Iuwne10 S02 L04

Examining the different access point operational modes
IUWNE v1.0—2-*
© 2008 Cisco Systems, Inc. All rights reserved.
Screenshot: All APs > Detail page (controller GUI, where the AP mode is selected)
Access Point Local Mode (default)
Data services: serves clients on its assigned channel
Monitoring services: the AP briefly goes off-channel to scan the other channels, covering all channels once every 180 seconds by default
Only management frames are inspected for intrusion detection system (IDS) signature matches, so an attack that shows up only in data frames is not seen by a local-mode AP
Can be used for site surveys
Access Point Monitor Mode
Software configuration that reduces the AP, on a per-AP basis, to WLAN monitoring only; the monitor-mode AP enforces:
Trusted AP policies
Signatures
Both data and management frames are inspected for IDS signature matches
AP scans all channels continuously, dwelling about 1.1 seconds on each channel
AP provides no client access; it acts only as a monitoring sensor
Access Point Sniffer Mode
Works in conjunction with products like AiroPeek (now OmniPeek) or AirMagnet to monitor a single wireless channel
Requires an external analyzer host to receive and store the captured frames; the AP forwards every frame it hears on the configured channel to that host's IP address
Captured frames carry the following data: time stamp, signal strength, and packet size
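What arrives on the analyzer host is a stream of UDP datagrams, not a normal 802.11 capture, so the first job is to strip the forwarding header and recover the raw frame. The decoder below is an added example written for this page, not Cisco's or any vendor's code. It assumes the AP sends to UDP port 5555 and that each datagram starts with the 20-byte legacy AiroPeek remote-capture header as Wireshark's peekremote dissector lays it out (signal and noise percentages, packet and slice length, flags, status, a 64-bit timestamp, data rate in 500 kb/s units, channel, and dBm values), followed by the raw 802.11 frame; both the port and the field layout are assumptions to verify against your own capture, and the sample datagram is constructed.

```python
"""Decode one sniffer-mode capture datagram.

Added example, not Cisco code. Assumptions, to be verified against a real capture:
  * the AP forwards each captured 802.11 frame inside a UDP datagram to the
    configured sniffer host (port 5555 is assumed);
  * the UDP payload begins with a 20-byte legacy AiroPeek remote-capture header,
    laid out as Wireshark's peekremote dissector decodes it, followed by the
    raw 802.11 frame.
"""
import struct

SNIFFER_UDP_PORT = 5555   # assumption: destination port used by the AP

# 20-byte legacy header (assumed layout): signal %, noise %, packet length,
# slice length, flags, status, 64-bit timestamp, rate (500 kb/s units),
# channel, signal dBm, noise dBm
_HDR = struct.Struct(">BBHHBBQBBbb")
HEADER_LEN = _HDR.size   # 20

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}


def parse_sniffer_datagram(payload: bytes) -> dict:
    """Split a sniffer-mode UDP payload into radio metadata and the 802.11 frame."""
    if len(payload) < HEADER_LEN:
        raise ValueError("payload shorter than the %d-byte capture header" % HEADER_LEN)
    (sig_pct, noise_pct, pkt_len, slice_len, flags, status,
     timestamp, rate_500k, channel, sig_dbm, noise_dbm) = _HDR.unpack_from(payload, 0)
    frame = payload[HEADER_LEN:]
    if len(frame) < slice_len:
        raise ValueError("truncated: header promises %d bytes, %d present" % (slice_len, len(frame)))
    return {
        "signal_pct": sig_pct, "noise_pct": noise_pct,
        "packet_len": pkt_len, "slice_len": slice_len,
        "flags": flags, "status": status, "timestamp": timestamp,
        "rate_mbps": rate_500k / 2.0,
        "channel": channel, "signal_dbm": sig_dbm, "noise_dbm": noise_dbm,
        "frame": frame[:slice_len],
    }


def parse_80211_header(frame: bytes) -> dict:
    """Decode type, subtype and the three address fields of an 802.11 MAC header."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a 24-byte 802.11 MAC header")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    addr = [frame[4 + 6 * i: 10 + 6 * i].hex(":") for i in range(3)]
    info = {"type": FRAME_TYPES.get(ftype, "reserved"), "subtype": subtype,
            "addr1": addr[0], "addr2": addr[1], "addr3": addr[2]}
    if ftype == 0:   # management frame: addr1 = DA, addr2 = SA, addr3 = BSSID
        info.update(dst=addr[0], src=addr[1], bssid=addr[2])
    return info


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


# Constructed sample: a beacon (type 0, subtype 8) heard on channel 6 at 6 Mb/s.
_BEACON = (bytes([0x80, 0x00]) + b"\x00\x00"           # frame control, duration
           + _mac("ff:ff:ff:ff:ff:ff")                  # addr1: broadcast DA
           + _mac("00:11:22:33:44:55")                  # addr2: SA
           + _mac("00:11:22:33:44:55")                  # addr3: BSSID
           + b"\x10\x00"                                # sequence control
           + bytes(8) + b"\x64\x00" + b"\x11\x04")      # TSF, beacon interval, capability
SAMPLE_DATAGRAM = _HDR.pack(60, 5, len(_BEACON), len(_BEACON), 0, 0,
                            1700000000000000, 12, 6, -55, -95) + _BEACON

if __name__ == "__main__":
    meta = parse_sniffer_datagram(SAMPLE_DATAGRAM)
    hdr = parse_80211_header(meta["frame"])
    print("ch %d %.1f Mb/s %d dBm: %s/%d bssid=%s" % (
        meta["channel"], meta["rate_mbps"], meta["signal_dbm"],
        hdr["type"], hdr["subtype"], hdr.get("bssid")))
```

On a real analyzer host, capture the UDP traffic arriving from the AP's IP address and hand each datagram's payload to parse_sniffer_datagram; in Wireshark the same stream is readable by applying Decode As with the PEEKREMOTE dissector to that UDP port, which is the check that confirms the assumed header layout.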
Access Point Rogue Detector Mode
Software configuration that reduces the AP, on a per-AP basis, to rogue detection only
Listens for rogue devices on the wired network; connect the AP to a trunk port so that it hears ARP traffic on every VLAN
Compares the sender MAC address of each ARP request heard on the wire with the rogue MAC addresses reported by the controller
Generates an alarm when a wireless rogue is seen on the wired side, which means the rogue is attached to your own network rather than merely nearby
Does not allow client connectivity: the radios are shut down and 100% of the CPU is dedicated to rogue detection
Does not perform rogue containment
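The wired-side check described above, as an added example: a model written for this page, not Cisco's rogue-detector implementation. It assumes a feed of raw Ethernet frames taken from the trunk port (constructed here, including one 802.1Q-tagged ARP request so that the VLAN is reported) and a list of rogue BSSIDs as the controller would report them. The last_octet_tolerance option is a heuristic of this example and not documented Cisco behaviour: many APs derive their BSSIDs from the wired interface's MAC address, so a small offset in the last octet can be tolerated to catch the rogue's Ethernet side, at the cost of possible false positives on neighbouring addresses.

```python
"""Wired-side rogue detection (added example, not Cisco's implementation).

Listens to ARP requests on the wired network and compares the sender MAC with
the rogue BSSIDs the controller reported. All frames below are constructed.
"""
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100
ARP_REQUEST = 1


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def parse_arp_request(frame: bytes):
    """Return (sender_mac, sender_ip, vlan) for an ARP request in an Ethernet II
    frame, optionally 802.1Q-tagged as heard on a trunk port; None otherwise."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        offset, vlan = 18, tci & 0x0FFF
    if ethertype != ETHERTYPE_ARP or len(frame) < offset + 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, offset)
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    sha = frame[offset + 8:offset + 14]
    spa = frame[offset + 14:offset + 18]
    return mac_str(sha), ".".join(str(b) for b in spa), vlan


def _near(mac: str, bssid: str, tolerance: int) -> bool:
    """Heuristic (this example's assumption): same first five octets and a last
    octet within +/- tolerance of the BSSID."""
    a, b = mac_bytes(mac), mac_bytes(bssid)
    return a[:5] == b[:5] and abs(a[5] - b[5]) <= tolerance


def detect_wired_rogues(frames, rogue_bssids, last_octet_tolerance=0):
    """Raise one alarm per ARP request whose sender MAC matches a reported rogue."""
    rogues = [r.lower() for r in rogue_bssids]
    alarms = []
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed is None:
            continue        # not an ARP request: rogue detection ignores it
        mac, ip, vlan = parsed
        match = next((r for r in rogues
                      if mac == r or (last_octet_tolerance and _near(mac, r, last_octet_tolerance))),
                     None)
        if match:
            alarms.append({"rogue_bssid": match, "wired_mac": mac, "ip": ip, "vlan": vlan})
    return alarms


def build_arp_request(src_mac, sender_ip, target_ip, vlan=None):
    """Construct a sample ARP request frame (test input, not captured traffic)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac)
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    eth += struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += mac_bytes(src_mac) + bytes(int(x) for x in sender_ip.split("."))
    arp += bytes(6) + bytes(int(x) for x in target_ip.split("."))
    return eth + arp


ROGUE_BSSIDS = ["00:1B:2F:AA:BB:C0"]   # constructed controller rogue report
SAMPLE_FRAMES = [
    build_arp_request("00:50:56:11:22:33", "10.1.1.5", "10.1.1.1"),              # legitimate host
    build_arp_request("00:1b:2f:aa:bb:c0", "10.1.10.7", "10.1.10.1", vlan=10),   # rogue's own MAC, VLAN 10
    build_arp_request("00:1b:2f:aa:bb:c1", "10.1.1.9", "10.1.1.1"),              # wired MAC one off the BSSID
    bytes(12) + struct.pack("!H", 0x0800) + bytes(40),                          # IPv4 frame, ignored
]

if __name__ == "__main__":
    for alarm in detect_wired_rogues(SAMPLE_FRAMES, ROGUE_BSSIDS, last_octet_tolerance=1):
        print("ALARM: rogue %(rogue_bssid)s seen on wire as %(wired_mac)s "
              "ip=%(ip)s vlan=%(vlan)s" % alarm)
```

With the tolerance left at 0 only the exact BSSID match on VLAN 10 raises an alarm; with a tolerance of 1 the adjacent wired MAC is reported too, which is the trade-off to weigh before widening the match.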
Access Point H-REAP Mode (Hybrid Remote Edge Access Point)
Designed to support remote offices
Control traffic is still LWAPP-encapsulated and sent to the Cisco Wireless LAN Controller (WLC); client data can be locally bridged
All management, control, and RF management functions are available while the WAN link is up and the AP can reach the Cisco WLC
H-REAP can remain operational when it is unable to communicate with a controller during a WAN outage
When operating in LWAPP, H-REAP-compatible APs have two possible modes:
Connected mode (connected state): when the H-REAP AP can reach the controller, it relies on the controller to complete client authentication
Standalone mode (disconnected state): when the AP cannot reach the controller, it processes client requests based on its local settings and rules
H-REAP in Connected Mode
Once an AP is configured as H-REAP, the controller informs the AP of the mode change through an LWAPP control message. The AP saves this setting in NVRAM and reboots into the new mode.
In connected mode, H-REAP client traffic can be backhauled to the controller (central switching) or locally bridged (local switching), selected per WLAN.
H-REAP in Standalone Mode
Standalone mode (disconnected): when the controller is not reachable, the H-REAP AP goes into standalone mode and performs client authentication by itself
The following authentication types are supported in standalone mode: Open, WPA-PSK, WPA2-PSK, 802.1X
Central-switched WLANs shut down
Local-switched WLANs remain up:
Authentication for local WLANs continues to operate normally
Existing 802.1X-authenticated clients keep their sessions until they roam or trigger session reauthentication
New 802.1X clients are authenticated by the AP itself, against a local user list that must have been configured on the AP in advance
Features unsupported in standalone mode:
RRM (radio resource management), Cisco Centralized Key Management, WIDS, LBS (location-based services), changing AP modes
WebAuth, NAC
AP Bridging Mode
Available on Cisco 1130, 1240, and 1500 APs; the option only appears on supported hardware
Mode used to set up a mesh network, either indoor or outdoor
Allows the AP to act as a wireless LWAPP bridge
An additional protocol, Adaptive Wireless Path Protocol (AWPP), is used by the AP to determine the best route back to the wired network
Summary
An access point can be configured to operate in different modes.
In local mode, it provides data services on one channel while periodically scanning the other channels.
In monitor mode, it scans all channels continuously and serves no clients.
In sniffer mode, it captures frames on one channel and forwards them to an analyzer station.
In rogue detector mode, it detects wireless rogues that are attached to the wired network.
Some access points can be configured in H-REAP mode, where they can provide access without being in the same network as their controller.
Some access points can be configured in bridge mode to build mesh networks.