| This MIB is intended to be implemented on all those
devices operating as Central controllers, that
terminate the Light Weight Access Point Protocol
tunnel from Cisco Light-weight LWAPP Access Points.
Information provided by this MIB is for WLAN security
related features as specified in the CCKM, CKIP
specifications.
The relationship between the controller and the
LWAPP APs is depicted as follows:
+......+ +......+ +......+
+ + + + + +
+ CC + + CC + + CC +
+ + + + + +
+......+ +......+ +......+
.. . .
.. . .
. . . .
. . . .
. . . .
. . . .
+......+ +......+ +......+ +......+
+ + + + + + + +
+ AP + + AP + + AP + + AP +
+ + + + + + + +
+......+ +......+ +......+ +......+
. . .
. . . .
. . . .
. . . .
. . . .
+......+ +......+ +......+ +......+
+ + + + + + + +
+ MN + + MN + + MN + + MN +
+ + + + + + + +
+......+ +......+ +......+ +......+
The LWAPP tunnel exists between the controller and
the APs. The MNs communicate with the APs through
the protocol defined by the 802.11 standard.
LWAPP APs, upon bootup, discover and join one of the
controllers and the controller pushes the configuration,
that includes the WLAN parameters, to the LWAPP APs.
The APs then encapsulate all the 802.11 frames from
wireless clients inside LWAPP frames and forward
the LWAPP frames to the controller.
GLOSSARY
802.1x
The IEEE ratified standard for enforcing port based
access control. This was originally intended for
use on wired LANs and later extended for use in
802.11 WLAN environments. This defines an
architecture with three main parts - a supplicant
(Ex. an 802.11 wireless client), an authenticator
(the AP) and an authentication server(a Radius
server). The authenticator passes messages back
and forth between the supplicant and the
authentication server to enable the supplicant
get authenticated to the network.
Access Point ( AP )
An entity that contains an 802.11 medium access
control ( MAC ) and physical layer ( PHY ) interface
and provides access to the distribution services via
the wireless medium for associated clients.
LWAPP APs encapsulate all the 802.11 frames in
LWAPP frames and sends them to the controller to which
it is logically connected.
Advanced Encryption Standard ( AES )
In cryptography, the Advanced Encryption Standard
(AES), also known as Rijndael, is a block cipher
adopted as an encryption standard by the US
government. It is expected to be used worldwide
and analysed extensively, as was the case with its
predecessor, the Data Encryption Standard (DES).
AES was adopted by National Institute of Standards
and Technology (NIST) as US FIPS PUB 197 in
November 2001 after a 5-year standardisation
process.
Central Controller ( CC )
The central entity that terminates the LWAPP protocol
tunnel from the LWAPP APs. Throughout this MIB,
this entity also referred to as 'controller'.
Cisco Centralized Key Management ( CCKM )
Client and AP exchange several EAPOL packets in the
process of EAP authenticaton to determine dynamic
session key (NSK), which is used for encrypting
packets between them.
When client moves to new-AP, it has to mutually
authenticate with the new-AP and derive new NSK. This
is being done by using complete EAP authentication
(which is time consuming and causes noticeable delay
in the voice application). Till that time, no data
packets are being transmitted between new-AP and
client.
CCKM implementation in first controller caches
client's credentials like session, vlanid, ssid, etc.
and propagates the same to other controllers in
mobility group.
Currently a set of controller can be configured as
part of a mobility group. If client roams across
access points associated to this set of controllers,
then with CCKM implementation in place, the L2
authentication will not happen. To make this happen
a CCKM cache is maintained on each controller and the
first controller where client gets associated update
rest of the controllers in mobility group. On later
reassociations, controller validates the CCKM specific
IE present and allow associations.
Wireless LAN Access Points (APs) manufactured by Cisco
Systems have features and capabilities beyond those in
related standards (e.g., IEEE 802.11 suite of
standards, Wi-Fi recommendations by WECA, 802.1X
security suite, etc). A number of features provide
higher performance. For example, Cisco AP transmits a
specific Information Element, which the clients adapt
to for enhanced performance. Similarly, a number of
features are implemented by means of proprietary
Information Elements, which Cisco clients use in
specific ways to carry out tasks above and beyond the
standard.
Other examples of feature categories are roaming and
power saving.
Cisco Key Integrity Protocol ( CKIP )
A proprietary implementation similar to TKIP. CKIP
implements key permutation for protecting the CKIP
key against attacks. Other features of CKIP include
expansion of encryption key to 16 bytes of length for
key protection and MIC to ensure data integrity.
Light Weight Access Point Protocol ( LWAPP )
This is a generic protocol that defines the
communication between the Access Points and the
Central Controller.
Mobile Node ( MN )
A roaming 802.11 wireless device in a wireless
network associated with an access point. Mobile Node
and client are used interchangeably.
Multilinear Modular Hash ( MMH )
This is a message authentication code. The original
message is run through the hash (with a secret key),
and the code is the result. The code is sent along
with the original message. The receiver of the
message calculates the hash over the original message
(also with the secret key) and compares the final
message authentication code with the code sent with
the message. If the two codes match, the receiver can
be assured that the original message is authentic.
Pre-Shared Key ( PSK )
Pre-shared keys are normally used for
interoperability purposes. The basic idea is that
two parties sharing a common secret can communicate
securely. This idea has been used since cryptography
first sprung onto the scene.
Temporal Key Integrity Protocol ( TKIP )
A security protocol defined to enhance the limitations
of WEP. Message Integrity Check and per-packet keying
on all WEP-encrypted frames are two significant
enhancements provided by TKIP to WEP.
Wired Equivalent Privacy ( WEP )
A security method defined by 802.11. WEP uses a
symmetric key stream cipher called RC4 to encrypt the
data packets.
Wi-Fi Protected Access ( WPA )
Wi-Fi Protected Access (WPA and WPA2) are security
systems created in response to several serious
weaknesses found in Wired Equivalent Privacy (WEP).
WPA implements the majority of the IEEE 802.11i
standard, and was intended as an intermediate
measure to take the place of WEP while 802.11i was
prepared. WPA is designed to work with all wireless
network interface cards, but not necessarily with
first generation wireless access points.
Protected Management Frame (PFM)
Authentication, Authorization, and Accounting (AAA)
Remote Authentication Dial In User Service (RADIUS)
REFERENCE
[1] Wireless LAN Medium Access Control ( MAC ) and
Physical Layer ( PHY ) Specifications,
Amendment 6, MAC Security Enhancements.
[2] draft-obara-capwap-lwapp-00.txt, IETF Light
Weight Access Point Protocol |
