Examining the Different Access Point Operational Modes
© 2008 Cisco Systems, Inc. All rights reserved. IUWNE v1.0—2-*

Access Point Local Mode
- Data services
- Monitoring services
- AP will scan all channels over 180 seconds by default
- Only management packets are inspected for intrusion detection system (IDS) signature matches
- Can be used for site surveys

Access Point Monitor Mode
- Software configuration to reduce AP capabilities to perform only WLAN monitoring on a per-AP basis:
  - Trusted AP policies
  - Signatures
- Both data and management packets are inspected for IDS signature matches
- AP will scan all channels for 1.1 seconds
- AP is only a beacon device

Access Point Sniffer Mode
- Works in conjunction with products like AiroPeek or AirMagnet to monitor a single wireless channel
- Requires an external server to capture the packets
- Gathers the following data

Access Point Rogue Detector Mode
- Software configuration to reduce AP capabilities to perform only rogue detection on a per-AP basis
- Listens for rogue devices on the wired network
- Compares ARP requests heard on the network to the rogue MAC addresses reported by the controller
- Generates an alarm when a wireless rogue is seen on the wired side
- Does not allow client connectivity: radios are shut down and 100% of the CPU is dedicated to rogue detection
- Does not perform rogue containment

Access Point H-REAP Mode
- Designed to support remote offices
- Control traffic is still LWAPP-encapsulated and sent to the Cisco Wireless LAN Controller (WLC); client data can be locally bridged
- All management control and RF management is available when the WAN link is up and connectivity to the Cisco WLC is available
- H-REAP can remain operational when unable to communicate with a controller during a WAN outage

H-REAP Operating Modes
- When operating in LWAPP, H-REAP-compatible APs have two possible modes:
  - Connected mode (connected state): when the H-REAP can reach the controller, it gets help from the controller to complete client authentication
  - Standalone mode (disconnected state): when the AP cannot reach the controller, it processes client requests based on local settings and rules

H-REAP in Connected Mode
- Once an AP is configured as H-REAP, the controller informs the AP of the mode change through an LWAPP control message.
- The AP saves this information in NVRAM and boots with the new mode.
- In connected mode, H-REAP traffic can be backhauled to the controller or locally bridged.

H-REAP in Standalone Mode
- Standalone mode (disconnected): when the controller is not reachable by the H-REAP, it goes into standalone mode and performs client authentication by itself
- All the following authentication types are supported in standalone mode: Open, WPA-PSK, WPA2-PSK, 802.1X
- Central-switched WLANs will shut down
- Local-switched WLANs will remain up:
  - Authentication of local WLANs continues to operate normally
  - Existing 802.1X-authenticated clients continue their sessions until they roam or trigger session reauthentication
  - New 802.1X clients are authenticated on the AP from a local user list
- Unsupported features when in standalone mode: RRM, Cisco Centralized Key Management, WIDS, LBS, AP modes, WebAuth, NAC

AP Bridging Mode
- Available on Cisco 1130, 1240, and 1500 APs
- Mode used to set up a mesh network, either indoor or outdoor
- Allows the AP to act as a wireless LWAPP bridge
- Only shows up on supported hardware
- An additional protocol, Adaptive Wireless Path Protocol (AWPP), is used by the AP to determine the best route to the network

Summary
- An access point can be configured to operate in different modes.
- In local mode, it provides data services on one channel while still monitoring the other channels.
- In monitor mode, it scans all the channels permanently.
- In sniffer mode, it captures frames on one channel and redirects them to a station.
- In rogue detector mode, it detects wireless rogues on the wired network.
- Some access points can be configured to H-REAP mode, where they can provide access without being in the same network as their controller.
- Some access points can be configured to bridge mode to build mesh networks.
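The wired-side check described under Access Point Rogue Detector Mode, as an added Python example (not course material or Cisco code): it parses ARP requests from Ethernet frames and raises an alarm when the sender MAC matches a rogue MAC the controller reported. The frame builder, rogue MACs and IP addresses are constructed for illustration only.

```python
import struct

def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff; return colon form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_arp_request(frame: bytes):
    """Return (sender_mac, sender_ip) for an Ethernet-framed ARP request, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # 14-byte Ethernet header + 28-byte ARP
        return None
    hw, proto, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen, opcode) != (1, 0x0800, 6, 4, 1):  # Ethernet/IPv4, opcode 1 = request
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_mac, sender_ip

def detect_wired_rogues(frames, rogue_macs):
    """Alarm on every ARP request whose sender MAC is one the controller reported as a rogue."""
    rogues = {normalize_mac(m) for m in rogue_macs}
    alarms = []
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed and parsed[0] in rogues:
            alarms.append({"rogue_mac": parsed[0], "wired_ip": parsed[1]})
    return alarms

def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Constructed test data only: a broadcast ARP request as it would appear on the wire."""
    smac = bytes.fromhex(normalize_mac(sender_mac).replace(":", ""))
    sip = bytes(int(o) for o in sender_ip.split("."))
    tip = bytes(int(o) for o in target_ip.split("."))
    ethernet = b"\xff" * 6 + smac + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + smac + sip + b"\x00" * 6 + tip
    return ethernet + arp

# Constructed sample: rogue MACs "reported by the controller" (Cisco dotted notation)
# and two ARP requests heard on the wired segment, the first from a legitimate host.
ROGUE_MACS = ["0011.2233.4455", "00de.ad00.beef"]
SAMPLE_FRAMES = [
    build_arp_request("aa:bb:cc:00:00:01", "10.0.0.5", "10.0.0.1"),
    build_arp_request("00:11:22:33:44:55", "10.0.0.77", "10.0.0.1"),
]

if __name__ == "__main__":
    for alarm in detect_wired_rogues(SAMPLE_FRAMES, ROGUE_MACS):
        print("ROGUE ON WIRE:", alarm)
```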