-56: 802.11g
802.11g matches the higher speed of 802.11a, with advertised rates of up to 54

Mbps. However, 802.11g-compliant radios operate in the 2.4 GHz band. Using the
2.4 GHz range, 802.11g offers a larger range than 802.11a, although stations must
be closer to the AP to take advantage of the higher speeds.
802.11g devices are not compatible with 802.11a. Because 802.11g devices operate
on a different frequency, they do not cause interference with 802.11a devices.
Because 802.11g is compatible with legacy 802.11b equipment, APs operating at
802.11g speeds can transparently adapt to 802.11b stations in their coverage area
and provide access at 802.11b speeds. However, when 802.11g APs detect 802.11b
stations or APs in the vicinity, they adapt to accommodate those stations. As a result,
802.11g stations in the coverage area will not operate at speeds that users may
expect. To guarantee higher throughput for 802.11g stations, you can configure
802.11g APs to ignore legacy equipment in the vicinity.
Rev. 14.21
385
802.11n
Dramatically increasing performance with

802.11n
RF range: 2.4 or 5 GHz
Advertised transmission speeds: up to 600 Mbps
12
Rev. XX
Figure 3-57: 802.11n
Although802.11a and g improved the performance of wireless networks, users

demands have outpaced what the two subsets could deliver. Users want wireless
networks to support the same bandwidth-intensive applications they use on a wired
network. In fact, many users want to replace their wired connection with the more
convenient wireless connection.
802.11n was designed to meet these demands. It increases transmission speeds,
supporting up to 600 Mbps. This is the theoretical transmission speed possible with
802.11n, but not all 802.11n-compliant APs support it. You must check each AP to
determine the maximum transmission speed it supports.
Because 802.11n can operate in either the 2.4 or 5 GHz band, 802.11n is backward
compatible with 802.11a/b/g.
In addition, 802.11n improves reliability and extends the operating distance of
wireless networks.
386
Rev. 14.21
Wireless Security
Module 4
Objectives
Although wireless networks have become required equipment for most companies,
they are not without their challenges. Perhaps the most critical issue is security.
Because radio waves are shared media, anyone can eavesdrop on wireless
transmissions or tamper with the data wireless devices transmit.
To secure these transmissions, you must address three aspects of wireless security:
Authentication, which ensures that only authorized users access the network
Confidentiality, which hides data from other users of the shared wireless medium
Integrity, which protects data from tampering
After you complete this module, you should be able to:
Describe the differences between 802.11 authentication and supplemental

authentication
Explain how 802.1X functions in a wireless network
Explain how Extensible Authentication Protocol (EAP) works and describe the
differences between EAP-TLS, EAP-TTLS, and PEAP
Compare the encryption Wired Equivalent Privacy (WEP) provides with Wi-Fi
Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) encryption
Explain how MAC authentication (MAC-Auth) and Web authentication (WebAuth) function in a wireless network
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
41
Supplemental
authentication
options
Supplemental
authentication
options
802.1X with:
WPA
WPA2
Dynamic WEP (not recommended)
Pre-shared keys:
WPA
WPA2
WEP (not recommended)
Web-Auth
MAC-Auth
Figure 4-1: Supplemental authentication options

3
Rev. 12.31
As you learned in Module 3, the original 802.11 standard does not provide true
authentication. To protect the wireless transmissions, supplemental authentication
options were developed.
The 802.11 standard also supports several encryption options, each of which
corresponds to one or more authentication options. The following summarizes the
authentication and encryption options that are available for securing wireless-network
access and wireless communications.
802.1X with WPA, WPA2, or dynamic WEP

802.1X, the most secure authentication method, can be used with either WPA,
WPA2, or WEP encryption. WPA2 provides the strongest encryption and is,
therefore, preferred.
WEP with 802.1X is called dynamic WEP because the authentication server sends
different keys to different users. Even this implementation of WEP is inherently
insecure, and therefore, it is not recommended.
Shared key
WPA-PSK, WPA2-PSK , and static WEP are the authentication options that use
shared keys.
WPA and WPA2-PSK

WPA-PSK and WPA2-PSK require users to submit the correct key before connecting to
a WLAN. WPA and WPA2 PSKs are altered before they actually encrypt data,
making these options much more secure than static WEP.
Although these shared-key options provide much better security than static WEP, they
are better suited only for small companies. Because so many users know the shared
42
Rev. 14.21
Wireless Security
key, it can be easily compromised, and this authentication method does not provide
true user authentication.
Static WEP
Static WEP requires users to submit the correct shared key to connect to the WLAN. It
uses the same shared key for encryption. Because both the key and encryption
algorithm can be cracked, IEEE has disapproved this option except in
implementations that require backward compatibility.
Web-Auth
As the name applies, Web authentication (Web-Auth) allows users to submit login
credentials through a Web browser interface. Because Web-Auth is typically used for
guest access, it does not require encryption to protect the wireless transmissions
between the station and the AP. The responsibility for protecting the wireless
communications is left to the guest users, who can use HTTPS or VPN access to
secure the transmissions.
MAC-Auth
MAC authentication (MAC-Auth) allows you to authenticate devices that do not
support other security measures. For example, you may need to implement MAC-Auth
for some printers that do not support an 802.1X client. MAC-Auth can also be used
in conjunction with other security measures to provide an additional check. However,
MAC addresses can be easily spoofed, so this authentication method is ultimately not
very secure. In addition, this authentication method requires the network
administrator to know and track the MAC addresses of the devices that will access
the network, creating a high-level of administrative overhead.
You can use MAC-Auth with other authentication methods and encryption.
Rev. 14.21
43
topics topics
802.1X with WPA/WPA2 or dynamic WEP
802.1X
Roles in the 802.1X authentication process
802.1X ports
Controlled port states
EAP process and EAP methods
802.1X requirements
Certificates required for 802.1X
Installing certificates on MSM Controllers
Advantages and disadvantages of using 802.1X
802.1X encryption options: WPA, WPA2, and dynamic WEP
Activity: Advantages of using WPA and WPA2
Configuring 802.1X on the MSM Controllers
Lab Activity 4.1
WPA/WPA2-PSK
Web-Auth
MAC-Auth
WEP
Additional security measures
4
Rev. 12.31
The first section focuses on the most secure authentication option: 802.1X. It also
covers the encryption options that can be combined with 802.1X.
44
Rev. 14.21
Wireless Security
802.1X
802.1X
Requires a user to authenticate to a RADIUS server as soon as the users
station associates to a WLAN
Figure 4-3: 802.1X

Rev. 12.31
5
You should
now
understand why you should not consider 802.11 authentication to be
true authentication: even if the AP does not actually accept all requests, hackers can
find and usurp keys relatively easily. To secure wireless networks, you must implement
supplemental authentication, and the most secure supplemental authentication
method is 802.1X.
802.1X forces users to authenticate as soon as the Data Link Layer establishes a
connection. This is when the station associates with the APhaving first passed
through the 802.11 open authentication phase. 802.1X then manages the process by
which users authenticate to the network and gain access.
The basic sequence for initiating 802.1X is outlined below.
1.
The station passes open-system 802.11 authentication and associates with the AP.
2.
Depending on how the VSC is configured, the AP or controller blocks all traffic
from the association and initiates the 802.1X authentication process.
As you learned in Module 1, an MSM solution supports both distributed forwarding

and centralized control. You can configure how you want traffic to be authenticated
and forwarded for each VSC. For the purposes of explaining the 802.1X
authentication process, the examples will focus on distributed forwarding, which
means the AP will handle the authentication process. At the end of this section, you
will learn more about configuring the controller to handle authentication. You will
also learn more about the controllers internal RADIUS server.
Rev. 14.21
45
Figure 4-4: Roles in the 802.1X authentication process
To understand
802.1X authentication, you must understand the devices involved in
Rev. 12.31
6
the process and the role each device plays:
What does the device expect from the process?
What responsibilities does the device assume?
What protocols does the device use to communicate?
Keep these questions in mind as you learn about the three devices involved in the
802.1X authentication process:
Supplicant
Authenticator
Authentication server
Supplicant
On a wireless network, the station is the supplicant, or more precisely, the port
access entity (PAE), which implements 802.1X on the station.
The supplicant requests access to the network and proves that it deserves this access
by authenticatingtypically in response to a challenge from the far end of the
connection (for example, an AP).
In addition to responding to a challenge, the supplicant may also initiate the
authentication process on its own behalf (by transmitting an EAP-Start packet). This
mechanism protects supplicants that receive the challenge before the station has
entirely booted, causing authentication to time out before the user can submit his or
her credentials.
46
Rev. 14.21
Wireless Security
Authenticator
The authenticator is the PAE on the far end of the supplicants connection. In an
MSM solution, the authenticator can be the AP or the controlleragain depending
on how the VSC is configured. An AP or controller has as many PAEs as it has
associations with stations.
The authenticator controls network access, forcing a supplicant to authenticate before
it can send any non-EAP traffic over the connection. The authenticator initiates the
authentication process but then relays authentication messages between the
supplicant and the authentication server.
After the authentication is completed, the authenticator decides how to control the
connection. If the authentication server has accepted the users request, the
authenticator activates the virtual port created for the wireless association. In other
words, the station is now completely connected to the wireless network. If the
authentication server rejects the users request, the authenticator enforces this denial
and keeps the virtual port closed.
Authentication server
The authentication server makes decisions about whether or not users can access the
network. These decisions are based on whether or not the user:
Can prove his or her identity (the users credentials are correct)
Is connecting in the proper time and location
For example, an authorized employee might be prohibited from using wireless access
after regular work hours.
The server also submits its own credentials to the supplicant. In essence, the
supplicant and the server authenticate each other, although the authenticator always
acts as a proxy in this process.
The authentication server can be any Authentication, Authorization, and Accounting
(AAA) server; however, it is typically a RADIUS server and will be referred to as such
in this module.
The authenticator and authentication server use RADIUS messages to communicate.
The authenticator encapsulates the supplicants EAP messages in this protocol.
Rev. 14.21
47
802.1X ports
802.1X ports
Controlled port:
Used to control network access, based on the stations authentication state
Disabled by default
Uncontrolled port:
Used to transport authentication messages
Always enabled but allows only EAP
Figure 4-5: 802.1X ports
To restrict an unauthenticated user so that the users station can send only
authentication messages, 802.1X divides the association between the AP and the
station into
two
virtual ports.
Rev. 12.31
7
Controlled port
The controlled port allows all types of traffic, but it can be disabled and, by default,
is. Both the authenticator PAE and the supplicant PAE control the port, based on the
supplicants authentication state. The controlled port allows the authenticator to block
network access by unauthenticated users.
Uncontrolled port
802.1X secures the network from the moment the supplicant connects by deactivating
the controlled port. The uncontrolled port is always active, but it can carry only the
EAP packets used for authentication.
Without the uncontrolled port, this high level of security would shut out all traffic from
users, preventing even authorized users from proving that that they are authorized.
48
Rev. 14.21
Wireless Security
Controlled Controlled
port states
port states
Disabled
Enabled
Rev. 12.31
Figure 4-6: Controlled port states
Because 802.1X considers all peers untrusted by default, the controlled port is
disabled as soon as the connection is established. By the end of the authentication
process, however, the authentication state of the supplicant, the authentication server,
or both may have changedand the controlled ports status will reflect that change.
Both the authenticator and the supplicant PAEs leave the controlled port disabled if
the far ends authentication fails. In other words, the authenticator PAE protects your
network from unauthorized users. The supplicant PAE protects the user from man-inthe-middle attacks and rogue APs.
If the user authenticates successfully, the authenticator enables the controlled port and
allows the user to access the network. Similarly, the supplicant enables the controlled
port if the server authenticates successfully. (For example, the Windows Wireless Zero
Configuration utility now lists the connections status as Connected.)
Unlike the authenticator, the supplicant also enables the port if EAP times out; it
assumes the network does not require 802.1X.
Rev. 14.21
49
EAP process
EAP process
Rev. 12.31
Figure 4-7: EAP process
You will now examine the authentication process for 802.1X in more detail.
EAP, the protocol 802.1X uses for authentication, defines a flexible framework into
which you can fit authentication methods that meet your companys environment and
security policies.
The illustration above shows this general framework. As you follow the process,
remember that the authenticator relays all messages from the station to the RADIUS
server, translating them as necessary. The vertical line underneath the AP shows the
point at which the authenticator translates frames. The horizontal dashed lines show
frames after they have been translated to the new format.
1.
The station associates with the AP.

The AP shuts down the controlled port, blocking all traffic except EAP, and issues
a challenge. The challenge is an EAP Request/Identity packet. Basically, this
frame initiates the authentication process and asks the station to identify itself but
not to send any other information.
2.
The station responds with an EAP Response/Identity packet, which typically

includes a username.
The authenticator includes the users identity in all future frames so that the
server can keep track of which EAP messages belong to which user. The users
identity also marks any accounting frames for the connectionwhich are
important for wireless hotspots and other networks that require devices to track
billing information.
410
Rev. 14.21
Wireless Security
3.
Depending on the EAP method, the station and RADIUS server exchange a
particular series of messages, which might contain one of many types of
authentication credentials.
Because EAP is so flexible, it supports a variety of different EAP methods. This
module will describe some of the more common EAP methods used on wireless
networks.
4.
Rev. 14.21
Based on information received in step 3, the authentication server determines

whether or not the station has authenticated successfully. The AP then either
activates the connection and transmits an EAP-Success or leaves the connection
deactivated and transmits an EAP-Failure.
411
Negotiating the EAP method
Negotiating the EAP method
Figure 4-8: Negotiating the EAP method

Rev. 12.31
The EAP 10method
determines how the user proves his or her identity. Different methods
dictate different steps, so the station and the RADIUS server must agree upon the
method.
The first step in the exchangethe servers EAP Request/METHOD packetboth

starts the process and indicates the method that the server requires. (Depending on
your RADIUS server, you can program it to select methods according to conditions
such as user identity and location.)
If the station supports the requested method, it continues the exchange. Otherwise,
the station sends an EAP NAK packet, which can suggest a different method. The
server, if it supports the alternative method, may then initiate the exchange with the
new method.
412
Rev. 14.21
Wireless Security
EAP methods:
TLS TLS
EAP methods:
11
Rev. 12.31
Figure 4-9: EAP methods: TLS
Considered one of the most secure EAP methods, EAP-TLS uses a three-way TLS
handshake to exchange digital certificates and to generate encryption keys. By the
end of the process, not only are the connection endpoints authenticated, but the
connection itself is secured with encryption.
The EAP Request/TLS and EAP Response/TLS packets include information such as:
Digital certificates and certificate verifications
Supported encryption suites
Values for generating encryption keys (not the keys themselves)
Advantages
EAP-TLS is one of the most secure EAP methods because it provides mutual
authentication with Public Key Infrastructure (PKI) digital certificates. (Digital
certificates rely on extremely strong asymmetric keys and trusted certificate authorities
[CAs].) In addition, the process has built-in key distribution, making a secure option
for wireless networks.
With TLS, authentication is based on a digital certificatesomething the user has
rather than on a shared secretsomething the user knows. The digital certificate is
typically stored on a laptop or a smart cardproviding stronger security. Although
you can set up requirements to force users to create stronger, and therefore more
secure, passwords, you cannot prevent users from telling people their password or
writing it on a paper displayed in plain sight.
Someone who steals a laptop or smart card can gain access to certificates installed
on that laptop, but the user can immediately report the theft, allowing you to disable
the related account.
Rev. 14.21
413
EAP-TLS is impervious to the attacks that affect less secure EAP methods such as EAPMD5, but security comes at the cost of purchasing and managing the digital
certificatessubstantially more expensive than managing passwords. Maintaining a
large number of certificates requires specialized software and trained IT staff.
Another barrier to adopting EAP-TLS is the requirement for digital certificates on all
stationsan impossibility in some environments.
414
Rev. 14.21
Wireless Security
EAP methods:
TTLS and
PEAP
EAP methods:
TTLS and
PEAP
12
Rev. 12.31
Figure 4-10: EAP methods: TTLS and PEAP
Tunneled Transport Layer Security (TTLS) and Protected EAP (PEAP) were developed to
provide much of the security of EAP-TLS without forcing stations to use digital
certificatesdrastically reducing implementation costs. For this reason, these are
among the most commonly used EAP methods. (TTLS was developed by Funk
Software and Certicom; PEAP was developed by Microsoft, Cisco Systems, and RSA
Security.)
TTLS and PEAP function in very similar ways. Both methods involve a two-step
authentication process; in the first step, the outer method creates a secure tunnel in
which the second step takes place.
Step 1outer method

Like EAP-TLS, TTLS and PEAP use a three-way TLS handshake to generate encryption
keys and negotiate a tunnel secured by those keys. However, only the server
authenticates itself with a digital certificate during this exchange. (Encryption keys for
the tunnel are derived from the public key in this certificate.)
Step 2inner method

The station authenticates itself in the second step; it uses a weakerand so more
easily implementedauthentication method, protected by the secure tunnel in which
it takes place.
For the inner authentication method, TTLS can use a weaker EAP method, such as
EAP-GTC, or a legacy RADIUS method, such as CHAP, PAP, or Microsoft CHAP
variants (MS-CHAP v1 or MS-CHAP v2). PEAP supports methods such as MS-CHAP
v2, EAP-GTC, and TLS. Because Windows wireless clients support PEAP with MSCHAP v2, this is by far the most prevalent EAP method; all HP products support it.
Rev. 14.21
415
The tunnel is closed after the station authenticates. However, the final RADIUS
Access-Accept packet distributes new keying information for the wireless association.
Benefits
Like EAP-TLS, EAP-TTLS and PEAP provide strong, mutual authentication and dynamic
key distribution. Because TTLS and PEAP use encrypted tunnels to secure usernames
and passwords (rather than requiring digital certificates on stations), you can
implement these methods more easily than you can TLS.
TTLS has one unique benefit: it always protects the username. Depending on how
PEAP is implemented, the username might be transmitted in plain text, allowing a
hacker to detect the users identity and possibly lock the user out of his or her
account.
416
Rev. 14.21
Wireless Security
Complete 802.1X
process
Complete 802.1X
process
13
Rev. 12.31
Figure 4-11: Complete 802.1X process
This illustration outlines the entire 802.1X process. The authenticator initiates the
process when the station is associated with the AP. The authenticator then relays EAP
messages between the station and the RADIUS server, encapsulating the messages in
RADIUS format for the server. (This illustration and the steps below use an AP as the
authenticator, but the authenticator could also be an MSM Controller.)
More precisely, the steps are as follows:
1.
The station associates to the AP. 802.1X requires 802.11 open-system

authentication, so all stations can authenticate and associate. An AP that
implements 802.1X blocks network access as soon as the 802.11 association is
established.
2.
Either the AP or the station can initiate EAP: the AP sends an EAP Request/
Identity packet to initiate the process; the station sends an EAPOL Start packet.
3.
After the AP issues an EAP Request/Identity packet, the station responds with its
identity (either its MAC address or a username).
The AP relays the EAP Response/Identity to the RADIUS server to initiate the
authentication process. The AP copies this message into the EAP field of a
RADIUS NAS Access-Request and also adds information such as its own MAC
address and the stations WLAN.
4.
The RADIUS server selects a particular EAP method based on the users identity
and other criteria. The server initiates this EAP method, requesting credentials
from the station. The AP relays the EAP message to the station, decapsulating it
from the RADIUS packet.
The station sends a reply, and the exchange proceeds as dictated by the
particular EAP method.
Rev. 14.21
417
EAP methods appropriate for wireless networks include the exchange of key
material. By the time the authentication is completed, the station should have all
the material necessary for generating a shared encryption key.
5.
If the station authenticates successfully, the RADIUS server transmits an AccessAccept packet, including an encapsulated EAP-Success packet.
When the AP receives the Access-Accept packet, it enables the controlled port
and relays the EAP-Success packet to the station. The station now has network
access (although the users rights might be limited by access control lists, or
ACLs).
6.
The RADIUS server transmits an EAPOL Key packet to the AP so that it can
generate the same key that the station has generated. You will learn more about
these keys in the next section, which describes the encryption options for wireless
networks that use 802.1X. For now, you should simply remember that 802.1X
authentication has become an integral part of the secure generation of
encryption keys.
RADIUS protocol
Figure 4-12: Using the RADIUS protocol
This module has referred to the fundamental exchange between the supplicant and
the authentication server. In reality, the supplicant and the server do not communicate
directly. Instead, the authenticator (the AP or controller) acts as a proxy to the
RADIUS server.
As mentioned earlier, an 802.1X authenticator can use any AAA protocol to
communicate with the authentication server. RADIUS is an industry-standard protocol
for communications between a device that grants users network access and a device
that authenticates, authorizes, and tracks the users. As such, it is ideal for 802.1X.
The RADIUS standard sends calls to the entity that 802.1X refers to as the
authenticator, which is also called a network access server (NAS). The NAS enforces
the RADIUS servers policy decisions. For example, acting as a NAS, an AP receives
a RADIUS message that a user is allowed to connect. The APs 802.1X PAE activates
the association. The NAS also enforces access controls.
418
Rev. 14.21
Wireless Security
The RADIUS server acts as the policy decision point. It determines whether a user is
who he or she claims to be and decides which policies apply to the user. The server
draws on information stored in a database (either its own database or a directory
service database) to make these decisions.
The NAS and the RADIUS server exchange these packets:
NAS Access-Request
Access-Challenge
Access-Accept
Access-Reject
When used with 802.1X, the NAS acts as a go-between for a station and a RADIUS
server, encapsulating the stations EAP messages into RADIUS format. As mentioned
earlier, the server must support EAPOL, so that it can read these messages.
Rev. 14.21
419
802.1X requirements
802.1X requirements
AP and controller must support 802.1X.
Network must include an EAPOL-compliant RADIUS server.
MSM Controllers include a RADIUS server.
Stations wireless NIC and client utility must support 802.1X with EAPOL.
Native support in Windows 2000 SP1 and above
Figure 4-13: 802.1X requirements
802.1X delivers more than 802.11 authentication, but it also demands more.
First, the AP and the controller must support this authentication standard. As you
learned in Module 1, the MSM APs and MSM Controllers both support 802.1X.
Your network also requires a RADIUS server (or other AAA server) that supports
EAPOL. The MSM Controllers provide an internal RADIUS server, or you can use a
third-party RADIUS server such as Microsoft Network Policy Server (NPS). With the
MSM Controllers, you can also authenticate users to Active Directory.
14
Rev. 12.31
In addition, stations that access the wireless network must support 802.1X with
EAPOL. If a legacy wireless NIC does not support 802.1X, the station can still
authenticate as long as it includes a separate client utility that supports EAPOL. In
other words, the station must include one of the following:
420
A wireless NIC that supports 802.1X with EAPOL
A client utility that supports EAPOL
Rev. 14.21
Wireless Security
required
for 802.1X
CertificatesCertificates
required
for 802.1X
EAP method
RADIUS server
certificate
EAP-TLS
Yes
Yes
EAP-TTLS
Yes
No
PEAP
Yes
No
Supplicant certificate
Certificates required on the MSM Controller when it acts as RADIUS server
EAP method
RADIUS EAP local

certificate
EAP-TLS
Trusted by clients
Includes the CA that signed

clients certificates
EAP-TTLS
Trusted by clients
Does not matter
PEAP
Trusted by clients
Does not matter
15
Rev. 12.31
RADIUS EAP CA
Figure 4-14: Certificates required for 802.1X
Several of the EAP methods about which you have learned use digital certificates as
authentication credentials, as the source for the keys that secure an SSL tunnel
between the client and the server, or both. The table in Figure 4-14 indicates common
EAP methods and which components of the 802.1X process require certificates for
that method. As you see, the RADIUS server requires a certificate for all of these
methods.
When the MSM Controller acts as the RADIUS server, it requires the certificate. The
controller supports multiple certificates; it uses whichever certificate is specified as the
local certificate for the RADIUS EAP usage.
For EAP-TLS, the controller also requires a list of trusted CA certificates. It uses these
certificates to check the signatures on clients certificates. If the certificate is valid,
and if the subject name matches a local user account, the controller accepts the
authentication.
Rev. 14.21
421
Installing certificates
on the
MSM
Installing certificates
on the
MSM Controller
Controller
Local certificate:
Create the certificate request and private key offline.
Have the request signed by a trusted CA.

Combine the signed certificate and private key in a file (PFX).
Install the certificate/private key on the controller.
Set the RADIUS EAP usage.
CA certificate:
Install the CA certificate for the CA that signed clients certificates
Add to the CA list for the RADIUS EAP usage
Only required for EAP-TLS
Figure 4-15: Installing certificates on the MSM Controller
At factory default settings, the controller has a self-signed certificate which its RADIUS
server uses. This certificate enables the controller to support local authentication for
Rev. 12.31
16
802.1X. However,
clients will not trust the certificate and authentication will fail.
Although you can disable validation of the server certificate on the clients, this step is
not generally recommended. It increases administrative burden and decreases
security. Instead you should install a certificate that is signed by a trusted CA on the
MSM Controller. Depending on the companys environment or policies, the trusted
CA might be a Windows domain CA that the company manager or a thirdparty CA.
To install the certificate on the MSM Controller, follow these steps (the companys
certificate administrator might complete steps 1 through 3; you should provide the
guidelines below to that administrator):
1.
Create the certificate request and private key offline.

Several applications for creating certificate requests exist. A common one is
OpenSSL. You can use any application. You simply need to make sure that the
certificate request specifies the correct subject name for the certificate controller.
It should also request these key usages and extended key usages:
Key usages
digitalSignature
keyEncipherment
Extended key usages
serverAuth
clientAuth
However, clientAuth is only required when EAP-TLS is used.
422
Rev. 14.21
Wireless Security
Finally, you need to make sure that the private key is saved in a way in which
you can export it. (You will need to install it on the MSM Controller.) Most
certificate request applications will prompt you to secure a reproducible key with
a password; you should use a strong one (with random alphanumeric
characters).
If you are using a Windows CA, you can use the Web request windows or the
Certificate request wizard. Valid certificate templates include the template for
IAS or for Web servers (the latter, only if you are not using EAP-TLS). Make sure,
however, that you can request an exportable private key.
2.
Submit the certificate request to the CA.
3.
After the CA returns the signed certificate, combine the certificate with the saved
private key in a PFX file. Again, you can use an application such as OpenSSL.
If you saved the private key with a password, you will be prompted to enter this
password. Typically, you will also be prompted to save the PFX file with a
password, which administrators must enter when they attempt to install the
certificate. Again, it is recommended that you set a strong password.
4.
5.
Install the PFX file on the MSM Controller.

a.
Navigate to Controller >> Security > Certificate stores.
b.
In the lower section of the window, which includes the controllers local
certificates, click the Browse button.
c.
Open the certificate/private key file.
d.
Type the password set on the PFX file.
e.
Click Install.
Set this certificate for the RADIUS EAP usage.

a.
Click the Certificate usage tab.
b.
Click RADIUS EAP.
c.
For Local certificate, select the new certificate.
d.
Click Save.
The RADIUS EAP certificate usage window also includes a section in which you
set the trusted CA certificates. You only need to complete this step when the
MSM Controller is enforcing EAP-TLS.
Rev. 14.21
6.
Obtain the CA certificate for any CA that will sign clients certificates.
7.
Install the CA certificates.

a.
Navigate to Controller >> Security > Certificate stores.
b.
In the upper section of the window, which includes the controllers CA

certificates, click the Browse button.
c.
Open the CA certificate file.

423
8.
424
d.
Click Install.
e.
Repeat for any other CA certificates.
Add these certificates to the trusted CA list for the RADIUS EAP usage.
a.
Click the Certificate usage tab.
b.
Click RADIUS EAP.
c.
Select your CA certificate in the list at the bottom of the window.
d.
Click Add.
e.
Repeat for other certificate.
f.
Click the Dummy CA and click Remove.
g.
Click Save.
Rev. 14.21
Wireless Security
Activity: Advantages and disadvantages of using

802.1X 802.1X
What are the advantages of using 802.1X?
What are the disadvantages of using 802.1X?

What factors must you consider when selecting an EAP method?
Figure 4-16: Activity: Advantages and disadvantages of using 802.1X

17
Rev. 12.31
Originally designed for Ethernet networks, product developers quickly recognized the
benefits the standard this secure security method would bring to wireless networks.
Your facilitator will organize learners into groups and assign each group a question
to answer. After you discuss the answer with the members of your group, appoint a
member of the group to present your answers to the remainder of the group:
1.
What are the advantages of using 802.1X?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
425
2.
What are the disadvantages of using 802.1X?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
3.
What factors must you consider when selecting an EAP method?

To answer this question, consider the following companies.
Company 1
A medium-sized company wants to implement 802.1X. The EAP method must be
secure but also require a minimal number of hours to implement. The IT staff is
small, and with the current workload, the IT staff members have a limited number
of hours to manage the wireless network. Which EAP method would you
recommend for this company? What are the requirements for implementing it?
Company 2
A large company requires the highest level of both wired and wireless security to
meet regulatory requirements for its industry. Which EAP method would you
recommend for this company? What are the requirements for implementing it?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
426
Rev. 14.21
Wireless Security
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
427
802.1X encryption options

802.1X encryption options
WPA
WPA2
Dynamic WEP
Figure 4-17: 802.1X encryption options
802.1X satisfies the authentication requirement for security for an 802.11 network.
Because most EAP methods allow for securely negotiating encryption keys, 802.1X
can be used with the following encryption standards:
WPA
WPA2 (which complies with the complete 802.11i standard)
Dynamic WEP
As the next section in this module explains, these encryption methods provide
Rev. 12.31
varying degrees of confidentiality18 and
integrity.
428
Rev. 14.21
Wireless Security
WPA
WPA
History
Designed to address WEPs vulnerabilities but run on WEP-capable software
Provided an interim solution before 802.11i (WPA2) was ratified
Authentication options
Preshared keysless secure option
802.1Xtrue user authentication
Figure 4-18: WPA

19
Rev. 12.31
Because WEP was cracked almost as soon as it was released as part of the IEEE
802.11 standard in 1999, the IEEE 802.11i taskforce set to work on a new standard,
which was completed in 2004. In the meantime, however, companies needed an
interim security solutionparticularly since hackers certainly were not waiting years
to attack. The Wi-Fi Alliance designed WPA as an interim solution until the
ratification of 802.11i.
WPA and WPA2 were developed in accordance with the 802.11i standard: WPA
meets only the first part of the standard, which provides for backward compatibility
with WEP equipment, while WPA2 meets the complete standard. You should use
WPA2 unless you have legacy stations that do not support it.
WPA consists of a series of compromises between two overarching goals.
On the one hand, WPA had to address WEPs vulnerabilities, providing:
Per-frame unicast (pairwise) keys and global (group) keys
Encryption-based integrity checks
On the other hand, WPA had be backward compatible with WEP hardware,
eliminating the need for expensive upgrades to equipment.
Temporal Key Integrity Protocol (TKIP)

TKIP replaces WEP with much more secure encryptionmore secure not because
TKIP uses a different encryption algorithm , but because it implements the algorithm
in a more secure fashion. Thus TKIP uses the calculation facilities present on existing
wireless devices. TKIP meets the WPAs requirement for per-frame keys by:
Rev. 14.21
Synchronizing the refreshing of unicast and global keys on APs and stations via
various handshakes
429
Using key mixing to create per-frame keys

Note
WPA allows Advanced Encryption Standard (AES) as an

additional replacement for WEP encryption. However, it does
not require AES because a software upgrade may not be
enough to support this algorithm. Implementation depends on
vendors building devices that support it. AES, which is an
integral part of the complete 802.11i standard, will be
discussed in the WPA2 section of this module.
Michael
Hackers can predict how to alter WEP to conceal tampering. To meet the
requirement for true data integrity, WPA designers introduced Michael. When
transmitting a frame, Michael hashes the frame payload with a MIC key to produce
a cryptographically secure 8-byte message integrity check (MIC), which is then
appended to the payload. When receiving a frame, Michael checks the MIC,
implementing countermeasures if it detects an error.
802.1X provides true user authentication. In addition, 802.1X authentication lays the
foundation on which TKIP builds secure, per-frame keys.
To accommodate home and small-office networks, which may not include an AAA
server, WPA defines a Personal mode that uses preshared keys for authentication.
This mode will be discussed later in this module.
Requirements
Stations must have a wireless card and a wireless client utility that support WPA. The
table below summarizes which versions of Windows include support for Wireless
Zero Configuration, the Windows client utility, and WPA. You might also be able to
obtain a WPA-compliant configuration tool from your wireless NIC vendor.
Table 4-1: WPA support in Windows

Windows Version
Wireless Zero
Configuration
Requirement for WPA
Vista or 7
XP with Service Pack 2 (SP2) or
above
2000
Yes
Yes
None; WPA support included

WPA supported included in SP2 or above
Not applicable
WPA-compliant utility for NIC
Of course, the AP must be configured to beacon the WPA informational element,

indicating its support of this security option. (You will learn how to configure WPA2
in Lab Activity 4.1.)
430
Rev. 14.21
Wireless Security
TKIP
TKIP
Figure 4-19: TKIP

20
Rev. 12.31
TKIP uses WEP-capable hardware to generate and distribute an impressive array of

keys both for encrypting and authenticating data.
Like WEP, TKIP uses RC4 encryption with 128-bit keys. One of the main problems
with WEP is that frequently reused secret keys cease to remain secret. A priority for
TKIP, then, is to encrypt each frame with a new key.
Pairwise keys, used for unicast traffic, are completely unique. Group keys, used for
beacons, broadcasts, and multicasts, must, of course, be available to all stations in a
WLAN. However, key mixing still produces per-frame keys for broadcast traffic.
To derive per-frame keys, TKIP:
1.
Receives pairwise master keys (PMKs) from a RADIUS server when it is used in
conjunction with 802.1X authentication
2.
Distributes refreshed pairwise and global keys, called transient keys, through
periodic handshakes
3.
Creates per-frame keys using key mixing
Securely generated master keys

TKIPs master keys do not actually encrypt any traffic. They provide a common,
shared base from which stations and APs can eventually derive identical perframe keys:
The AP shares a unique PMK with each station. The station and RADIUS server
generate this key securely by exchanging random values during 802.1X
authentication.
The AP maintains a group master key (GMK) for all stations. It generates the key
randomly.
Rev. 14.21
431
Because keys are generated randomly and never transmitted unsecured over the
network, they are not vulnerable to leaks and dictionary attacks in the way WEP keys
are.
Key rotation with transient keys

The AP periodically completes a handshake with each station to create a new
pairwise transient key (PTK). The AP also periodically sends a new group transient
key (GTK) to every station. The periodic refreshing ensures that the same key is never
reused.
Key mixing for per-frame keys

TKIPs key mixing was designed with the same basic goal as WEPs IVthe creation
of per-frame keysbut has been far more successful at meeting this goal. TKIP:
432
Expands the IV to allow nearly 300 billion (248) unique values

Performs bit-swaps and other easily processed operations on the IV and
temporal key rather than simply adding the IV to the beginning of the key
Rev. 14.21
Wireless Security
TKIP key distribution: four-way handshake for a

TKIP key distribution: four-way handshake for a
pairwise key
pairwise key
21
Rev. 12.31 4-20: TKIP key distribution: four-way handshake for a pairwise key
Figure
Distributing keys
TKIPs dynamic distribution system significantly enhances the security of the network
by:
Periodically refreshing keys so that no key is ever re-used

The station and the AP complete handshakes to agree on new transient keys.
Although based on the master keys, each new transient key is unpredictable and
unique.
Encrypting packets involved in key distribution

The AP initiates a four-way handshake and refreshes PTKs at these times:
After 802.1X authentication or reauthentication
After a certain amount of time
The following section describes the handshake between an AP and a station.
Completing the four-way handshake

The four-way handshake proceeds with the following EAPOL-Key messages:
1.
The AP transmits a random value, or nonce, to the station. (A nonce is a random

value used to create unique temporal keys from a master key.)
The station then has all the information it needs to generate a new 512-bit PTK
from its PMK:
Rev. 14.21
433
Its own and the APs nonceThe randomly generated nonces, which are
different for each new handshake, make transient keys unique.
Its own and the APs MAC address
The station splits the PTK into four 128-bit keys:
Key confirmation key (KCK)
Key encryption key (KEK)
Temporal key (TK)
Message integrity check (MIC) key
The first two keys serve only to secure the exchange of keys.
The station transmits the TK to TKIP for generating per-frame keys. Michael uses
the MIC key to preserve data integrity.
434
2.
The station transmits its nonce to the AP, so the AP can follow the same process
to generate identical keys. The station also creates a MIC with the KCK and
appends it to the packet. After the AP generates the KCK itself, it verifies the
packet. An incorrect MIC indicates a man-in-the-middle attack, so the AP
terminates the handshake.
3.
The AP acknowledges that it has installed the new keys. The packet the AP sends
can optionally include a GTK encrypted with the KEK to refresh the global key.
4.
The station acknowledges the last message, completing the handshake.
Rev. 14.21
Wireless Security
TKIP key distribution: two-way handshake for group

TKIP key distribution: two-way handshake for group key
key
Figure 4-21: TKIP key distribution: two-way handshake for group key
22
Rev. 12.31
By itself, 802.1X provides no mechanism for refreshing global encryption keys.

Instead of, or in addition to, transmitting the GTK as part of the four-way handshake,
the AP can complete a two-way handshake to refresh this key.
The AP initiates the handshake to distribute an existing GTK whenever a station
authenticates and completes the four-way handshake.
You can configure MSM APs to rotate the GTK periodically. The AP creates a new
GTK and initiates the two-way handshake to distribute it. You enable this setting in
the Controlled APs >> Configuration > 802.1X. Select the Group Key Update check
box and choose the interval for updates.
Distributing the GTK requires only two steps because the AP and station do not have
to exchange nonces. The AP simply secures the exchange using the previously
established KEK and KCK. The station acknowledges the key.
Rev. 14.21
435
WPA2 (802.11i)
WPA2 (802.11i)
Recommended encryption option
Highly secure
Meets 802.11i standard

EncryptionCCMP-AES
IntegrityCBC-MAC
802.1Xtrue user authentication
Preshared keysless secure option
Figure 4-22: WPA2 (802.11i)
WPA supports a subset of 802.11i and provides backward compatibility with WEP
equipment. WPA2, on the other hand, is fully compatible with 802.11i. You should
use WPA for the following reasons:
802.11nIf you want to take advantage of the higher transmission speeds of

Rev. 12.31
802.11n, you must use
802.11n requires it.
23 WPA2.
Faster roamingWith WPA, generating PTK and GTK requires two separate
operations. As you will learn in the next few pages, generating PTK and GTK
can occur in the same operation with WPA2. (Remember that to support fast
roaming, the MSM Controllers require a mobility or premium mobility license.)
More secureIn concept, WPA2 functions much as WPA does. It provides:
Per-frame pairwise (unicast) keys and per-frame group (global) keys
Encryption-based integrity checks
However, WPA 2 is based on the Advanced Encryption Standard (AES) block

cipher and raises security to a higher level.
Strong encryption
AES operates under the Counter Mode with Cipher Block Chaining Message
Authentication Code (CBC-MAC) Protocol (CCMP). Using handshakes similar to
TKIPs, CCMP also distributes and refreshes the keys necessary for AES.
The bulk of WPA2s added security originates in the strength of the AES block cipher.
For WPA2, AES operates in counter mode, a mode that:
Allows each 128-bit block of data to be encrypted with a unique keystream
Minimizes the effects of data corrupted in transmission
In addition to CCMP/AES, WPA2 supports TKIP for backward compatibility with

older stations that cannot support AES.
Encryption-based integrity
CCMP/AES creates a cryptographically secure, 8-byte hash, or MIC, to verify a
frames authenticity. The protocol calculates the MIC by operating on the frame
436
Rev. 14.21
Wireless Security
payload, as well as information from the frames header, with the same temporal key
used to encrypt the payload. However, this operation uses Cipher Block Chaining
(CBC) rather than AES counter mode.
The most important concepts for you to understand are:
CBC-MAC is a secure protocol that creates hashes unpredictable to anyone

without the correct key.
The information added from the frames header protects against replay attacks.
Authentication
Because 802.1X currently provides industry-standard secure authentication, WPA2
relies on the same authentication as WPA. In addition to 802.1X, WPA2, like WPA,
can use preshared keys, an option described later in this module.
Requirements
Stations must have a wireless card and a wireless client utility that support WPA2.
The table below summarizes which Windows versions support Wireless Zero
Configuration and WPA2. You might also be able to obtain a WPA2-compliant
configuration tool from your wireless NIC vendor.
Table 4-2: WPA2 support in Windows

Windows Version
Wireless Zero
Configuration
Requirement for WPA2
Vista or 7
Windows XP with SP3
Server 2003
2000
Yes
Yes
No
Not applicable
None; WPA2 support included

WPA2 support included in SP3
WPA2-compliant utility for wireless NIC
WPA2-compliant utility for wireless NIC
Of course, the AP must be configured to beacon the WPA2 informational element,

indicating its support of this security option.
Rev. 14.21
437
CCMP/AES
CCMP/AES
Figure 4-23: CCMP/AES
The main24difference
between CCMP/AES and TKIP is the greater security of the
Rev. 12.31
encryption method. The key hierarchy and distribution process, however, are quite
similar:
Each station generates its PMK, preferably as part of the 802.1X authentication
to a RADIUS server. The AP also knows the PMK.
The AP periodically expands each PMK into a new PTK, which it distributes to
the station via a four-way handshake. The AP uses either the four-way handshake
or a two-way handshake to distribute refreshed GTKs to all stations.
Unlike TKIP, CCMP uses the same key to secure data and the MIC. As a result,
CCMP requires only 128 bits for the GTK and 384 bits for the PTK. The entire GTK is
used to create the per-frame keys for global traffic while the PTK first divides into
three 128-bit keys:
438
The KCK and the KEK for securing the key distribution handshakes
The TK for deriving per-frame keys for unicast traffic
Rev. 14.21
Wireless Security
CCMP/AES
(cont.) (cont.)
CCMP/AES
34
Rev. 12.31
Figure 4-24: CCMP/AES (cont.)
An entire book could be devoted to the intricacies of WPA2 and CCMP/AES. This
guide focuses on explaining WPA2s improvements at a relatively high-level:
Operating in counter mode, AES generates unique key streams and encrypts
data. AES is the most important security enhancement of WPA2 over WPA. This
algorithm is simply stronger than the algorithm used by WEP and TKIP, despite
all of TKIPs fixes.
CCMPs method of calculating the MIC relies on encryption and is tamperresistant.
AES counter mode encryption

A block cipher such as AES performs a fixed series of operations on equal-sized
blocks of text. AES uses the Rijndael key schedule and a 128-bit key to transform a
128-bit input block into an encrypted block.
WPA2 specifies that AES functions in counter mode, which means that, rather than
actually encrypting data, the block cipher creates a series of 128-bit key streams. In
other words, instead of using the block cipher and TK to encrypt the data itself,
counter mode AES applies the block cipher and TK to a counter block.
A counter block includes information such as:
CounterThe counter increments for each iteration of the block cipher.

Packet number and sender addressIncluding the sender address allows
different stations to use the same packet numbers but always creates different key
streams.
The output is a 128-bit keystream, which then encrypts plain-text data in much the
same way as a stream cipher, using a simple XOR operation.
Rev. 14.21
439
Note
An binary exclusive OR (XOR) operation for binary numbers takes two inputsin
this case, the plain-text data and the keystreamand produces an output, which
is the encrypted text. The XOR operation produces a 1 if the binary numbers are
different and 0 if the binary numbers are the same. For example, if the plain-text
bit is 0 and the keystream bit is 0, the encrypted bit is 0.
The next 128-bit block of data will be XORed with a different key stream, the one
created by encrypting the second counter block with the block cipher and TK.
Because each block of data is encrypted with a unique, securely generated key
stream, the same block of plain text never produces the same block of cipher text,
and encrypted data remains quite secure (vastly more secure than WEP-encrypted
data).
Using a block cipher that mimics a stream cipher makes CCMP more resistant to
errorsan important advantage in the wireless medium. A bit corrupted during
transmission only affects one decrypted bit instead of an entire block of data.
MIC for data integrity

CCMP calculates the MIC using the CBC-MAC method. This AES mode encrypts
data using the block cipher and a TK. It then XORs the encrypted block with the next
block of plain text before encrypting that new block. The final encrypted block is the
MIC. All previous blocks are forgotten: as with most integrity checks, validating the
final result is important, but preserving the actual data used to encrypt is not.
With CBC-MAC, changing even one bit in the message produces a totally different
result, a result that cannot be predicted without the temporal key used to perform the
CBC encryption. Consequently, hackers cannot tamper with data without invalidating
the MIC, unlike WEPs easily circumvented ICV.
As you can see in the illustration on the previous page, the first block (or blocks) of
data to be authenticated are called additional authentication data (AAD). These are
bits taken from the 802.11 header. If a hacker tampers with the header (which must,
of course, be transmitted in plain text), the MIC check fails. Securing the 802.11
header protects you from replay attacks in which a hacker hijacks the AP to decrypt
intercepted and re-addressed frames.
Hole 196
GTKs in WPA/WPA2 open a vulnerability called Hole 196:
All stations and the AP share the same GTKs, and these keys do not provide
data authenticity.
A malicious authorized user can send a message encrypted with the GTK to
other stations, spoofing the AP MAC address (BSSID, or Basic Service Set
Identifier).
With this message, the hacker can implement a number of attacks. One of the most
dangerous is an ARP poisoning attack. ARP poisoning occurs when a hacker forges
440
Rev. 14.21
Wireless Security
an ARP response that binds the wrong MAC address to an IP address. Other devices
then send traffic to the wrong location.
Hole 196 is not a weakness in the encryption, and WPA2 has not been cracked.
Instead Hole 196 is a vulnerabilityexploitable by authorized users onlyof the
way WPA/WPA2 works. If you are concerned that authorized users could launch
such an attack, you can implement a wireless IDS/IPS, such as HP RF Manager
Controller and the MSM415 sensor, which detects stations spoofing the AP MAC
address.
Rev. 14.21
441
WPA/WPA2
compatibility
WPA/WPA2
compatibility
WPA and WPA2 stations can join
the same WLAN but must use the
required encryption.
802.11i Mixed mode allows both
types of encryption:
Station can use either a TKIP or
an AES pairwise key.
AP distributes a TKIP group key.
Figure 4-25: WPA/WPA2 compatibility
The two WPA versions correspond loosely to encryption protocols. WPA stations
Rev. 12.31
26
always support TKIP, and WPA2 stations always support CCMP/AES. However,
WPA stations, with the proper software and hardware, can use AES. WPA2 stations
support backward compatibility with TKIP.
Because WPA and WPA2 overlap in many ways, stations of both types can join the
same WLAN. However, all stations in the WLAN must use the required encryption
standard. For example, if the WLAN requires AES encryption, WPA stations can join
only if they support such encryption, even though AES is optional under WPA.
802.11i Mixed Mode allows simultaneous support for multiple encryption standards
so that networks can migrate from TKIP with WPA to CCMP/AES with WPA2. Mixed
Mode allows stations to choose either a TKIP or AES key for unicast traffic.
The Mixed Mode group key is always a TKIP key. Because both WPA and WPA2
stations must support this standard, all stations can encrypt and decrypt broadcasts
and multicasts.
442
Rev. 14.21
Wireless Security
Dynamic WEP
Dynamic WEP
Generates keys as part of the 802.1X authentication process
Narrows the window for an attack with per-session and rotating keys
Remains vulnerable to attack
27
Rev. 12.31
Figure 4-26: Dynamic WEP
WEP defines a process for encrypting data with a symmetric key. It does not dictate
how wireless stations receive this key. Static WEP encryption is weak because it uses
the same key again and again.
Two closely related barriers stand in the way of changing WEP keys often enough for
any level of security:
The administrative overhead of changing the key on every AP

The administrative overhead of informing every user about the new key so he or
she can authenticate
Dynamic WEP overcomes both of those barriers with 802.1X. First, 802.1X
authentication frees the encryption key from its double-duty of providing both
confidentiality and authentication. Second, the 802.1X process is co-opted for
generating a unique, per-session key at the beginning of each association.
Per-session unicast keys and securely distributed global keys greatly increase security.
Periodic key rotation helps to prevent hackers from collecting enough packets encrypted
by the same key to crack the key. 802.1X centralizes key distribution, making dynamic
WEP not only more secure, but also easier to manage than static WEP.
Despite all these improvements, dynamic WEP is vulnerable to all the attacks that
have compromised static WEP (although the windows of vulnerability are much
narrower with dynamic WEP). Consequently, per-session keys can be cracked. Perframe keys, a more secure option, would require excessively frequent key rotation
and a prohibitive amount of overhead. Periodically rotating both session and global
keys is usually a better solution for dynamic WEP than per-packet keys, and this is
how the HP mobility infrastructure solutions implement dynamic WEP.
Rev. 14.21
443
Note
Because dynamic WEP can be compromised relatively easily, it

is not recommended as an encryption method for 802.1X.
444
Rev. 14.21
Wireless Security
Activity: Advantages
of using
WPA2
Activity: Advantages
of using
WPA/WPA2
What are the advantages of using WPA2?
Why should you use WPA2, rather than WPA, whenever possible?
Figure 4-27: Activity: Advantages of using WPA2

28
Rev. 12.31
What are the advantages of using WPA2? Why should you use WPA2, rather than
WPA, whenever possible
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
445
on the MSM Controller

Configure Configure
802.1X 802.1X
on the
MSM Controller
Configuration decisions:
Will you use an external RADIUS server or the controllers internal RADIUS server?
Will the AP or the MSM Controller handle authentication?
Will you use a static VLAN, user-assigned (dynamic) VLANs, or both?
Best practices:
Use WPA2 (particularly for 802.11n) or WPA encryption
Disable Access Control
Enable Fast Roaming
Access the Add New VSC Profile window to configure VSC settings.
Figure 4-28: Configure 802.1X on the MSM Controller
Configuration decisions
Before you begin configuring 802.1X as the security for a VSC, you must make some
decisions. For example, you must determine if you will use the controllers internal
Rev. 12.31
RADIUS 29
server
or an external RADIUS server. If you have an existing RADIUS server,
you will probably want to configure that RADIUS server to support authentication
requests from wireless users. (The configuration steps vary, depending on what
RADIUS server you are using.)
If your company does not have an existing network RADIUS server, you may want to
use the controllers internal RADIUS server. Keep in mind, however, that the RADIUS
server is intended for small hotspots or enterprise networks. If you have a large-scale
wireless network, you should probably deploy a network RADIUS server. You can
then extend 802.1X authentication to all users on the wired network and
management access for network infrastructure devices.
In addition, you must determine if you want the AP or the controller to handle the
authentication process for wireless users. The Use Controller for Authentication setting
in the VSC enforces your decision. If you clear the check box, the AP handles
authentication; if you select the check box, the controller handles it.
You must have the controller handle the authentication process if you are using the
controllers internal RADIUS database to authenticate users. You may also want the
controller to handle authentication if you using an external RADIUS server and you
want the controller to be the only RADIUS client for wireless traffic. This setup will
simplify configuration on the RADIUS server. (However, there are other ways to
simplify this setup. For example, you can configure an external RADIUS server to
support all RADIUS clients on a subnet.)
Although the MSM APs are sending only authentication traffic (which is a relatively
small amount of traffic) to the MSM Controller, you must still evaluate the impact of
that traffic. For example, how will the authentication traffic affect traffic flow on the
wired network? You must also ensure that the wired network does not introduce
latency to the authentication process.
446
Rev. 14.21
Wireless Security
Next, you must decide if you want all the VSC traffic to be placed into the same
VLAN or if you want the RADIUS server to send the AP or controller a user-assigned
(dynamic) VLAN assignment. For example, you may want all the users who access a
VSC and authenticate successfully to be assigned to VLAN 10. Alternatively, you may
want the RADIUS server to send a dynamic VLAN assignment when users
authenticate successfully. You could have the RADIUS server send all marketing users
a dynamic VLAN of 70 and all manufacturing users a dynamic VLAN assignment of
80.
Dynamic VLAN assignments override a static VLAN. (You will learn how to configure
a static VLAN by binding a VSC to an AP group on the following page. You will also
practice configuring VSC bindings in the lab.)
Best practices
When configuring 802.1X, keep in mind the following best practices:
Enforce WPA2---As mentioned earlier in this module, you should use WPA2 to
protect wireless communications. This is particularly important for 802.11n
because the standard requires it.
Use a non-access-controlled VSCDisable the Use the Controller for access
control option, as shown in the figure below.
Figure 4-29: Configure 802.1X on the MSM Controller

Rev. 14.21
447
Enable fast roamingAs you learned in Module 3, the 802.1X authentication

process slows roaming. The MSM Controller supports WPA2 opportunistic key
caching, which helps eliminate the delays associated with 802.1X
reauthentication when stations roam between APs at Layer 2. The MSM
Controller manages key distribution between the APs so that when wireless users
roam between APs, reauthentication is not delayed because the station and the
new AP have to renegotiate key values. When you configure fast roaming for a
VSC, you must:
Install a mobility or premium mobility license on the controller.
Disable the Use controller for Access control option
Ensure that stations can roam at Layer 2
To configure a VSC, you click Controller > VSCs >> Overview > Add New VSC
Profile (as shown in the figure above). You will practice configuring a VSC that is
secured with 802.1X and WPA2 in Lab Activity 4.1.
448
Rev. 14.21
Wireless Security
Bind the VSC to an AP group
Bind the VSC to an AP group
Figure 4-30: Bind the VSC to an AP group
If you want all VSC traffic placed into the same VLAN, you bind the VSC to an AP
group. As you would expect, the VSC is then bound to all the APs that are part of
Rev. 12.31
30
that AP group.
To access the VSC binding window, select an AP group in the navigation tree and
click VSC bindings. Then click Add New Binding.
You then configure the following settings:
VSC profileUse the drop-down menu to select the VSC you want to bind to this
group.
Egress networkUse the drop-down menu to select the network profile that
defines the VLAN.
Dual-radio behaviorSpecify if the VSC will be active on one or both radios.
Group nameEnsure the correct AP group is selected.
You will practice binding a VSC to an AP group in Lab Activity 4.1.
Rev. 14.21
449
Lab ActivityLab4.1
Activity 4.1
Use the automated workflow to implement a VSC with WPA/WPA2 and
802.1X.
31
Rev. 12.31
In this lab, you will configure a VSC that is secured with 802.1X and WPA/WPA2.
You will first configure the VSC to use the internal RADIUS server and test the
configuration by authenticating a wireless user. You will then change the VSC settings
to use an external RADIUS server.
Your lab guide contains the instructions for performing this lab activity.
450
Rev. 14.21
Wireless Security

Activity 4.1.

Challenges
Key Insights
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
451
topics topics
WPA/WPA2-PSK
WPA/WPA2-PSK (personal mode)

Failed WPA/WPA2-PSK handshake
Activity: Advantages and disadvantages of using WPA/WPA2-PSK
Web-Auth
MAC-Auth
WEP
This section describes a less secure option for authentication: using WPA/WPA2 with
preshared keys.
33
452
Rev. 12.31
Rev. 14.21
Wireless Security
WPA/WPA2-PSK
(personal
mode)
WPA/WPA2PSK (personal
mode)
Less secure than 802.1X
Preshared key provides:
Authentication
Master keys for TKIP or CCMP/AES encryption
Figure 4-33: WPA/WPA2- PSK (personal mode)

34
Rev. 12.31
As mentioned earlier, both WPA/WPA2 and the 802.11i standard on which they are
based specify an exception for the 802.1X requirement. Instead of authenticating
through 802.1X, all users can authenticate by entering the same preshared key. Wi-Fi
also calls this option Personal mode.
WPA/WPA2-PSK allows small businesses without an EAPOL-compatible RADIUS
server to take advantage of the stronger encryption offered by TKIP or CCMP/AES.
You might also select this variant of WPA/WPA2 if you must configure a WLAN for
guests with stations that might not support 802.1X.
802.1X typically helps APs and stations derive unique keys from which other keys are
derived. For WPA/WPA2-PSK, all keys are derived from the preshared key instead.
However, each station still computes its own per-frame keys.
Like open-system WEP, WPA/WPA2-PSK institutes a de facto, rather than formal,
authentication. A user who enters the incorrect preshared key completes the 802.11
association, but the TKIP or CCMP handshake fails, and the station cannot forward
data.
Rev. 14.21
453
Figure 4-34: Failed WPA/WPA2-PSK handshake

35
Rev. 12.31
Now that you understand TKIP (or CCMP) handshakes, you should understand how a
WPA preshared key enforces de facto authentication. The preshared key acts as the
PMK for WPA-PSK.
If a station and an AP have different preshared keys, or PMKs, they derive different
PTKs. From the PTKs, they in turn derive different KCKs. When the AP uses its KCK to
check the stations response in the four-way handshake, the check fails. The AP drops
the response, and the station, although formally associated with the AP, can never
complete the handshake. Typically, the station then disassociates itself.
454
Rev. 14.21
Wireless Security

WPA/WPA2-PSK
WPA/WPA2-PSK
What are the advantages of using WPA/WPA2-PSK?
What are the disadvantages of using WPA/WPA2-PSK?
Figure 4-35: Activity: Advantages and disadvantages of using WPA/WPA2-PSK
1.
36
Rev. 12.31
What are the advantages of using WPA/WPA2-PSK?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
2.
What are the disadvantages of using WPA/WPA2-PSK?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
455
topics topics
WPA/WPA-PSK
Web-Auth
Web-Auth overview
Web-Auth advantages and disadvantages
MAC-Auth
WEP

You will now learn about Web-Auth, an authentication option that is typically used
for guests.
37
456
Rev. 12.31
Rev. 14.21
Wireless Security
Web-Auth overviewWeb-Auth overview

Authenticates users without requiring:
802.1X supplicant
Special configuration on the client
Used for:
Guest access
Public wireless networks
Small-to-medium organizations
Figure 4-37: Web-Auth overview
Wireless network access used to be a perk. Today, however, users expect it. Now, in
addition to accommodating regular employees, companies need to provide wireless
access for guests or partners. Customers and other guests request network services
such as Internet access, and if companies do not provide these network services to
them, their competition will.
In these situations, you 38
cannot
be sure that all users stations will support 802.1X or
Rev. 12.31
particular EAP methods. You cannot help the users configure their stations correctly to
complete the authentication. On the other hand, you do not want to open your
wireless and wired network to anyone with a wireless NIC.
Web-Auth is one solution for this type of network access. As the name suggests,
Web-Auth makes it easy for users to access the network through their familiar Web
browser interface. They can then connect to the Internet with a minimum of hassle.
Rev. 14.21
457

Web-Auth Web-Auth
Advantages
Requires only a Web browser interface
Provides a good solution for guests
Disadvantages
Does not require encryption
Requires input from users
39
Figure 4-38: Activity: Advantages and disadvantages of using Web-Auth
Rev. 12.31
Advantages of Web-Auth
Security solutions such as WPA/WPA2 require specific capabilities, but any station
can authenticate to a wireless network that uses Web-Auth as long as the user has a
legitimate username and password and a Web browser.
Web-Auth also allows you to open parts of your network to guests by providing
limited access to unauthenticated users. Choose Web-Auth when you want to provide
limited network rights or simple Internet access to the public. For example, suppose
your company is a retail store with wireless network access for managers and
support staff. Customers, however, can bring their own devices and reach a Web
page that provides information about products and upcoming promotions.
Other environments with external users who may benefit from Web-Auth include:
Hospitals
Universities
Cafs, libraries, hotels, airports, and other businesses that provide courtesy
wireless networks
Disadvantages of Web-auth
Web-Auth does not require encryption.
Because Web-Auth requires interaction with the user, you cannot use it to
authenticate stations or devices without a user interface.
458
Rev. 14.21
Wireless Security
The MSM Controllers provide more for guest access than Web-Auth. You will learn
more about these sophisticated guest solutions and begin configuring them in the
next module.
Rev. 14.21
459
topics topics
WPA/WPA2-PSK
Web-Auth
MAC-Auth
MAC-Auth overview
Local MAC-Auth
Remote MAC-Auth
Activity: Advantages and disadvantages of using MAC-Auth
Configuring MAC-Auth on the MSM Controllers
Lab Activity 4.2
WEP
This section describes MAC-Authone of the least secure authentication methods

Rev. 12.31
40
available.
460
Rev. 14.21
Wireless Security
MAC-Auth MAC-Auth
overview
Access control for stations with limited authentication capabilities
All 802.11 authentication requests include the stations MAC address.
This address is checked against:
MAC address list that is stored on an AP or controller
Login credentials that are configured in a RADIUS server
Provides minimal security

Figure 4-40: MAC-Auth overview
MAC-Auth, which is one of the most basic security options available, adds only
minimal protection to 802.11s open-system authentication.
Although the IEEE 802.11 specification does not require MAC-Authand MAC-Auth
is not as secure as other authentication optionsmany vendors support it because it
is the only option for devices that do not have a user interface or support for 802.1X.
Typically, an AP accepts all 802.11 authentication requests. When MAC-Auth is
Rev. 12.31
enforced,41 however,
the AP or controller (depending on which device is handling
authentication) filters requests according to the source MAC address in the request
frames header. Because all stations must include their MAC address in the request
frame, all stations can be controlled through MAC authentication.
Two types of MAC-Auth are available:
Rev. 14.21
Local MAC-AuthWith local MAC-Auth, a MAC address list is configured and

stored on either the AP or the controller.
RADIUS MAC-AuthRADIUS MAC-Auth relies on a RADIUS server to approve
or reject the authentication request.
461
Local MAC-Auth
Local MAC-Auth
Figure 4-41: Local MAC-Auth
With local MAC-Auth, the AP or controller checks access requests against lists stored
locally. Typically, two types of lists are supported:
462
Allow
Rev. 12.31 list of addresses allowed to associate with the AP. This list might
42 lista
also be called a white list.
Deny lista list of addresses prohibited from associating with the AP. This list
might also be called a block or black list.
Rev. 14.21
Wireless Security
Remote MAC-Auth
RADIUS MAC-Auth
AP or controller translates stations request to RADIUS format and sends it
to a RADIUS server.
Figure 4-42: RADIUS MAC-Auth

Rev. MAC-Auth,
12.31
With RADIUS
the AP or controller submits the stations request to a
43
RADIUS server. In RADIUS terminology, the AP or controller is a Network Access
Server (NAS), and it must create a properly formatted NAS Access-Request packet:
1.
The AP or controller copies the source MAC address of the stations request into
the packets username field. The AP must use the format in which the address is
stored on the RADIUS server. (For example, if the RADIUS server uses delimiters,
the AP must use delimiters.)
2.
The AP or controller can place one of several values in the password field:
Typically, the AP or controller copies the stations MAC address into this
field using the same format that is used for the username.
Alternatively, the AP or controller copies a different value, such as the

Service Set Identifier (SSID) that the station is requesting to join.
The RADIUS server checks the username and password against its database. If the
values match, the RADIUS server issues an Access-Accept, and the AP sends an
authentication-success response to the station. Otherwise, the RADIUS server issues
an Access-Reject, and the AP forwards an authentication-denied response to the
station.
Rev. 14.21
463

Advantages and disadvantages of using
MAC-Auth Activity:
MAC-Auth
1. How secure is MAC-Auth?
2. What does a station need to support MAC-Auth?
3. What is required to implement and manage MAC-Auth?
44
Figure 4-43: Activity: Advantages and disadvantages of using MAC-Auth
Rev. 12.31
For this activity, your facilitator will organize the class into groups and ask each
group to list the advantages and disadvantages of using MAC-Auth to secure
wireless communications. Consider the following questions to determine the
advantages and disadvantages:
1.
How secure is MAC-Auth?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
2.
What does a station need to support MAC-Auth?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
464
Rev. 14.21
Wireless Security
3.
What is required to implement and manage MAC-Auth?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
4.
Why might you use RADIUS MAC-Auth as opposed to MAC filters and vice
versa?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Rev. 14.21
465
Configuring
MAC-Auth
on the
Controllers
Configuring
MAC-Auth
on theMSM
MSM Controllers
RADIUS
Remote (network) RADIUS server
Local (internal) RADIUS server
Other ways to block or allow

stations based on MAC address
MAC lockout (global)
Wireless MAC filter (VSC-based)
Figure 4-44: Configuring MAC-Auth on the MSM Controllers
The MSM Controller supports MAC-Auth through a network RADIUS server or its own
internal RADIUS server. When configured to support MAC-Auth, the MSM Controller
copies the stations MAC address into the password field, using the same format that
is used for the username.
45
Rev. 12.31
If you want to use a remote, or network, RADIUS server, you have two options for
configuring the VSC:
Enable the Use Controller for Authentication option for a VSCIf you select this
option, the MSM Controller handles MAC-based authentication. The APs
forward all authentication requests to the controller, and you can configure the
controller to validate user login credentials against a network RADIUS server or
the internal RADIUS server (local user accounts).
When configuring a local user account for MAC-Auth, you enter the MAC
address for both the username and password. Specifically, enter the 12
hexadecimal numbers in lowercase without dashes and colons as follows:
0003520a0f01
Disable the Use Controller for Authentication option for a VSCIf you clear this
option, the APs handle MAC-based authentication. The APs send authentication
requests to a network RADIUS server for validation.
You can also configure MAC lockout, which allows you to block particular MAC
addresses. MAC lockout is applied to:
Stations that connect to controlled APs
Wired ports on controlled APs
Local mesh ports
Controllers LAN port
However, MAC lockout is not applied on the controllers Internet port.

In addition, you can allow or block certain MAC addresses by configuring a
Wireless MAC filter for a particular VSC. This feature is explained later in this
module.
466
Rev. 14.21
Wireless Security
Lab ActivityLab4.2
Activity 4.2
Create a VSC that enforces WPA/WPA2-PSK

46
Rev. 12.31
You will now complete a lab in which you configure a VSC that enforces WPA-PSK.
Rev. 14.21
467

Activity 4.2.

Challenges
Key Insights
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
468
Rev. 14.21
Wireless Security
topics topics
WPA/WPA2-PSK
Web-Auth
MAC-Auth
WEP
Static WEP
Shared-key WEP
Open-key WEP

Although static WEP is no longer recommended as a security option, you may find
that some companies are using it. This section explains the WEP encryption
algorithm and points out its weaknesses.
48
Rev. 14.21
Rev. 12.31
469
Static WEPStatic WEP

Devices use symmetric keys to encrypt and decrypt data:
Transmitting station encrypts the payload.
Receiving station decrypts the payload.
Key provides both encryption and authentication.

Two types of static WEP:
Shared-key WEP
Open-key WEP
Figure 4-47: Static WEP
WEP was designed to secure wireless networks. Its very nameWired Equivalent
Privacyimplied that it would provide the same privacy for the shared wireless
medium that users enjoyed on a point-to-point wired connection.
How did WEP measure up? As you have learned basic wireless security has three
requirements:
Authentication
Rev. 12.31
49
Confidentiality
Integrity
WEP attempted to meet both authentication and confidentiality needs with a secret
key but, in the end, did not meet either.
Encryption
With WEP, all stations and the AP in a given WLAN must encrypt frames with a
shared key before transmitting them over the wireless medium. The secret key
encrypts the 802.11 payload, not the header. The receiving stations and the AP use
the same key to decrypt the frames. (That is, the key is symmetric.) If the AP receives
a frame it cannot decrypt, it drops the frame.
Encryption occurs between the AP and wireless stations. The AP decrypts traffic
before transmitting it into the wired network, where it travels in plain text.
Authentication
The WEP standard does not mandate how the shared key is established. Static WEP
uses a single key shared between all stations and APs. As a result, the encryption
key also authenticates users: users must know the key in advance for their stations to
associate with the AP.
Two methods are commonly used for sharing the WEP key:
470
Static WEP
Dynamic WEP
Rev. 14.21
Wireless Security
Shared-keyShared-key
WEP WEP
Stations encrypt a challenge to prove they have the key.
Attackers combine plain text challenge and encrypted challenge to derive
the key.
50
Rev. 12.31
Figure 4-48: Shared-key WEP
Shared-key authentication occurs during the 802.11 authentication process. It

requires a station to formally prove that it has the correct secret key before it can
associate to an AP. A station must support WEP encryption to use shared-key
authentication.
Shared-key authentication process

The station initiates the four-step shared-key authentication process:
1.
The station transmits an authentication request specifying the shared-key

authentication subtype.
The station and AP must agree on the authentication subtype. If a station
transmits a shared-key authentication request and the AP supports only open
authentication, the station cannot authenticate.
Rev. 14.21
2.
The AP generates an authentication challenge, which contains a random

challenge string in plain text.
3.
The station copies the challenge text into its response. The station then uses its
shared key to encrypt the frame payload and transmits the encrypted response
back to the AP.
4.
The AP decrypts the encrypted frame. If the challenge text matches the challenge
the AP sent, it knows the station is using the correct WEP key; the AP transmits
an authentication-success response. Otherwise, the AP replies with an
authentication-failed message and prohibits the station from associating.
471
Vulnerability of shared-key WEP

WEP, which is an exclusive OR (XOR) stream cipher, operates on three basic strings:
data, encrypted data, and a key. Just as combining encrypted data and a key
produces the plain text data, combining plain text data and the same encrypted data
produces the key. With this knowledge, you can identify the problem with shared-key
WEP: a hacker can easily intercept the challenge (data in plaintext) and the
response (the same data in encrypted form), perform the XOR function, and discover
the key. (For more information about the vulnerabilities of shared-key WEP, see
Appendix A.)
As mentioned earlier, IEEE has disapproved WEP for securing wireless
communications.
472
Rev. 14.21
Wireless Security
Open-key WEP
Open-key WEP
All stations can authenticate.
AP drops frames encrypted with the wrong key.
Only authorized stations can forward data.
51
Rev. 12.31
Figure 4-49: Open-key WEP
Open-key WEP uses 802.11 open-system authentication. In theory, any station can
authenticate and associate to the AP; in practice, however, only stations with the
correct key can connect to the network.
After associating to a WLAN, stations can send data. At this point, the stations must
encrypt every frame with the shared WEP key before transmitting the frame to the AP.
If the AP can decrypt the frame, the AP accepts it. Otherwise, the AP drops the
frame. Because the AP drops all incorrectly encrypted frames, only stations with the
correct key can send data into the network.
Even though, at first glance, open-key WEP seems less restrictive than shared-key,
most network administrators consider open-key WEP more secure: at least it does not
feed hackers information about the WEP key.
As mentioned earlier, neither shared-key nor open-key WEP is a recommended
security option. Hackers can compromise WEP encryption with readily available
tools:
Finally, because you must configure the WEP keys manually on every AP, static WEP
consumes a disproportionate amount of IT resources for the relatively little security it
offers. Best practices dictate that you change the key not only every time an
employee leaves the organization or a device is potentially compromised, but also
periodically. In reality, many networks use the same key for monthsif not longer.
Rev. 14.21
473
topics topics
WPA/WPA2-PSK
Web-Auth
MAC-Auth
WEP
Security filters for VSCs

Client-to-site and site-to-site VPNs
Lab Activity 4.3
You will now learn about some additional security features that the MSM Controllers
and APs support. These features allow you to control which resources users are
allowed to access on the network.
52
474
Rev. 12.31
Rev. 14.21
Wireless Security
Security filters
forfilters
VSCs
Security
for VSCs
Wireless security filters
Not generally recommended for non-access-controlled VSCs
Wireless MAC filter

Wireless IP filter
Figure 4-51: Security filters for VSCs
With an MSM solution, you can apply additional layers of security in the form of
filter. These filters either restrict wireless traffic or the wireless users allowed on the
network. You configure these filters for individual VSCs.

The wireless security filters force APs to bridge all traffic to a specific upstream device
(such as an MSM Controller or a routing switch.) This allows you to restrict wireless
traffic to the device that will forward that traffic on the wired network. For example, in
many environments,
particularly public access ones, wireless users are placed on
Rev. 12.31
53
their own subnet. They do not need to access other devices in this subnet but only the
Internet and perhaps a limited set of resources in the private network. In such an
environment the wireless users traffic should be bridged to their default router at
Layer 2. (At Layer 3, the traffic might be destined to a variety of valid IP addresses.)
When you enable the Use Controller for Access Control option for a VSC, the
wireless security filter allows the AP to forward only user traffic that is addressed (at
Layer 2) to the controller. It must block all other traffic.
In this case, you must make sure that the controller is the wireless stations default
gateway. Otherwise, all user traffic will be blocked by the AP.
When you disable the Use Controller for Access Control option for a VSC, you have
several options for security filters. You can restrict traffic to:
APs default gatewayIf you select this option, make sure that the wireless
stations have the same default router as the AP. In other words, the stations and
the AP must be on the same subnet (VLAN).
Specified MAC addressSelect this option if wireless stations that connect to
this VSC are placed on a different subnet from their AP default gateway. Enter
the MAC address of the station default gateway on their subnet.
Custom list--You can create a custom list of allowed MAC addresses. For
example, you might select this option when wireless users who connect to this
VSC are placed in several different VLANs. They have different default
gateways, and you must specify the MAC address for each gateway.
If the Use the Controller for Access Control option is selected for a VSC, the wireless
security filters are enforced before any configured authentication options. For
example, if the VSC is configured to support 802.1X, the wireless security filters are
enforced before the wireless station begins the 802.1X authentication process.
Rev. 14.21
475
If the Use the Controller for Access Control option is not selected, however, the station
is authenticated before the wireless security filters are enforced.
Wireless security filters are generally used in access-controlled VSCs in which APs
tunnel all traffic to the controller. You should always be careful when implementing a
wireless security filter on a non-access-controlled VSC. You have to use custom filters
to specify every potential default gateway, and you might make an error, or the MAC
addresses might change. In addition, some applications require particular
broadcasts, or the clients might actually require access to specific resources on their
VLAN.
For these reasons, you should generally use different methods of security and leave
wireless security filters disabled on access-controlled VSCs.
Wireless MAC filter

The wireless MAC filter controls which wireless devices are allowed to connect to the
VSC, based on their MAC address. On each VSC, you can create one of two types
of list:
Allow listUse this type (sometimes called a white list) when you want to create
an exclusive pool of devices allowed to connect. For example, you could specify
the MAC address for each of your companys wireless devices.
Block listThis type (sometimes called a black list) acts much like a MAC
lockout feature. All devices are allowed to connect except the ones specified on
the list, which are blocked by APs.
On each VSC, you can create either an allow list or a block list. You cannot specify
both allowed MAC addresses and blocked MAC addresses on a single VSC.
You can use both MAC-Auth and a Wireless MAC filter for a particular VSC. If the
Use the Controller for Access Control option is selected for a VSC, the Wireless MAC
filter is executed first. If this option is not selected, MAC-Auth is executed first.
Wireless IP filter
With wireless IP filters, you can restrict wireless-to-wired traffic to specific destination
IP addresses or subnets. For example, in a public access VSC (which you will learn
more about in the next module), you could specify the IP address of your public Web
server. APs would drop all other traffic.
Because a wireless IP filter controls the IP addresses to which wireless stations can
send traffic, it offers more granular control of the endpoints (or servers) that wireless
users can access.
A wireless security filter controls the IP addresses to which wireless stations can send
traffic. It controls whether wireless users can communicate with any device in its
subnet (including other wireless devices) or only its default gateway.
If the Use the Controller for Access Control option is selected for a VSC, the wireless
IP filters are enforced before any configured authentication options. For example, if
476
Rev. 14.21
Wireless Security
the VSC is configured to support 802.1X, the wireless IP filters are enforced before
the wireless station begins the 802.1X authentication process.
If the Use the Controller for Access Control option is not selected, however, the station
is authenticated before the wireless IP filters are enforced.
Rev. 14.21
477
Client-to-site
and site-to-site
VPNs
Clients-to-site
and site-to-site
VPNs
Secures wireless communications for a VSC that does not enforce
encryption
Designed to be used with low data applications such as point of sale
terminals
Supports:
IPsec, L2TP, or PPTP VPNs
Client-to-site VPNs
Site-to-site VPNs
54
Rev. 12.31
Figure 4-52: Client-to-site and site-to-site VPNs
A VPN consists of a virtual point-to-point connection between two endpoints; this

virtual connection is called a tunnel. Because the endpoints communicate over an
untrusted network such as the Internet, the tunnel must provide data integrity,
authenticity, and privacy. Such a tunnel is called a secure channel. (A detailed
explanation of VPNs is outside the scope of this course. For more information about
VPNs and other security technologies, complete the HP Network Infrastructure
Security Technologies Web-Based Training course. Visit
ww.hp.com/networking/training for more information.)
The MSM Controller allows you to secure wireless communications using IP Security
(IPsec), L2TP, and PPTP VPNs. This solution is designed for applications that generate
a relatively low volume of data, such as point of sale (POS) terminals.
The MSM Controller supports client-to-site VPNs. Each wired or wireless station
establishes its own tunnel to the controller.
The MSM Controller also supports site-to-site VPNs. It can establish a VPN tunnel
with another VPN gateway.
This course does not include detailed information about VPNs. Keep in mind these
guidelines:
478
Select the Use controller for Access control option

Validate user credentials with internal RADIUS server, network RADIUS server, or
Active Directory
On the wireless client specify the controllers LAN port as the VPN
gateway
On the MSM760 and MSM775 zl a maximum of 50 user sessions are
supported across all VSCs. On the MSM720 the limit is 15 sessions.
Rev. 14.21
Wireless Security
Lab ActivityLab4.3
Activity 4.3
Modify the VSC using WPA/WPA2 and 802.1X to authenticate users to an
external RADIUS server.
55
Rev. 12.31
As a final lab on the security measures that you have learned about throughout the
module, you will alter your X_Marketing VSC to authenticate users to an external
RADIUS server.
Rev. 14.21
479

Activity 4.3.

Challenges
Key Insights
NOTES
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
480
Rev. 14.21
Wireless Security
Summary
Summary
Authentication and encryption
Most secure: 802.1X with WPA2
Less secure option for smaller companies: WPA2-PSK
Guest or public access: Web-Auth
No longer recommended: static or dynamic WEP
Least secure: MAC-Auth
Additional security
Wireless MAC filter
Wireless IP filter
VPNs
Figure 4-54: Summary
In an Ethernet network, requiring users to authenticate may be enough to secure the

network. Wireless networks, however, typically require encryption as well. This
module outlined the options most wireless solutions offer for authenticating wireless
Rev. 12.31
users and57 protecting
their wireless transmissions.
As you learned, 802.1x with WPA2 provides the highest level of security. For smaller
companies that do not want to implement an 802.1X solution, WPA2-PSK provides a
less secure option. Because so many users share the preshared key, it is more likely
that the key will be compromised.
This module briefly introduced Web-Auth, which is typically used for guest or public
access. In the next module, you will learn how the MSM Controller goes beyond just
a simple Web-Auth solution, allowing you to control precisely how guests are
allowed access to the network and which network resources they can access.
You also learned that WEP, the first security option provided for wireless networks,
was easily compromised and is not recommended as a security option for any
network.
Likewise, MAC-Auth allows stations with limited capabilities to access the wireless
network. However, MAC-Auth does not provide strong security because it can be
easily spoofed.
You then learned about additional security measures that the MSM wireless solution
provides:
Rev. 14.21
Wireless, MAC, and IP filters
VPN access
481
Learning check
1.
You are creating a VSC that enforces WPA/WPA2 with 802.1X authentication
and authenticates users to accounts configured on the MSM Controller. You want
users to authenticate with certificates. What is the correct EAP method?
_______________________________________________________________________
2.
Describe the advantages of TKIP and AES-CCMP in terms of the encryption keys
that they use.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
3.
You have enabled MAC-Auth on a VSC and enabled local authentication. When
you create the user account and configure the username, in what format do you
specify the MAC address? What do you configure for the password?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
482
Rev. 14.21
To learn more about HP Networking, visit

www.hp.com/networking
2014 Hewlett-Packard Development Company, L.P. The information contained herein is
subject to change without notice. The only warranties for HP products and services are set forth
in the express warranty statements accompanying such products and services. Nothing herein
should be construed as constituting an additional warranty. HP shall not be liable for technical
or editorial errors or omissions contained herein.

MSMv1 PDF

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

MSMv1 PDF

Hochgeladen von

Copyright:

Verfügbare Formate

Implementing HP MSM

Learner guide volume 1

Learner guide volume 1

Copyright 2014 Hewlett-Packard Development Company, L.P.

This course is an HP ExpertOne authorized course designed to prepare you for

Course introduction: Implementing HP MSM Wireless Networks

Module 1: HP Mobility Solutions

Implementing HP MSM Wireless Networks

Discussion topics ......................................................................................... 1-36

Module 2: Initial Setup and Configuration

Configuring IP and other initial settings .......................................................... 2-39

Implementing HP MSM Wireless Networks

Review: Planning an MSM Controller and AP deployment.................................2-83

Module 3: Wireless Fundamentals

Discussion topics ........................................................................................ 3-43

Implementing HP MSM Wireless Networks

Module 4: Wireless Security

Implementing HP MSM Wireless Networks

Discussion topics ......................................................................................... 4-74

Implementing HP MSM Wireless Networks

Local meshes (wireless bridges)

Controller teaming for redundancy

Special features available on the HP MSM317 Access Device (which provide

Determine appropriate MSM products and licenses for particular environments

Implementing HP MSM Wireless Networks

Establish secure WLANs using technologies such as WPA/WPA2 encryption

Figure Intro-1: Course agenda

The agenda for this course is listed below.

Module 1: Mobility Solution

Lab 1: Initial Network Setup

Module 2: Initial Setup and Configuration

Lab 2.1: Deploying the MSM Controller

Lab 2.2: Discovering and Managing APs

Lab 2.3: Implementing Layer 3 Discovery

Module 3: Wireless Fundamentals

Module 3: Wireless Fundamentals (cont.)

Lab 3: Configuring Radio Settings

Module 4: Wireless Security

Lab 4.1: Configuring 802.1X with WPA2

Lab 4.2: Configuring WPA2-PSK

Lab 4.3: Configuring WPA2 with 802.1X to Windows NPS

Implementing HP MSM Wireless Networks

Module 5: Guest Solutions

Lab 5.1: Implementing a VSC for Guest Access

Module 5: Guest Solutions (cont.)

Lab 5.2: Enabling Free Access and Applying Subscription Plans

Optional Lab 5.3: Customizing Login Pages

Lab 5.4: Customizing Guest Access

Lab 6.1: Configuring User-Based VLANs and Egress VLANs

Lab 6.2: Implementing DHCP Relay for a Guest VSC

Module 7: Wireless Mesh

Module 8: Controller Teaming

Lab 7: Implementing a Local Mesh

Module 9: HP MSM317 Access Devices

HP ASE - FlexNetwork Architect V2 and HP ASE FlexNetwork Integrator certification

Implementing HP MSM Wireless Networks is designed to help you earn the HP

Given a particular customers wireless requirements, recommend the appropriate

Implementing HP MSM Wireless Networks

Figure 1-1: Product overview

HP MSM Controllers, which enable you to centrally configure, manage, and

Access, mobility, and premium mobility controllers

The first section in this module introduces the HP MSM Controllers.