Cisco Fast Secure Roaming
Content
Application Note
Cisco Fast Secure Roaming
Cisco Systems® is pleased to introduce Cisco fast secure roaming with Cisco IOS® Software release 12.2(11)JA for Cisco Aironet® 1200 and 1100 Series Access Points and Cisco Aironet Client Adapter Installation Wizard version 1.1. Cisco fast secure roaming, a component of Wireless Domain Services, provides significant enhancements to Layer 2 (L2) roaming performance. With Cisco fast secure roaming, wireless LAN (WLAN) clients can roam between Cisco Aironet access points in fewer than 150ms. This application note examines all aspects of L2 roaming including: the necessity for fast secure roaming, L2 roaming components, fast secure roaming latency improvements, and configuration considerations for fast secure roaming.
Author
Bruce McMurdo, a Cisco enterprise solution design technical marketing engineer, is the author of this application note. Introduction Wireless domain services (WDS) is introduced with the Cisco Structured Wireless-Aware Network (SWAN). WDS is a collection of Cisco IOS Software features that enhance WLAN client mobility and simplify WLAN deployment and management. These services, supported today on access points and client devices, and on specific Cisco LAN switches and routers in 2004, include fast secure roaming and Institute of Electrical and Electronics Engineers (IEEE) 802.1X local authentication. Fast secure roaming is supported by Cisco Aironet 1200 and 1100 Series access points in conjunction with Cisco or Cisco Compatible client devices. With fast secure roaming, authenticated client devices can roam securely at L2 from one access point to another without any perceptible delay during reassociation. Fast secure roaming supports latency-sensitive applications such as wireless voice over IP (VoIP), enterprise resource planning (ERP), or Citrix-based solutions (Figure 1). WDS provides fast, secure handoff services to access points, without dropping connections, for fewer than 150ms roaming within a subnet.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 1 of 33
Figure 1 Fast Secure Roaming
WAN AP Based WDS Cisco ACS AAA Server
1. Access Point must now 802.1X authenticate with the WDS Access Point (AP1) to establish a secure session 2. Initial client 802.1X authentication goes to a central AAA server (~500ms) 3. During a client roam, the client signals to the WDS it has roamed and WDS will send the client’s base key to the new Access Point (AP2) 4. The overall roam time is reduced to <150ms, and in most cases, <100ms
AP2
AP1
Note: Because the local WDS device handles roaming and reauthentication, the WAN link is not used
More information on Cisco SWAN is available from the references section at the end of this document and at http://www.cisco.com/go/swan. This document provides details on Cisco fast secure roaming protocol implemented in the following software releases: • Cisco IOS Software release 12.2(11)JA or greater for Cisco Aironet 1200 and 1100 Series access points • Client Aironet Client Utility, firmware, and driver software releases included in Cisco Aironet Client Adaptor Installation Wizard version 1.1 or greater Cisco fast secure roaming enhancements will be included in Version 2 of the Cisco Compatible Extensions program, which will be made available to third-party WLAN network interface card (NIC) vendors. Table 1 and Table 2 summarize the client and infrastructure types that can and cannot utilize Cisco fast secure roaming to roam between upstream access points. Table 1 Client Support for Cisco Fast Secure Roaming
Supports Fast Secure Roaming with Cisco Centralized Key Management (CCKM) Yes Yes Yes
Fast Secure Roaming Client Cisco Aironet 340, 350 wireless LAN client adapter cards Cisco Aironet 5 GHz, 54 Mbps wireless LAN client adapter cards Cisco Compatible Extensions version II compliant NICs (when available)
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 2 of 33
Fast Secure Roaming Client Cisco Aironet 1200 and 1100 Series access points running Cisco IOS Software in repeater mode Cisco Aironet wireless bridge in non-root mode Cisco Aironet workgroup bridge
Supports Fast Secure Roaming with Cisco Centralized Key Management (CCKM) Yes
No No
Table 2 Infrastructure Support For Cisco Fast Secure Roaming
Supports Fast Secure Roaming with Cisco Centralized Key Management (CCKM) Yes
Fast Secure Roaming Infrastructure Cisco Aironet 1200 and 1100 Series access points running Cisco IOS Software in access point mode Cisco Aironet 350 Seres access points running Cisco IOS Software in i access point mode (when available)
Yes
Solution Overview Networks are normally partitioned into discrete L2 domains corresponding to Internet Protocol (IP) subnets. This partitioning and the difference between L2 and Layer 3 (L3) roaming are illustrated in Figure 2.
Figure 2 Layer 2 and Layer 3 Roaming
Distribution Layer Switches
Layer 3
Access Layer Switches Access Points Subnet A QoS QoS
Access Layer Switches Access Points Subnet B
Layer 2 Roaming Inter Access Point Protocol (IAPP)
Layer 3 Roaming (Mobile IP)
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 3 of 33
This application note discusses only L2 roaming. L2 roaming occurs when a WLAN client moves between wireless access points that are part of the same IP subnet. A L3 roam occurs when the client roams to an access point in a different subnet. Mobile IP capability is required to provide seamless roaming across L3 subnet boundaries. Every L3 roam is preceded by a L2 link-layer roam. This document examines L2 roaming in detail. L3 roaming will be addressed in a separate application note. Wireless LANs provide the ability to connect to the network from virtually any location within the enterprise. The desire to move from one location to another while maintaining an application session is a natural extension of this extended network reach. The trend toward wireless IP telephony, wireless laptops, and personal digital assistants (PDAs) will further accelerate the desire for seamless network access for clients moving between locations. Wireless LAN benefits specific to mobility include: • Innovative application deployment—New and innovative applications such as actionable alerts, messaging, and workflow applications that require always-on network connectivity, are now possible • Improved efficiency and productivity—Continuous connectivity allows work to be performed any where, any time without interruption • Increased data accuracy—Data can be captured or updated immediately, from any location, which increases data accuracy. • Ubiquity—Users can remain online at virtually any location at home, at work or on the road General Design Characteristics Cisco AVVID (Architecture for Voice, Video, and Integrated Data) provides comprehensive campus network architecture including WLANs. Where possible, the existing Cisco AVVID L3 architecture should be maintained, with wireless LANs deployed as an additional, dedicated, wireless subnet per wiring closet for WLAN overlays. Detailed enterprise network design guidance is provided on the Cisco Solution Reference Network Design Guides home page, available at http://www.cisco.com/go/srnd Clients not compatible with Cisco Centralized Key Management (CCKM), can be migrated to CCKM by making client use of CCKM optional.
Layer 2 Design
Due to access-point WDS processing and memory limitations, Cisco fast secure roaming currently supports a maximum of 30 access points per L2 domain (subnet). Caveats Deploying WLANs as recommended in this document and in the Cisco AVVID Network Infrastructure Enterprise Wireless LAN Design document may result in multiple L2 subnets on the same floor of a building. As recommended in this document, mobile IP is required to roam seamlessly between these L2 subnets. Layer 2 Roaming Primer This section details WLAN client roaming and explains what happens when a WLAN client roams.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 4 of 33
Introduction A L2 roam occurs when a WLAN client moves from one access point to another within the same subnet. If the client moves to a new access point on a different IP subnet, L3 roaming occurs after the L2 roam has completed. Roaming is always a client station decision. The client station is responsible for detecting, evaluating, and roaming to an alternative access point. Figure 3 Sequence of Events for L2 Roam illustrates a L2 roam.
Figure 3 Sequence of Events for L2 Roam
Wired LAN Connecting APs (Intra-Subnet Roaming) 4 Access Point A
IAPP Inter Access Point Protocol 3 Access Point B 2
1
The arrows in Figure 3 indicate the following events: 1. A client moves from access point A coverage area into access point B coverage area (with both access points in the same subnet). As the client moves out of the range of access point A, a roaming event (for example, maximum retries) is triggered. 2. The client scans all IEEE 802.11 channels for alternative access points. In this case, the client discovers access point B and reauthenticates and reassociates to it. After associating to the new access point B, if it is configured for 802.1X, the client begins IEEE 802.1X authentication. 3. Access point B sends a null media access control (MAC) multicast, on the client’s virtual local area network (VLAN), using the source address of the client. This updates the content addressable memory (CAM) tables of the upstream switch and directs further LAN traffic for the client to access point B and not access point A. 4. Using its own source address, access point B sends a MAC multicast, on the native VLAN, telling access point A that access point B now has the client associated to it. Access point A receives this multicast and removes the client MAC address from its association table. This guide focuses on events 1 and 2 in Figure 3. Events 3 and 4 are post-roam actions taken as part of the Cisco Inter Access Point Protocol (IAPP) and are not discussed in this document. • Event 1 in Figure 3 is discussed in the Roaming Events section of this document that describes the events that cause a client to initiate the roam process. • Event 2 in Figure 3 is discussed in the Fast Secure Roaming section where the process of discovering evaluating and roaming to an alternative access point is reviewed.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 5 of 33
Roaming Events This section reviews the events that cause a client to roam. The roaming process is described in the Fast Secure Roaming section. Roaming is always initiated by the client, and is not defined by IEEE standards. For Cisco clients, roaming is caused by one of the following events. • Maximum data retry count is exceeded • Missed too many beacons • Datarate shift • Initial startup • Periodic client interval (if configured)
Maximum Data Retry Count Exceeded
When a client station retries a packet more often than is acceptable under the max data retry count, the station will initiate a roam. The max data retry count defaults to 16, and is configured in the Aironet Client Utility under the RF Network tab for the currently active profile. A sample screen is shown in Figure 4.
Figure 4 Setting Maximum Data Retries in the Aironet Client Utility
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 6 of 33
Missed Too Many Beacons
All clients associated to an access point receive a periodic beacon. By default, access points send a beacon every 100ms, which is the beacon period setting on an access point as is shown in Figure 5.
Figure 5 Max Data Retries, Beacon Period, and Data Rate Settings
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 7 of 33
Clients learn the access point’s beacon interval from an element in the beacon. If a client misses eight consecutive beacons, a roaming event is deemed to have occurred, and the roam process detailed in the Fast Secure Roaming section is initiated. By continuously monitoring for received beacons, even an otherwise idle client is able to detect a loss of wireless link quality, and will initiate a roam.
Datarate Shift
Packets are normally transmitted at the access points’ default rate. The default rate is the highest rate set to the “require” or “enable” setting on the access point. The configuration of data rate on an access point is shown in Figure 5. Every time a packet has to be retransmitted at a lower rate,1 a retransmit count is increased by three. For each packet successfully transmitted at the default rate, the retransmit count is decreased by one, until it is zero. If the retransmit count reaches 12, one of the following scenarios occurs: • If the client has not attempted to roam in the last 30 seconds then the roam process as described in the fast secure roaming event occurs. • If the client has already attempted to roam in the last 30 seconds, the data rate for that client is set to the next lower rate A client transmitting at less than the default rate will increase the data rate back to the next-higher rate after a short time interval if transmissions are successful.
Periodic Client Interval (If configured)
The ability to configure how often, and at what signal strength threshold, the client will scan for a better access point is available in Aironet Client Utility version 6.1 or greater, included in Cisco Aironet Installation Wizard version 1.1 or greater. This capability is configured in the Aironet Client Utility for the selected profile under the radio frequency (RF) network tab as shown in Figure 6.
1. A rate shift occurs when a frame is retransmitted three times and a request to send/clear to send (RTS/CTS) is used to send the last two retransmissions.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 8 of 33
Figure 6 Aironet Client Utility Configuration – Scan For A Better Access Point
Figure 6 Aironet Client Utility Configuration – Scan For A Better Access Point shows the default Aironet Client Utility settings. With these settings, the client will scan for a better access point when both of the following conditions have been met. • The client has been associated to its current access point for at least 20 seconds. This restriction is to prevent a client “flapping” or switching between access points too rapidly. Valid values are from 5 to 255 seconds • The signal strength is less than 50 percent. Valid values range from zero to 75 percent. The periodic scan is a roaming event that causes the occurrence of the roam process described in the Fast Secure Roaming section.
Initial Client Start-up
When a client starts up it goes through the roam process described in the Roam Process section, to scan for and associate with the most appropriate access point. Roam Process The previous section described the five events that cause a client to decide that it needs to roam. This section discusses what a client station does when it roams. The process of finding and re-associating to a new access point includes: • Scan for available access points • Compile a list of roam targets • Pick the best access point from the list of roam targets
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 9 of 33
When a roaming event occurs, the client station scans each 802.11 channel.2 On each channel the client station sends a probe, and waits for a probe responses or beacons from access points on that channel. The probe responses and beacons received from access points are discarded unless they have matching Service Set Identifier (SSID) and encryption settings. Once the scan is complete and the client has a list of responding access points, it selects the access point to compare the others against. That access point is then referred to as the current access point. The current access point is determined in the following manner: • If this is the clients initial start-up – Current access point = the first access point in the list • If the client is roaming – Current access point = the previously associated access point, if it responded to the probe request • If the client is roaming and the previous access point did not respond to the probe request – Current access point = the first access point in the list The current access point is compared with each of the access points in the list of responding access points. To be considered as a new current access point, each access point must meet all the criteria in Table 3. Table 3 Access Point Conditions that Must Be Met for the Access Point to Be Considered a Roam Target
Client station with Cisco Aironet Extensions Enabled (Probe response / Beacon must satisfy all conditions) • Potential roam target access points signal strength is greater than 20 percent and • If signal strength more than 20 percent weaker than current access point, signal strength must be 50 percent or more If the potential roam target access point is in repeater mode and is more radio hops from the backbone than the current access point, its signal strength must be at least 20 percent greater than the current access point’s signal strength The transmitter load for the potential roam target access point can not be more than 10 percent greater than the transmitter load of the current access point
Client Station without Cisco Aironet Extensions Unknown—implementation dependent
Not applicable—radio hop information is Cisco element in beacons. Client stations that do not have Cisco Aironet extension capability cannot read the Cisco beacon element.
Not applicable—access point transmitter load information is Cisco element in beacons. Client stations that do not have Cisco Aironet extension capability cannot read the Cisco beacon element.
The client compares each access point that meets the base criteria listed in Table 3 with the current access point. If an evaluated access point meets any of the criteria listed in Table 4, then the client selects it as the new current access point, and compares the next access point in the list against this new current access point.
2. The client scans all 802.11 channels valid in the country in which the client is operating The Fast Secure Roaming section describes ways in which the fast secure roaming channel scanning enhancements can reduce the number of channels that are scanned during a roam.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 10 of 33
Table 4 Choosing from Eligible Roam Targets
Client Station with Cisco Aironet Extensions Enabled (Access point must satisfy any condition) Signal strength is 20 percent stronger than current access point Fewer hops to the backbone Client Station without Cisco Aironet Extensions (Access point must satisfy all conditions) Unknown—implementation dependent
Not applicable—Backbone hops information is Cisco element in beacons. Client stations that do not have Aironet extension capability cannot read the Cisco beacon element. Not applicable—access point client association load information is Cisco element in beacons. Client stations that do not have Cisco Aironet extension capability cannot read the Cisco beacon element. Not applicable—access point transmitter load information is Cisco element in beacons. Client stations that do not have Cisco Aironet extension capability cannot read the Cisco beacon element.
At least four (or more) fewer clients associated to it than current access point
20+% less transmitter load1
1. Transmitter load is an indication of how busy the access point radio is.
Fast Secure Roaming The Cisco fast secure roaming implementation in Cisco IOS Software release 12.2(11)JA is comprised of two main enhancements. • Improved 802.11 channel scanning during physical roaming • Improved reauthentication using advanced key management The improved 802.11 channel scanning during physical roaming enhancements speeds up all L2 roaming, regardless of the security method used. The improved reauthentication, using advanced key management enhancements, speeds up Cisco LEAP authentication to provide fast secure roaming. Improved 802.11 Channel Scanning Improved channel scanning is enabled by default on Cisco clients and access points and is not configurable. The fast secure roaming enhancements to channel scanning require communication between the client and access point. Improved channel scanning has the following software dependencies: • Cisco IOS Software release 12.2(11)JA or greater • Cisco Aironet Client Utility, firmware, and driver software, which is included in Cisco Aironet Client Adaptor Installation Wizard version 1.1 or greater.
Channel Scanning Prior to Fast Secure Roaming
Before the release of Cisco IOS Software 12.2(11)JA, Cisco Aironet clients took 37ms to scan for each of the 11 802.11 channels in the United States, for a total scan time of ~400ms. (Eleven channels are used in the United States. Different countries use different channel sets.) For each of the 802.11 channels valid in a specific regulatory domain, the client performed the following steps: • Radio hardware physically moves to a specific WLAN channel
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 11 of 33
• Client listens to avoid a collision • Client transmits a probe frame • Client waits for probe responses or beacon frames
Fast Secure Roaming Channel Scanning Improvements
Improvements to the Cisco channel scanning algorithm introduced with Cisco IOS Software release 12.2(11)JA includes: • Re-associating clients now communicate information to the new access point such as the length of time since they lost association with the previous access point, channel number, and SSID. • Using the information from client associations, an access point builds a list of adjacent access points and the channels these access points were using. If the client reporting an adjacent access point was disassociated from its previous access point for more than 10 seconds its information is not added to the new access points list. • Access points store a maximum list of 30 adjacent access points. This list is aged out over a one-day period. • When a client associates to an access point, the associated access point sends the adjacent access point list to the client as a directed unicast packet. The communication between client and access point is shown in Figure 7.
Figure 7 Client and Access Point Communication During Association
Access Points Channel 1
Channel 6
Channel 11
Adjacent Channel is 1
Adjacent Channels are 1 and 11
Roaming Client
When a client needs to roam, it uses the adjacent access point list it received from its current access point to reduce the number of channels it needs to scan. How the client uses the adjacent access point list depends upon how busy the client is. There are three types of client roams: • Normal Roam: The client has not sent or received a unicast packet in the last 500ms. – The client does not use the adjacent access point list obtained from the previous access point. Instead it scans all channels valid for the operating regulatory domain. • Fast Roam: The client has sent or received a unicast packet in the last 500ms.3 – The client scans the channels on which it has been told there is an adjacent access point. – If no new access points are found after scanning the adjacent access point list, the client reverts to scanning all channels.
3. A typical IP telephony call generates a single packet in each direction every 20ms
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 12 of 33
– The client limits its scan time to 75ms if it is able to find at least 1 better4 access point. • Very Fast Roam: the client has sent or received a unicast packet in the last 500ms,5 and the client is contributing a non-zero percentage to the load of the cell. – Identical to a Fast Roam except the scan is ended as soon as a better6 access point is found. If the client did not receive an adjacent access point list from its previous access point, and it wants to fast roam or very fast roam, then it will use the list of channels on which access points were found during its last full scan. Improved Cisco LEAP Authentication Besides fast 802.11 channel scanning, the fast secure roaming feature provides a fast rekey capability for clients using Cisco LEAP as their 802.1X authentication protocol. Improved Cisco LEAP authentication introduces the new CCKM protocol that is a component of the Cisco Wireless Security Suite.
Cisco LEAP Authentication Prior to Fast Secure Roaming
A Cisco LEAP client using Cisco IOS Software version 12.2(8)JA or earlier needs to perform a full Cisco LEAP reauthentication each time it roams. A Cisco LEAP reauthentication requires: • A minimum of 100ms • An average of ~600ms • Up to 1.2seconds + The timeframes above are in addition to the channel-scanning portion of the L2 roam. Cisco LEAP authentication takes this much time because it requires three roundtrips to a Remote Authentication Dial-In User Service (RADIUS) server using the following process: • Client sends identity, Cisco Secure Access Control Server (ACS) or RADIUS Server sends challenge • Client sends challenge response, Cisco Secure ACS sends success • Client sends challenge, Cisco Secure ACS sends challenge response In addition to network transit times, each of these roundtrip transactions requires time-consuming cryptographic calculations, hence the total times quoted above.
Improved Reauthentication Using Fast Secure Roaming Advanced Key Management
Industry standards such as Wi-Fi Protected Access (WPA) and 802.11i require 802.1X and also introduce a new key hierarchy to WLAN security. Cisco fast secure roaming is based on this new key hierarchy. Cisco fast secure roaming is a WDS feature. Cisco fast secure roaming requires 802.1X authentication of access points and clients to a RADIUS server. This authentication uses a dedicated RADIUS server, or the local authentication service running on a Cisco Aironet access point.
4. As defined in the section on roam processes 5. A typical IP telephony call generates a single packet in each direction every 20ms 6. As defined in the section on roam processes
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 13 of 33
About Wireless Domain Services
Wireless Domain Services (WDS) act as a central authentication entity that supports a fast client rekey, rather than requiring a full RADIUS reauthentication each time the client roams. All access points and clients in a L2 domain 802.1X authenticate to a RADIUS server via the WDS that performs the role of 802.1X authenticator. Because all clients and access points authenticate via the WDS, the WDS is able to establish shared keys between itself and every other entity in the L2 domain. These shared keys enable CCKM fast secure roaming. Figure 8 illustrates access points and clients authenticating to WDS.
Figure 8 Access Points and Clients Authenticating to WDS
802.1X Supplicant
802.1X Authenticator/Supplicant
802.1X Authenticator
802.1X Authentication Server
Client
Access Point
Access Point with WDS
RADIUS
Clients Authenticate via the WDS
Access Points Authenticate via WDS
The WDS function is written in Cisco IOS Software and initially runs on Cisco IOS Software on Cisco Aironet access points only. In the future, WDS be available in Cisco router and switch infrastructure products. At least one WDS is required per L2 domain. The CCKM architecture supports WDS redundancy via a MAC-layer multicast primary WDS election process. If redundant WDS are configured, the WDS with the highest priority is elected to be the primary WDS. If equal or no priorities are configured, a primary is dynamically determined. Redundancy provides a cold backup. If the primary WDS fails, all authenticated clients continue to operate, until a roaming event occurs, at which point the client completes a full initial authentication to the RADIUS server, via the backup WDS. All access points in a L2 domain dynamically learn the address of the active WDS via an L2 multicast. The address of the WDS is not configured in any access point. The WDS supports a single L2 domain with up to 30 access points supported per L2 domain. The 30 access point limit is not a physical limit, but is the maximum recommended by Cisco, and the maximum number supported by Cisco Technical Assistance Center (TAC).
Comparing Cisco Fast Secure Roaming with 802.11i or WPA Security Protocols
While the CCKM protocol is very closely aligned to the 802.11i and WPA security specifications, it adds additional steps to perform fast secure roaming. Currently, 802.11i and WPA have no equivalent fast secure roaming capability. Cisco access points support both WPA and CCKM concurrently. However, only CCKM clients can perform fast secure roaming. Figure 9 provides a high-level overview of the differences between 802.11i or WPA key management schemes and CCKM.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 14 of 33
Figure 9 Comparing CCKM Initial Key Establishment with Industry Standard WPA/802.11i Key Management
WPA/802.11i Supplicant Authenticator Authentication Server Supplicant
CCKM Authenticator/ Supplicant WDS Authenticator Authentication Server
Static Password
Infrastructure Authentication
Beacon/probe RSNIE
Cisco LEAP Authentication CTK
Static Password Derive CTK
Derive CTK Beacon/probe RSNIE
Discovery
EAP Credential EAP Authentication EAP Credential Derive PMK PMK 4-way Handshake (nonces) 4-way Handshake (nonces) Derive PTK Derive BTK/KRK PTK Derive PTK WLCCP Encapsulation BTK Derive BTK/KRK NSK EAP Credential Cisco LEAP Authentication WLCCP Encapsulation EAP Credential Derive NSK
Authentication
Derive PMK
Key Management
Derive PTK
2-way Handshake Decrypt GTK PTK - Unicast Data
2-way Handshake Decrypt GTK PTK - Unicast Data
Data Protection
GTK - Multicast Broadcast
GTK - Multicast Broadcast
Figure 9 outlines the key similarities and differences between 802.11i/WPA and CCKM. The additional steps performed (during initial client authentication only) by CCKM are circled. CCKM derives different, additional keys and introduces WDS between the access points and the RADIUS server. Fast Secure Roaming Stages There are three stages in Cisco fast secure roaming: 1. Infrastructure authentication—All of the access points in a L2 domain 802.1X authenticate, via the WDS, to a RADIUS server. 2. Initial authentication—When a WLAN client first associates to an access point in a new L2 domain, it performs a full 802.1X authentication, via the WDS, to the RADIUS server. This initial authentication has the same latency characteristics as non-CCKM (Cisco LEAP) authentication. Fast secure roaming applies when the client moves to subsequent access points in the same L2 domain. 3. Fast secure roaming—When a client roams to another access point in the same L2 domain, it uses CCKM to perform fast rekeying, without contacting the RADIUS server.
Infrastructure Authentication
During the infrastructure authentication phase, all Cisco Aironet access points, including any running WDS, authenticate using Cisco LEAP7 via the WDS, to a RADIUS server as shown in Figure 10.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 15 of 33
Figure 10 Infrastructure Authentication Phase
Authenticator/ Supplicant Layer 2 Client Access Point
Authenticator Layer 2 or Layer 3 Access Point with WDS
Cisco LEAP Authentication
Authentication Server
RADIUS
Static Password Derive CTK
Static Password RADIUS CTK Derive CTK
All Cisco infrastructure devices in the L2 domain must authenticate to the WDS during the infrastructure authentication phase as noted in Figure 10 above. This allows each access point to establish a shared key with the WDS. This shared key is called the context transfer key (CTK) and is used to pass key material from the WDS to the new access point during a fast secure roam.
Initial Authentication
When a WLAN client first associates to an access point in a new L2 domain, it performs a full 802.1X authentication, via the WDS, to the RADIUS server. This initial authentication has the same latency characteristics as a non-CCKM Cisco LEAP authentication. Initial authentication consists of the following three sub-stages: • Discovery stage • Authentication stage • Key management stage Fast secure roaming occurs after the initial authentication, when the client moves to subsequent access points in the same L2 domain. Initial Authentication—Discovery stage The discovery phase is the same whether WPA/802.11i or CCKM is used (Figure 11) to authenticate the client.
Figure 11 Initial Authentication – Discovery Stage
Layer 2 Client Access Point Access Point with WDS
Layer 2 or Layer 3 RADIUS
Beacon/Probe response RSNIE
7. Currently CCKM supports only Cisco LEAP authentication.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 16 of 33
The access point advertises its security capabilities via the Robust Security Network Information Element (RSNIE) in the access point’s beacons and probe responses. CCKM capability is communicated by a MAC organizationally unique identifier (OUI) value of 00:40:96 and a type value of 0 in the Authenticated Key Management (AKM) suite selector of the RSNIE. Initial Authentication—Authentication Stage In CCKM, the 802.1X Cisco LEAP authenticator functionality is split between the access point to which the client is associated and the WDS. The access point the client is authenticating to blocks all client data traffic until Cisco LEAP authentication is complete–per the standard authentication process. Instead of communicating directly with the RADIUS server to perform the Cisco LEAP authentication, the access point puts a wireless LAN context control protocol (WLCCP) header on the packets, and sends them to the WDS. The WDS communicates with the RADIUS server to complete the Cisco LEAP authentication. A network session key (NSK) is mutually derived on the RADIUS server and the client following successful authentication. (Figure 12).
Figure 12 Initial Authentication – Authentication Stage
Layer 2 Client
EAP Credential
Layer 2 or Layer 3 Access Point with WDS RADIUS
EAP Credential
Access Point
Cisco LEAP Authentication
WLCCP Encapsulation
RADIUS Derive NSK
Initial Authentication—Key Management Stage In the key management stage, the process for CCKM authentication differs significantly from WPA/802.11i authentication. In this stage, an additional key—the base transient key (BTK)—is established on the WDS. In the CCKM scheme, the BTK is used for fast secure roaming. For WPA/802.11i, the BTK does not exist and a full reauthentication is required for roaming WPA/802.11i clients (Figure 13).
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 17 of 33
Figure 13 Initial Authentication – Key Management Stage
Layer 2 Client Access Point Access Point with WDS
Layer 2 or Layer 3 RADIUS
NSK
NSK 4-way Handshake (nonces) Derive BTK/KRK RN=1 Derive PTK BSSID Derive PTK ECTK (BTK RN=1) WLCCP Encapsulation
NSK
Derive BTK/KRK
2-way Handshake Receive GTK Derive GTK
For CCKM clients, the RADIUS server forwards the NSK it derived from the Cisco LEAP authentication process to the WDS (because from the RADIUS server’s viewpoint, the WDS was the 802.1X authenticator). The NSK is used as the basis for deriving all subsequent keys for the lifetime of the client’s association with this extended basic service set (EBSS)8, or until the RADIUS server’s rekey interval changes it. The WDS and the client derive a BTK and a key request key (KRK) by combining the NSK with random numbers (nonces) obtained via a process known as the four-way handshake. The four-way handshake appears to the client to be between the client and the access point it is authenticating to, but the access point puts a WLCCP header on the frames in the four-way handshake, and forwards them to the WDS. After the four-way handshake is complete, WDS forwards the BTK, and a rekey number (RN) to the access point to which the client is authenticating (since this is the initial authentication the WDS sets the RN to one). The access point the client is authenticating to uses the BTK, RN, and basic service set identifier (BSSID)9 to derive a pairwise transient key (PTK) which includes a shared session key for unicast traffic. After the PTK has been successfully derived, the access point sends the group transient key (GTK) that is used for multicast and broadcast traffic to the client, encrypted by an element of the PTK. The process of sending the GTK to the client is called the two-way handshake. The BTK and KRK are used when the client roams to quickly establish a new PTK.
Fast Secure Roaming
The third phase, fast secure roaming, occurs after the client has performed its initial Cisco LEAP authentication. Any subsequent roams to an access point in the same L2 domain will utilize the preestablished key hierarchy to perform a very fast rekey. Comparing a WPA/802.11i Roam with a CCKM Roam
8. The EBSS is equivalent to the L2 domain 9. The BSSID is equivalent to the access point’s MAC address
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 18 of 33
The advantage of CCKM becomes apparent when the WLAN client roams. In Figure 14, the WPA client is shown completing a reauthentication when it roams (including 802.1X re-authentication to a central RADIUS server). In contrast, the CCKM client sends a single reassociate-request frame to the access point and the access point sends a single frame to a local WDS and receives a single frame reply. Table 5 compares a CCKM roam re-establishment with industry standard key management.
Figure 14 Comparing a CCKM Roam Establishment with Industry Standard WPA/802.11i Key Management
WPA/802.11i Supplicant Authenticator Authentication Server Supplicant
CCKM Authenticator/ Supplicant WDS Authenticator Authentication Server
WLCCP Infrastructure
Beacon/Probe RSNIE Beacon/Probe RSNIE
Discovery
EAP Credential EAP Authentication EAP Credential Derive PMK PMK 4-way Handshake (nonces) ReassociateRequest Derive PTK Derive PTK Derive PTK BTK
Authentication
Derive PMK
Key Management
Derive PTK
2-way Handshake Decrypt GTK PTK - Unicast Data PTK - Unicast Data
Data Protection
GTK - Multicast/Broadcast
GTK - Multicast/Broadcast
Table 5 Comparing a CCKM Roam Establishment with Industry Standard Key Management
WPA/802.11i When a WPA/802.11i client roams, it completes a full reauthentication, just as it did in the initial authentication. This includes: • A full Cisco LEAP reauthentication with a central RADIUS server • The complete four-way handshake to derive the PTK • The complete two-way handshake to determine the GTK Cisco CCKM When a CCKM client roams, it sends a reassociate request to its new access point. • The new access point forwards the reassociate request to the WDS • The WDS sends the new access point the client’s BTK • The new access point and the client mutually derive a new PTK • The GTK, encrypted by the PTK, is sent to the client
When a CCKM client roams, it sends a reassociation request message to the new access point. The reassociation request includes:
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 19 of 33
• A message integrity check (MIC) using the KRK • A sequentially incrementing RN Immediately after sending the reassociation request, the client is able to calculate its next PTK. It does this by performing a cryptographic hash of the BTK, the RN, and the BSSID. Figure 15 shows the CCKM key management phase in more detail. The access point passes the reassociation request to the WDS by encapsulating it in the WLCCP protocol. The WDS verifies the MIC. The WDS then encrypts the BTK and the RN with the CTK shared by the WDS and the new access point, and passes the encrypted message to the new access point. The new access point then hashes the BTK, RN and BSSID to calculate the same new PTK as the client. After the PTK has been mutually derived by the access point and the client, the access point uses an element of the PTK to encrypt the GTK. The access point then passes the GTK to the client.
Figure 15 CCKM Fast Rekey
Layer 2 Client
BTK (KRK) Reassociation Request (MICKRK, RN=(RN+1)) Verify MIC Derive PTK BSSID Derive PTK EPTK(GTK) Receive GTK ECTK (BTK, RN=(RN+1)) WLCCP Encapsulation
Layer 2 or Layer 3 Access Point with WDS
BTK (KRK)
Access Point
RADIUS
Note: CCKM roaming requires one roundtrip to a subnet-local WDS. An equivalent Cisco LEAP authentication requires three roundtrips to a RADIUS server located on the network core. Layer 2 Design Recommendations This section provides design guidance for architecting and deploying L2 roaming considerations on a network. Detailed campus wireless LAN design guidance is provided on the Cisco Solution Reference Network Design Guides home page, available at http://www.cisco.com/go/srnd Cisco AVVID Design Cisco provides comprehensive campus network architecture guidance with Cisco AVVID. For wireless LANs used in existing networks as a wireless overlay or as freestanding all-wireless networks, the existing Cisco AVVID Layer 3 architecture should be maintained where possible, with the WLAN deployed as an additional, dedicated, wireless subnet per wiring closet. Figure 16 shows a typical Cisco AVVID architecture to which a WLAN subnet has been added to each access layer switch.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 20 of 33
Figure 16 Adding WLAN to Cisco AVVID Architecture
HSRP Active VLAN 20, 41, 140
Layer 3
HSRP Active VLAN 40, 21, 120
10.1.20.0 10.1.21.0 10.1.120.0
VLAN 20 Data VLAN 21 WLAN VLAN 120 Voice
10.1.40.0 10.1.41.0 10.1.140.0
VLAN 40 Data VLAN 41 WLAN VLAN 140 Voice
Sizing the Layer 2 Domain In Figure 17, each access layer switch represents a separate wiring closet. A dedicated VLAN for each wireless LAN access points is added to each switch. Access points are connected to a dedicated VLAN to minimize the broadcast domain since WLANs are a shared half-duplex media and broadcasts have a bigger impact on access points than on most devises connected to switch ports. Some customers may decide to forgo a L3 architecture, and instead extend the L2 network to provide L2 mobility across a larger section of the enterprise. For these customers, advanced spanning tree features such as Rapid Per VLAN Spanning Tree Plus (Rapid PVST+) are useful. Roaming Cisco Aironet IAPP provides seamless mobility within a single subnet only. In the absence of mobile IP, when a WLAN client moves to an access point on a different subnet, the IP address must be renewed. Windows 2000 and Windows XP automatically renew IP addresses. Renewing the IP address breaks application sessions that are using IP address. Some applications, such as e-mail, and Web-based applications, may recover and continue to operate normally when their IP address is changed (either automatically by Windows 2000 or XP, or manually if using a different operating system). Other applications such as Telnet, File Transfer Protocol (FTP), and other connection-based applications will fail when their IP address is changed and will need to be manually restarted. Mobile IP or proxy mobile IP (PMIP) is the solution for this application problem as it maintains a constant IP address for host applications across L3 subnet boundaries. Configuring Fast Secure Roaming This section illustrates the minimum steps required to configure CCKM fast secure roaming in a lab environment. For more complete configuration details, please refer to the Cisco Aironet installation and configuration guides or the Cisco Aironet release notes at: http://www.cisco.com/en/US/products/hw/wireless/prod_category_positioning_paper0900aecd8009298f.html Note: The graphical user interface (GUI) screen configuration will likely change with different Cisco IOS Software releases. However, the Cisco IOS Software command line interface (CLI) configuration remains consistent across releases.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 21 of 33
Enable Encryption All access points, including the WDS need to enable encryption. CCKM requires the selection of the cipher radio button and one of the cipher modes in the Cisco Aironet access point set-up screen (Figure 17).
Figure 17 Enabling Encryption on Cisco Aironet Access Points
Web GUI
Cisco IOS Software command line interface Dot11Radio0 encryption mode ciphers ckip-cmic
Enable Cisco LEAP for Your SSID All access points, including the WDS require enabling Cisco LEAP for a particular SSID (Figure 18). In the Cisco Aironet access point set-up screen, perform the following steps: 1. Check the “Network EAP” check box (this is the authentication type used by Cisco LEAP) 2. Select the CCKM radio button and choose “Optional” or “Mandatory” from the drop-down menu. (It is possible to choose “Optional” if a mix of CCKM and non-CCKM enabled devices are associating to the VLAN. This option is useful when migrating clients to CCKM.)
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 22 of 33
Figure 18 Enabling Cisco LEAP on Cisco Aironet Access Points
Web GUI
Cisco IOS Software command line Interface dot11 0 ssid <insert SSID> authentication network-eap eap_methods authentication keymanagement cckm
Configuring Access Points with Username/Password to Use when Authenticating to the RADIUS Server Via WDS All access points in the subnet (including the access point running the WDS) authenticate to WDS using Cisco LEAP. To perform this Cisco LEAP authentication, the access points must be statically configured with a Cisco LEAP user name and password (and a matching user name and password must be configured on the RADIUS server). Each access point in a subnet must authenticate to the WDS for that subnet. The username and password are configured as shown in Figure 19. The configuration example uses Cisco as a password. Please ensure a more secure password is chosen for your production deployments.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 23 of 33
Figure 19 Configuring Access Points with User Name and Password for Authentication to WDS
Web GUI
Cisco IOS Software command line wlccp ap username <ap username> password 0 Cisco ! wlccp ap username <ap username> password 0 Cisco
Cisco
Configuring an Access Point as a WDS To configure an access point as a WDS (Figure 20): 1. Select the “Use this access point as Wireless Domain Services” check box, and configure a priority (to deterministically elect a primary WDS if redundant WDS’s are configured; 9 is arbitrarily chosen in this example. The highest priority number will be elected the active WDS.) 2. Type the RADIUS server IP address into the server text-entry box. Ensure that the server type is RADIUS. Type your password into the shared secret text-entry box. For this example “Cisco” is used. (The WDS must be configured as a network access server (NAS) in the RADIUS server with a matching password.) 3. Check the “Infrastructure Authentication” and “Client-Cisco LEAP Authentication” check boxes.
Figure 20 Configuring Access Point1 as WDS
Web GUI
Cisco IOS Software command line wlccp wds priority 9 interface BVI1 ! aaa group server radius wlccp_rad_infra server <Radius IP address> auth-port 1645 acct-port 1646 ! aaa group server radius wlccp_rad_leap server <Radius IP address> auth-port 1645 acct-port 1646
Cisco
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 24 of 33
Verifying and Debugging Fast Secure Roaming Operation Verify the WDS is operational and that the access points are correctly registered to the WDS. The following commands verify the state of the WDS and the access point.
• show wlccp wds • show wlccp ap On access points running WDS only On access point running CCKM key management
The most useful WDS monitoring command is the following command on the WDS:
• show wlccp wds ap On access points running WDS only
Figure 21 shows a sample output from an access point running the WDS.
Figure 21 Monitoring WDS and Access Point Registration State
Testing Roaming
Configuring Client
There are no specific client configuration changes needed in order to use Cisco fast secure roaming. When testing fast secure roaming, ensure the client has installed the Aironet Client Utility, firmware, and driver software releases included in Cisco Aironet Client Adaptor Installation Wizard version 1.1 or greater.
Testing Fast Secure Roaming
Open a Telnet window to two different access points. Enter the terminal monitor command to direct syslog output to the Telnet screen. Use the show dot11 association all command to see which access point your CCKM client is associated to. On the access point your client is associated to, enter the following commands:
Int dot11 0 Shut No shut
Observe the message on the other access point that indicates the client has roamed, using CCKM fast roaming, as shown in Figure 22.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 25 of 33
Figure 22 Fast Roaming Message
Debugging Fast Secure Roaming Trouble Associating If the client is having trouble associating to the access point, use the Aironet Client Utility debugging feature added in Aironet Client Utility release 5.0 or greater to determine where it is failing (Figure 23).
Figure 23 Starting Aironet Client Utility Troubleshooting
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 26 of 33
Trouble Authenticating
The Cisco IOS Software show dot11 association all command provides information about client associations. Figure 24 highlights the client state, key-management type, and encryption type as shown in the output from this command. • show dot11 association all
Figure 24 Client Association Information
Troubleshooting WDS Operation
In addition to the Cisco IOS Software commands shown above, the following debug commands are useful: • debug wlccp wds state • debug dot11 aaa dot1x state • debug dot11 mgmt interface Installing Fast Secure Roaming Software Fast secure roaming requires upgrades of Cisco Aironet client adapter and access point software. Cisco IOS Software release 12.2(11)JA (or greater) must be installed on Cisco Aironet 1200 and 1100 Series access points. Cisco Aironet Client Adaptor Install Wizard version 1.1 (or greater) must be installed on applicable Cisco Aironet WLAN client adapters. Installing Cisco Aironet Client Adaptor Installation Wizard to Enable Fast Secure Roaming To install the Cisco Aironet Client Adaptor Installation Wizard to enable fast secure roaming, follow the steps below (Figure 25) 1. Ensure your 802.11a or 802.11b NIC is inserted or available on your laptop. 2. Downloaded the client installation program. 3. Double-click the “InstallWizard.exe” self-extracting install file. 4. Select the Unzip button from the WinZip pop-up application.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 27 of 33
Figure 25 Installing Cisco Aironet Client Adaptor Installation Wizard
5. All required files will be automatically extracted and the install program shown in Figure 26 will be launched.
Figure 26 Selecting Cisco Aironet Client Adaptor Installation Wizard Installation Type
6. After the installation is complete, restart the client PC. 7. When the PC has restarted, launch the Aironet Client Utility, then click the status icon, and confirm that the firmware version is V5.20.17 or greater as shown in Figure 27.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 28 of 33
Figure 27 Checking the Firmware Version for the Aironet WLAN Client Adapter
Loading the Fast Secure Roaming Cisco Aironet Access Point Software This section describes how to use the Cisco IOS Software command line to upgrade Cisco Aironet 1200 and 1100 Series access points to Cisco IOS Software release 12.2(11)JA or later. The firmware can also be upgraded via the access point GUI. The Cisco IOS Software command line is used here to highlight the difference between Cisco IOS Software upgrades on Cisco Aironet access points and Cisco IOS Software upgrades Cisco routers and switches. 1. Telnet to the access point. 2. Use the following command to install the fast secure roaming software from a TFTP/FTP server. This example uses a FTP server at IP address 10.50.1.50. • Archive download-sw /overwrite /reload ftp://<FTP server IP address>/<image> (where image= the appropriate .tar file for your access point.) A software upgrade in progress is shown in Figure 28. Once the access point finishes loading, it will automatically reboot with the new software.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 29 of 33
Figure 28 Loading Cisco IOS Software on the Cisco Aironet 1100 Series Access Point
References
Cisco Structured Wireless-Aware Network Overview
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_brochure09186a0080184925.html
WLAN Design Guide
http://www.cisco.com/go/srnd
VLAN Deployment Guide
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
Quality of Service (QoS) Deployment Guide
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a0080144498.html
SAFE White Papers
http://www.cisco.com/go/safe
Cisco Aironet Wireless LAN Security Overview
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_brochure09186a00801f7d0b.html
802.11 Wireless LAN Security White Paper
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b469f.shtml
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 30 of 33
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 31 of 33
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 32 of 33
Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100
European Headquarters Cisco Systems International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands www-europe.cisco.com Tel: 31 0 20 357 1000 Fax: 31 0 20 357 1100
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-7660 Fax: 408 527-0883
Asia Pacific Headquarters Cisco Systems, Inc. Capital Tower 168 Robinson Road #22-01 to #29-01 Singapore 068912 www.cisco.com Tel: +65 6317 7777 Fax: +65 6317 7799
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the
Cisco Web site at www.cisco.com/go/offices
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden S w i t z e r l a n d • Ta i w a n • T h a i l a n d • Tu r k e y • U k r a i n e • U n i t e d K i n g d o m • U n i t e d S t a t e s • Ve n e z u e l a • Vi e t n a m • Z i m b a b w e
All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Aironet, Catalyst, Cisco, Cisco IOS, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0304R) 204113_ETMG_LS_12.04
Cisco Fast Secure Roaming
Cisco Systems® is pleased to introduce Cisco fast secure roaming with Cisco IOS® Software release 12.2(11)JA for Cisco Aironet® 1200 and 1100 Series Access Points and Cisco Aironet Client Adapter Installation Wizard version 1.1. Cisco fast secure roaming, a component of Wireless Domain Services, provides significant enhancements to Layer 2 (L2) roaming performance. With Cisco fast secure roaming, wireless LAN (WLAN) clients can roam between Cisco Aironet access points in fewer than 150ms. This application note examines all aspects of L2 roaming including: the necessity for fast secure roaming, L2 roaming components, fast secure roaming latency improvements, and configuration considerations for fast secure roaming.
Author
Bruce McMurdo, a Cisco enterprise solution design technical marketing engineer, is the author of this application note. Introduction Wireless domain services (WDS) is introduced with the Cisco Structured Wireless-Aware Network (SWAN). WDS is a collection of Cisco IOS Software features that enhance WLAN client mobility and simplify WLAN deployment and management. These services, supported today on access points and client devices, and on specific Cisco LAN switches and routers in 2004, include fast secure roaming and Institute of Electrical and Electronics Engineers (IEEE) 802.1X local authentication. Fast secure roaming is supported by Cisco Aironet 1200 and 1100 Series access points in conjunction with Cisco or Cisco Compatible client devices. With fast secure roaming, authenticated client devices can roam securely at L2 from one access point to another without any perceptible delay during reassociation. Fast secure roaming supports latency-sensitive applications such as wireless voice over IP (VoIP), enterprise resource planning (ERP), or Citrix-based solutions (Figure 1). WDS provides fast, secure handoff services to access points, without dropping connections, for fewer than 150ms roaming within a subnet.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 1 of 33
Figure 1 Fast Secure Roaming
WAN AP Based WDS Cisco ACS AAA Server
1. Access Point must now 802.1X authenticate with the WDS Access Point (AP1) to establish a secure session 2. Initial client 802.1X authentication goes to a central AAA server (~500ms) 3. During a client roam, the client signals to the WDS it has roamed and WDS will send the client’s base key to the new Access Point (AP2) 4. The overall roam time is reduced to <150ms, and in most cases, <100ms
AP2
AP1
Note: Because the local WDS device handles roaming and reauthentication, the WAN link is not used
More information on Cisco SWAN is available from the references section at the end of this document and at http://www.cisco.com/go/swan. This document provides details on Cisco fast secure roaming protocol implemented in the following software releases: • Cisco IOS Software release 12.2(11)JA or greater for Cisco Aironet 1200 and 1100 Series access points • Client Aironet Client Utility, firmware, and driver software releases included in Cisco Aironet Client Adaptor Installation Wizard version 1.1 or greater Cisco fast secure roaming enhancements will be included in Version 2 of the Cisco Compatible Extensions program, which will be made available to third-party WLAN network interface card (NIC) vendors. Table 1 and Table 2 summarize the client and infrastructure types that can and cannot utilize Cisco fast secure roaming to roam between upstream access points. Table 1 Client Support for Cisco Fast Secure Roaming
Supports Fast Secure Roaming with Cisco Centralized Key Management (CCKM) Yes Yes Yes
Fast Secure Roaming Client Cisco Aironet 340, 350 wireless LAN client adapter cards Cisco Aironet 5 GHz, 54 Mbps wireless LAN client adapter cards Cisco Compatible Extensions version II compliant NICs (when available)
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 2 of 33
Fast Secure Roaming Client Cisco Aironet 1200 and 1100 Series access points running Cisco IOS Software in repeater mode Cisco Aironet wireless bridge in non-root mode Cisco Aironet workgroup bridge
Supports Fast Secure Roaming with Cisco Centralized Key Management (CCKM) Yes
No No
Table 2 Infrastructure Support For Cisco Fast Secure Roaming
Supports Fast Secure Roaming with Cisco Centralized Key Management (CCKM) Yes
Fast Secure Roaming Infrastructure Cisco Aironet 1200 and 1100 Series access points running Cisco IOS Software in access point mode Cisco Aironet 350 Seres access points running Cisco IOS Software in i access point mode (when available)
Yes
Solution Overview Networks are normally partitioned into discrete L2 domains corresponding to Internet Protocol (IP) subnets. This partitioning and the difference between L2 and Layer 3 (L3) roaming are illustrated in Figure 2.
Figure 2 Layer 2 and Layer 3 Roaming
Distribution Layer Switches
Layer 3
Access Layer Switches Access Points Subnet A QoS QoS
Access Layer Switches Access Points Subnet B
Layer 2 Roaming Inter Access Point Protocol (IAPP)
Layer 3 Roaming (Mobile IP)
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 3 of 33
This application note discusses only L2 roaming. L2 roaming occurs when a WLAN client moves between wireless access points that are part of the same IP subnet. A L3 roam occurs when the client roams to an access point in a different subnet. Mobile IP capability is required to provide seamless roaming across L3 subnet boundaries. Every L3 roam is preceded by a L2 link-layer roam. This document examines L2 roaming in detail. L3 roaming will be addressed in a separate application note. Wireless LANs provide the ability to connect to the network from virtually any location within the enterprise. The desire to move from one location to another while maintaining an application session is a natural extension of this extended network reach. The trend toward wireless IP telephony, wireless laptops, and personal digital assistants (PDAs) will further accelerate the desire for seamless network access for clients moving between locations. Wireless LAN benefits specific to mobility include: • Innovative application deployment—New and innovative applications such as actionable alerts, messaging, and workflow applications that require always-on network connectivity, are now possible • Improved efficiency and productivity—Continuous connectivity allows work to be performed any where, any time without interruption • Increased data accuracy—Data can be captured or updated immediately, from any location, which increases data accuracy. • Ubiquity—Users can remain online at virtually any location at home, at work or on the road General Design Characteristics Cisco AVVID (Architecture for Voice, Video, and Integrated Data) provides comprehensive campus network architecture including WLANs. Where possible, the existing Cisco AVVID L3 architecture should be maintained, with wireless LANs deployed as an additional, dedicated, wireless subnet per wiring closet for WLAN overlays. Detailed enterprise network design guidance is provided on the Cisco Solution Reference Network Design Guides home page, available at http://www.cisco.com/go/srnd Clients not compatible with Cisco Centralized Key Management (CCKM), can be migrated to CCKM by making client use of CCKM optional.
Layer 2 Design
Due to access-point WDS processing and memory limitations, Cisco fast secure roaming currently supports a maximum of 30 access points per L2 domain (subnet). Caveats Deploying WLANs as recommended in this document and in the Cisco AVVID Network Infrastructure Enterprise Wireless LAN Design document may result in multiple L2 subnets on the same floor of a building. As recommended in this document, mobile IP is required to roam seamlessly between these L2 subnets. Layer 2 Roaming Primer This section details WLAN client roaming and explains what happens when a WLAN client roams.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 4 of 33
Introduction A L2 roam occurs when a WLAN client moves from one access point to another within the same subnet. If the client moves to a new access point on a different IP subnet, L3 roaming occurs after the L2 roam has completed. Roaming is always a client station decision. The client station is responsible for detecting, evaluating, and roaming to an alternative access point. Figure 3 Sequence of Events for L2 Roam illustrates a L2 roam.
Figure 3 Sequence of Events for L2 Roam
Wired LAN Connecting APs (Intra-Subnet Roaming) 4 Access Point A
IAPP Inter Access Point Protocol 3 Access Point B 2
1
The arrows in Figure 3 indicate the following events: 1. A client moves from access point A coverage area into access point B coverage area (with both access points in the same subnet). As the client moves out of the range of access point A, a roaming event (for example, maximum retries) is triggered. 2. The client scans all IEEE 802.11 channels for alternative access points. In this case, the client discovers access point B and reauthenticates and reassociates to it. After associating to the new access point B, if it is configured for 802.1X, the client begins IEEE 802.1X authentication. 3. Access point B sends a null media access control (MAC) multicast, on the client’s virtual local area network (VLAN), using the source address of the client. This updates the content addressable memory (CAM) tables of the upstream switch and directs further LAN traffic for the client to access point B and not access point A. 4. Using its own source address, access point B sends a MAC multicast, on the native VLAN, telling access point A that access point B now has the client associated to it. Access point A receives this multicast and removes the client MAC address from its association table. This guide focuses on events 1 and 2 in Figure 3. Events 3 and 4 are post-roam actions taken as part of the Cisco Inter Access Point Protocol (IAPP) and are not discussed in this document. • Event 1 in Figure 3 is discussed in the Roaming Events section of this document that describes the events that cause a client to initiate the roam process. • Event 2 in Figure 3 is discussed in the Fast Secure Roaming section where the process of discovering evaluating and roaming to an alternative access point is reviewed.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 5 of 33
Roaming Events This section reviews the events that cause a client to roam. The roaming process is described in the Fast Secure Roaming section. Roaming is always initiated by the client, and is not defined by IEEE standards. For Cisco clients, roaming is caused by one of the following events. • Maximum data retry count is exceeded • Missed too many beacons • Datarate shift • Initial startup • Periodic client interval (if configured)
Maximum Data Retry Count Exceeded
When a client station retries a packet more often than is acceptable under the max data retry count, the station will initiate a roam. The max data retry count defaults to 16, and is configured in the Aironet Client Utility under the RF Network tab for the currently active profile. A sample screen is shown in Figure 4.
Figure 4 Setting Maximum Data Retries in the Aironet Client Utility
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 6 of 33
Missed Too Many Beacons
All clients associated to an access point receive a periodic beacon. By default, access points send a beacon every 100ms, which is the beacon period setting on an access point as is shown in Figure 5.
Figure 5 Max Data Retries, Beacon Period, and Data Rate Settings
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 7 of 33
Clients learn the access point’s beacon interval from an element in the beacon. If a client misses eight consecutive beacons, a roaming event is deemed to have occurred, and the roam process detailed in the Fast Secure Roaming section is initiated. By continuously monitoring for received beacons, even an otherwise idle client is able to detect a loss of wireless link quality, and will initiate a roam.
Datarate Shift
Packets are normally transmitted at the access points’ default rate. The default rate is the highest rate set to the “require” or “enable” setting on the access point. The configuration of data rate on an access point is shown in Figure 5. Every time a packet has to be retransmitted at a lower rate,1 a retransmit count is increased by three. For each packet successfully transmitted at the default rate, the retransmit count is decreased by one, until it is zero. If the retransmit count reaches 12, one of the following scenarios occurs: • If the client has not attempted to roam in the last 30 seconds then the roam process as described in the fast secure roaming event occurs. • If the client has already attempted to roam in the last 30 seconds, the data rate for that client is set to the next lower rate A client transmitting at less than the default rate will increase the data rate back to the next-higher rate after a short time interval if transmissions are successful.
Periodic Client Interval (If configured)
The ability to configure how often, and at what signal strength threshold, the client will scan for a better access point is available in Aironet Client Utility version 6.1 or greater, included in Cisco Aironet Installation Wizard version 1.1 or greater. This capability is configured in the Aironet Client Utility for the selected profile under the radio frequency (RF) network tab as shown in Figure 6.
1. A rate shift occurs when a frame is retransmitted three times and a request to send/clear to send (RTS/CTS) is used to send the last two retransmissions.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 8 of 33
Figure 6 Aironet Client Utility Configuration – Scan For A Better Access Point
Figure 6 Aironet Client Utility Configuration – Scan For A Better Access Point shows the default Aironet Client Utility settings. With these settings, the client will scan for a better access point when both of the following conditions have been met. • The client has been associated to its current access point for at least 20 seconds. This restriction is to prevent a client “flapping” or switching between access points too rapidly. Valid values are from 5 to 255 seconds • The signal strength is less than 50 percent. Valid values range from zero to 75 percent. The periodic scan is a roaming event that causes the occurrence of the roam process described in the Fast Secure Roaming section.
Initial Client Start-up
When a client starts up it goes through the roam process described in the Roam Process section, to scan for and associate with the most appropriate access point. Roam Process The previous section described the five events that cause a client to decide that it needs to roam. This section discusses what a client station does when it roams. The process of finding and re-associating to a new access point includes: • Scan for available access points • Compile a list of roam targets • Pick the best access point from the list of roam targets
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 9 of 33
When a roaming event occurs, the client station scans each 802.11 channel.2 On each channel the client station sends a probe, and waits for a probe responses or beacons from access points on that channel. The probe responses and beacons received from access points are discarded unless they have matching Service Set Identifier (SSID) and encryption settings. Once the scan is complete and the client has a list of responding access points, it selects the access point to compare the others against. That access point is then referred to as the current access point. The current access point is determined in the following manner: • If this is the clients initial start-up – Current access point = the first access point in the list • If the client is roaming – Current access point = the previously associated access point, if it responded to the probe request • If the client is roaming and the previous access point did not respond to the probe request – Current access point = the first access point in the list The current access point is compared with each of the access points in the list of responding access points. To be considered as a new current access point, each access point must meet all the criteria in Table 3. Table 3 Access Point Conditions that Must Be Met for the Access Point to Be Considered a Roam Target
Client station with Cisco Aironet Extensions Enabled (Probe response / Beacon must satisfy all conditions) • Potential roam target access points signal strength is greater than 20 percent and • If signal strength more than 20 percent weaker than current access point, signal strength must be 50 percent or more If the potential roam target access point is in repeater mode and is more radio hops from the backbone than the current access point, its signal strength must be at least 20 percent greater than the current access point’s signal strength The transmitter load for the potential roam target access point can not be more than 10 percent greater than the transmitter load of the current access point
Client Station without Cisco Aironet Extensions Unknown—implementation dependent
Not applicable—radio hop information is Cisco element in beacons. Client stations that do not have Cisco Aironet extension capability cannot read the Cisco beacon element.
Not applicable—access point transmitter load information is Cisco element in beacons. Client stations that do not have Cisco Aironet extension capability cannot read the Cisco beacon element.
The client compares each access point that meets the base criteria listed in Table 3 with the current access point. If an evaluated access point meets any of the criteria listed in Table 4, then the client selects it as the new current access point, and compares the next access point in the list against this new current access point.
2. The client scans all 802.11 channels valid in the country in which the client is operating The Fast Secure Roaming section describes ways in which the fast secure roaming channel scanning enhancements can reduce the number of channels that are scanned during a roam.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 10 of 33
Table 4 Choosing from Eligible Roam Targets
Client Station with Cisco Aironet Extensions Enabled (Access point must satisfy any condition) Signal strength is 20 percent stronger than current access point Fewer hops to the backbone Client Station without Cisco Aironet Extensions (Access point must satisfy all conditions) Unknown—implementation dependent
Not applicable—Backbone hops information is Cisco element in beacons. Client stations that do not have Aironet extension capability cannot read the Cisco beacon element. Not applicable—access point client association load information is Cisco element in beacons. Client stations that do not have Cisco Aironet extension capability cannot read the Cisco beacon element. Not applicable—access point transmitter load information is Cisco element in beacons. Client stations that do not have Cisco Aironet extension capability cannot read the Cisco beacon element.
At least four (or more) fewer clients associated to it than current access point
20+% less transmitter load1
1. Transmitter load is an indication of how busy the access point radio is.
Fast Secure Roaming The Cisco fast secure roaming implementation in Cisco IOS Software release 12.2(11)JA is comprised of two main enhancements. • Improved 802.11 channel scanning during physical roaming • Improved reauthentication using advanced key management The improved 802.11 channel scanning during physical roaming enhancements speeds up all L2 roaming, regardless of the security method used. The improved reauthentication, using advanced key management enhancements, speeds up Cisco LEAP authentication to provide fast secure roaming. Improved 802.11 Channel Scanning Improved channel scanning is enabled by default on Cisco clients and access points and is not configurable. The fast secure roaming enhancements to channel scanning require communication between the client and access point. Improved channel scanning has the following software dependencies: • Cisco IOS Software release 12.2(11)JA or greater • Cisco Aironet Client Utility, firmware, and driver software, which is included in Cisco Aironet Client Adaptor Installation Wizard version 1.1 or greater.
Channel Scanning Prior to Fast Secure Roaming
Before the release of Cisco IOS Software 12.2(11)JA, Cisco Aironet clients took 37ms to scan for each of the 11 802.11 channels in the United States, for a total scan time of ~400ms. (Eleven channels are used in the United States. Different countries use different channel sets.) For each of the 802.11 channels valid in a specific regulatory domain, the client performed the following steps: • Radio hardware physically moves to a specific WLAN channel
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 11 of 33
• Client listens to avoid a collision • Client transmits a probe frame • Client waits for probe responses or beacon frames
Fast Secure Roaming Channel Scanning Improvements
Improvements to the Cisco channel scanning algorithm introduced with Cisco IOS Software release 12.2(11)JA includes: • Re-associating clients now communicate information to the new access point such as the length of time since they lost association with the previous access point, channel number, and SSID. • Using the information from client associations, an access point builds a list of adjacent access points and the channels these access points were using. If the client reporting an adjacent access point was disassociated from its previous access point for more than 10 seconds its information is not added to the new access points list. • Access points store a maximum list of 30 adjacent access points. This list is aged out over a one-day period. • When a client associates to an access point, the associated access point sends the adjacent access point list to the client as a directed unicast packet. The communication between client and access point is shown in Figure 7.
Figure 7 Client and Access Point Communication During Association
Access Points Channel 1
Channel 6
Channel 11
Adjacent Channel is 1
Adjacent Channels are 1 and 11
Roaming Client
When a client needs to roam, it uses the adjacent access point list it received from its current access point to reduce the number of channels it needs to scan. How the client uses the adjacent access point list depends upon how busy the client is. There are three types of client roams: • Normal Roam: The client has not sent or received a unicast packet in the last 500ms. – The client does not use the adjacent access point list obtained from the previous access point. Instead it scans all channels valid for the operating regulatory domain. • Fast Roam: The client has sent or received a unicast packet in the last 500ms.3 – The client scans the channels on which it has been told there is an adjacent access point. – If no new access points are found after scanning the adjacent access point list, the client reverts to scanning all channels.
3. A typical IP telephony call generates a single packet in each direction every 20ms
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 12 of 33
– The client limits its scan time to 75ms if it is able to find at least 1 better4 access point. • Very Fast Roam: the client has sent or received a unicast packet in the last 500ms,5 and the client is contributing a non-zero percentage to the load of the cell. – Identical to a Fast Roam except the scan is ended as soon as a better6 access point is found. If the client did not receive an adjacent access point list from its previous access point, and it wants to fast roam or very fast roam, then it will use the list of channels on which access points were found during its last full scan. Improved Cisco LEAP Authentication Besides fast 802.11 channel scanning, the fast secure roaming feature provides a fast rekey capability for clients using Cisco LEAP as their 802.1X authentication protocol. Improved Cisco LEAP authentication introduces the new CCKM protocol that is a component of the Cisco Wireless Security Suite.
Cisco LEAP Authentication Prior to Fast Secure Roaming
A Cisco LEAP client using Cisco IOS Software version 12.2(8)JA or earlier needs to perform a full Cisco LEAP reauthentication each time it roams. A Cisco LEAP reauthentication requires: • A minimum of 100ms • An average of ~600ms • Up to 1.2seconds + The timeframes above are in addition to the channel-scanning portion of the L2 roam. Cisco LEAP authentication takes this much time because it requires three roundtrips to a Remote Authentication Dial-In User Service (RADIUS) server using the following process: • Client sends identity, Cisco Secure Access Control Server (ACS) or RADIUS Server sends challenge • Client sends challenge response, Cisco Secure ACS sends success • Client sends challenge, Cisco Secure ACS sends challenge response In addition to network transit times, each of these roundtrip transactions requires time-consuming cryptographic calculations, hence the total times quoted above.
Improved Reauthentication Using Fast Secure Roaming Advanced Key Management
Industry standards such as Wi-Fi Protected Access (WPA) and 802.11i require 802.1X and also introduce a new key hierarchy to WLAN security. Cisco fast secure roaming is based on this new key hierarchy. Cisco fast secure roaming is a WDS feature. Cisco fast secure roaming requires 802.1X authentication of access points and clients to a RADIUS server. This authentication uses a dedicated RADIUS server, or the local authentication service running on a Cisco Aironet access point.
4. As defined in the section on roam processes 5. A typical IP telephony call generates a single packet in each direction every 20ms 6. As defined in the section on roam processes
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 13 of 33
About Wireless Domain Services
Wireless Domain Services (WDS) act as a central authentication entity that supports a fast client rekey, rather than requiring a full RADIUS reauthentication each time the client roams. All access points and clients in a L2 domain 802.1X authenticate to a RADIUS server via the WDS that performs the role of 802.1X authenticator. Because all clients and access points authenticate via the WDS, the WDS is able to establish shared keys between itself and every other entity in the L2 domain. These shared keys enable CCKM fast secure roaming. Figure 8 illustrates access points and clients authenticating to WDS.
Figure 8 Access Points and Clients Authenticating to WDS
802.1X Supplicant
802.1X Authenticator/Supplicant
802.1X Authenticator
802.1X Authentication Server
Client
Access Point
Access Point with WDS
RADIUS
Clients Authenticate via the WDS
Access Points Authenticate via WDS
The WDS function is written in Cisco IOS Software and initially runs on Cisco IOS Software on Cisco Aironet access points only. In the future, WDS be available in Cisco router and switch infrastructure products. At least one WDS is required per L2 domain. The CCKM architecture supports WDS redundancy via a MAC-layer multicast primary WDS election process. If redundant WDS are configured, the WDS with the highest priority is elected to be the primary WDS. If equal or no priorities are configured, a primary is dynamically determined. Redundancy provides a cold backup. If the primary WDS fails, all authenticated clients continue to operate, until a roaming event occurs, at which point the client completes a full initial authentication to the RADIUS server, via the backup WDS. All access points in a L2 domain dynamically learn the address of the active WDS via an L2 multicast. The address of the WDS is not configured in any access point. The WDS supports a single L2 domain with up to 30 access points supported per L2 domain. The 30 access point limit is not a physical limit, but is the maximum recommended by Cisco, and the maximum number supported by Cisco Technical Assistance Center (TAC).
Comparing Cisco Fast Secure Roaming with 802.11i or WPA Security Protocols
While the CCKM protocol is very closely aligned to the 802.11i and WPA security specifications, it adds additional steps to perform fast secure roaming. Currently, 802.11i and WPA have no equivalent fast secure roaming capability. Cisco access points support both WPA and CCKM concurrently. However, only CCKM clients can perform fast secure roaming. Figure 9 provides a high-level overview of the differences between 802.11i or WPA key management schemes and CCKM.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 14 of 33
Figure 9 Comparing CCKM Initial Key Establishment with Industry Standard WPA/802.11i Key Management
WPA/802.11i Supplicant Authenticator Authentication Server Supplicant
CCKM Authenticator/ Supplicant WDS Authenticator Authentication Server
Static Password
Infrastructure Authentication
Beacon/probe RSNIE
Cisco LEAP Authentication CTK
Static Password Derive CTK
Derive CTK Beacon/probe RSNIE
Discovery
EAP Credential EAP Authentication EAP Credential Derive PMK PMK 4-way Handshake (nonces) 4-way Handshake (nonces) Derive PTK Derive BTK/KRK PTK Derive PTK WLCCP Encapsulation BTK Derive BTK/KRK NSK EAP Credential Cisco LEAP Authentication WLCCP Encapsulation EAP Credential Derive NSK
Authentication
Derive PMK
Key Management
Derive PTK
2-way Handshake Decrypt GTK PTK - Unicast Data
2-way Handshake Decrypt GTK PTK - Unicast Data
Data Protection
GTK - Multicast Broadcast
GTK - Multicast Broadcast
Figure 9 outlines the key similarities and differences between 802.11i/WPA and CCKM. The additional steps performed (during initial client authentication only) by CCKM are circled. CCKM derives different, additional keys and introduces WDS between the access points and the RADIUS server. Fast Secure Roaming Stages There are three stages in Cisco fast secure roaming: 1. Infrastructure authentication—All of the access points in a L2 domain 802.1X authenticate, via the WDS, to a RADIUS server. 2. Initial authentication—When a WLAN client first associates to an access point in a new L2 domain, it performs a full 802.1X authentication, via the WDS, to the RADIUS server. This initial authentication has the same latency characteristics as non-CCKM (Cisco LEAP) authentication. Fast secure roaming applies when the client moves to subsequent access points in the same L2 domain. 3. Fast secure roaming—When a client roams to another access point in the same L2 domain, it uses CCKM to perform fast rekeying, without contacting the RADIUS server.
Infrastructure Authentication
During the infrastructure authentication phase, all Cisco Aironet access points, including any running WDS, authenticate using Cisco LEAP7 via the WDS, to a RADIUS server as shown in Figure 10.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 15 of 33
Figure 10 Infrastructure Authentication Phase
Authenticator/ Supplicant Layer 2 Client Access Point
Authenticator Layer 2 or Layer 3 Access Point with WDS
Cisco LEAP Authentication
Authentication Server
RADIUS
Static Password Derive CTK
Static Password RADIUS CTK Derive CTK
All Cisco infrastructure devices in the L2 domain must authenticate to the WDS during the infrastructure authentication phase as noted in Figure 10 above. This allows each access point to establish a shared key with the WDS. This shared key is called the context transfer key (CTK) and is used to pass key material from the WDS to the new access point during a fast secure roam.
Initial Authentication
When a WLAN client first associates to an access point in a new L2 domain, it performs a full 802.1X authentication, via the WDS, to the RADIUS server. This initial authentication has the same latency characteristics as a non-CCKM Cisco LEAP authentication. Initial authentication consists of the following three sub-stages: • Discovery stage • Authentication stage • Key management stage Fast secure roaming occurs after the initial authentication, when the client moves to subsequent access points in the same L2 domain. Initial Authentication—Discovery stage The discovery phase is the same whether WPA/802.11i or CCKM is used (Figure 11) to authenticate the client.
Figure 11 Initial Authentication – Discovery Stage
Layer 2 Client Access Point Access Point with WDS
Layer 2 or Layer 3 RADIUS
Beacon/Probe response RSNIE
7. Currently CCKM supports only Cisco LEAP authentication.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 16 of 33
The access point advertises its security capabilities via the Robust Security Network Information Element (RSNIE) in the access point’s beacons and probe responses. CCKM capability is communicated by a MAC organizationally unique identifier (OUI) value of 00:40:96 and a type value of 0 in the Authenticated Key Management (AKM) suite selector of the RSNIE. Initial Authentication—Authentication Stage In CCKM, the 802.1X Cisco LEAP authenticator functionality is split between the access point to which the client is associated and the WDS. The access point the client is authenticating to blocks all client data traffic until Cisco LEAP authentication is complete–per the standard authentication process. Instead of communicating directly with the RADIUS server to perform the Cisco LEAP authentication, the access point puts a wireless LAN context control protocol (WLCCP) header on the packets, and sends them to the WDS. The WDS communicates with the RADIUS server to complete the Cisco LEAP authentication. A network session key (NSK) is mutually derived on the RADIUS server and the client following successful authentication. (Figure 12).
Figure 12 Initial Authentication – Authentication Stage
Layer 2 Client
EAP Credential
Layer 2 or Layer 3 Access Point with WDS RADIUS
EAP Credential
Access Point
Cisco LEAP Authentication
WLCCP Encapsulation
RADIUS Derive NSK
Initial Authentication—Key Management Stage In the key management stage, the process for CCKM authentication differs significantly from WPA/802.11i authentication. In this stage, an additional key—the base transient key (BTK)—is established on the WDS. In the CCKM scheme, the BTK is used for fast secure roaming. For WPA/802.11i, the BTK does not exist and a full reauthentication is required for roaming WPA/802.11i clients (Figure 13).
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 17 of 33
Figure 13 Initial Authentication – Key Management Stage
Layer 2 Client Access Point Access Point with WDS
Layer 2 or Layer 3 RADIUS
NSK
NSK 4-way Handshake (nonces) Derive BTK/KRK RN=1 Derive PTK BSSID Derive PTK ECTK (BTK RN=1) WLCCP Encapsulation
NSK
Derive BTK/KRK
2-way Handshake Receive GTK Derive GTK
For CCKM clients, the RADIUS server forwards the NSK it derived from the Cisco LEAP authentication process to the WDS (because from the RADIUS server’s viewpoint, the WDS was the 802.1X authenticator). The NSK is used as the basis for deriving all subsequent keys for the lifetime of the client’s association with this extended basic service set (EBSS)8, or until the RADIUS server’s rekey interval changes it. The WDS and the client derive a BTK and a key request key (KRK) by combining the NSK with random numbers (nonces) obtained via a process known as the four-way handshake. The four-way handshake appears to the client to be between the client and the access point it is authenticating to, but the access point puts a WLCCP header on the frames in the four-way handshake, and forwards them to the WDS. After the four-way handshake is complete, WDS forwards the BTK, and a rekey number (RN) to the access point to which the client is authenticating (since this is the initial authentication the WDS sets the RN to one). The access point the client is authenticating to uses the BTK, RN, and basic service set identifier (BSSID)9 to derive a pairwise transient key (PTK) which includes a shared session key for unicast traffic. After the PTK has been successfully derived, the access point sends the group transient key (GTK) that is used for multicast and broadcast traffic to the client, encrypted by an element of the PTK. The process of sending the GTK to the client is called the two-way handshake. The BTK and KRK are used when the client roams to quickly establish a new PTK.
Fast Secure Roaming
The third phase, fast secure roaming, occurs after the client has performed its initial Cisco LEAP authentication. Any subsequent roams to an access point in the same L2 domain will utilize the preestablished key hierarchy to perform a very fast rekey. Comparing a WPA/802.11i Roam with a CCKM Roam
8. The EBSS is equivalent to the L2 domain 9. The BSSID is equivalent to the access point’s MAC address
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 18 of 33
The advantage of CCKM becomes apparent when the WLAN client roams. In Figure 14, the WPA client is shown completing a reauthentication when it roams (including 802.1X re-authentication to a central RADIUS server). In contrast, the CCKM client sends a single reassociate-request frame to the access point and the access point sends a single frame to a local WDS and receives a single frame reply. Table 5 compares a CCKM roam re-establishment with industry standard key management.
Figure 14 Comparing a CCKM Roam Establishment with Industry Standard WPA/802.11i Key Management
WPA/802.11i Supplicant Authenticator Authentication Server Supplicant
CCKM Authenticator/ Supplicant WDS Authenticator Authentication Server
WLCCP Infrastructure
Beacon/Probe RSNIE Beacon/Probe RSNIE
Discovery
EAP Credential EAP Authentication EAP Credential Derive PMK PMK 4-way Handshake (nonces) ReassociateRequest Derive PTK Derive PTK Derive PTK BTK
Authentication
Derive PMK
Key Management
Derive PTK
2-way Handshake Decrypt GTK PTK - Unicast Data PTK - Unicast Data
Data Protection
GTK - Multicast/Broadcast
GTK - Multicast/Broadcast
Table 5 Comparing a CCKM Roam Establishment with Industry Standard Key Management
WPA/802.11i When a WPA/802.11i client roams, it completes a full reauthentication, just as it did in the initial authentication. This includes: • A full Cisco LEAP reauthentication with a central RADIUS server • The complete four-way handshake to derive the PTK • The complete two-way handshake to determine the GTK Cisco CCKM When a CCKM client roams, it sends a reassociate request to its new access point. • The new access point forwards the reassociate request to the WDS • The WDS sends the new access point the client’s BTK • The new access point and the client mutually derive a new PTK • The GTK, encrypted by the PTK, is sent to the client
When a CCKM client roams, it sends a reassociation request message to the new access point. The reassociation request includes:
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 19 of 33
• A message integrity check (MIC) using the KRK • A sequentially incrementing RN Immediately after sending the reassociation request, the client is able to calculate its next PTK. It does this by performing a cryptographic hash of the BTK, the RN, and the BSSID. Figure 15 shows the CCKM key management phase in more detail. The access point passes the reassociation request to the WDS by encapsulating it in the WLCCP protocol. The WDS verifies the MIC. The WDS then encrypts the BTK and the RN with the CTK shared by the WDS and the new access point, and passes the encrypted message to the new access point. The new access point then hashes the BTK, RN and BSSID to calculate the same new PTK as the client. After the PTK has been mutually derived by the access point and the client, the access point uses an element of the PTK to encrypt the GTK. The access point then passes the GTK to the client.
Figure 15 CCKM Fast Rekey
Layer 2 Client
BTK (KRK) Reassociation Request (MICKRK, RN=(RN+1)) Verify MIC Derive PTK BSSID Derive PTK EPTK(GTK) Receive GTK ECTK (BTK, RN=(RN+1)) WLCCP Encapsulation
Layer 2 or Layer 3 Access Point with WDS
BTK (KRK)
Access Point
RADIUS
Note: CCKM roaming requires one roundtrip to a subnet-local WDS. An equivalent Cisco LEAP authentication requires three roundtrips to a RADIUS server located on the network core. Layer 2 Design Recommendations This section provides design guidance for architecting and deploying L2 roaming considerations on a network. Detailed campus wireless LAN design guidance is provided on the Cisco Solution Reference Network Design Guides home page, available at http://www.cisco.com/go/srnd Cisco AVVID Design Cisco provides comprehensive campus network architecture guidance with Cisco AVVID. For wireless LANs used in existing networks as a wireless overlay or as freestanding all-wireless networks, the existing Cisco AVVID Layer 3 architecture should be maintained where possible, with the WLAN deployed as an additional, dedicated, wireless subnet per wiring closet. Figure 16 shows a typical Cisco AVVID architecture to which a WLAN subnet has been added to each access layer switch.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 20 of 33
Figure 16 Adding WLAN to Cisco AVVID Architecture
HSRP Active VLAN 20, 41, 140
Layer 3
HSRP Active VLAN 40, 21, 120
10.1.20.0 10.1.21.0 10.1.120.0
VLAN 20 Data VLAN 21 WLAN VLAN 120 Voice
10.1.40.0 10.1.41.0 10.1.140.0
VLAN 40 Data VLAN 41 WLAN VLAN 140 Voice
Sizing the Layer 2 Domain In Figure 17, each access layer switch represents a separate wiring closet. A dedicated VLAN for each wireless LAN access points is added to each switch. Access points are connected to a dedicated VLAN to minimize the broadcast domain since WLANs are a shared half-duplex media and broadcasts have a bigger impact on access points than on most devises connected to switch ports. Some customers may decide to forgo a L3 architecture, and instead extend the L2 network to provide L2 mobility across a larger section of the enterprise. For these customers, advanced spanning tree features such as Rapid Per VLAN Spanning Tree Plus (Rapid PVST+) are useful. Roaming Cisco Aironet IAPP provides seamless mobility within a single subnet only. In the absence of mobile IP, when a WLAN client moves to an access point on a different subnet, the IP address must be renewed. Windows 2000 and Windows XP automatically renew IP addresses. Renewing the IP address breaks application sessions that are using IP address. Some applications, such as e-mail, and Web-based applications, may recover and continue to operate normally when their IP address is changed (either automatically by Windows 2000 or XP, or manually if using a different operating system). Other applications such as Telnet, File Transfer Protocol (FTP), and other connection-based applications will fail when their IP address is changed and will need to be manually restarted. Mobile IP or proxy mobile IP (PMIP) is the solution for this application problem as it maintains a constant IP address for host applications across L3 subnet boundaries. Configuring Fast Secure Roaming This section illustrates the minimum steps required to configure CCKM fast secure roaming in a lab environment. For more complete configuration details, please refer to the Cisco Aironet installation and configuration guides or the Cisco Aironet release notes at: http://www.cisco.com/en/US/products/hw/wireless/prod_category_positioning_paper0900aecd8009298f.html Note: The graphical user interface (GUI) screen configuration will likely change with different Cisco IOS Software releases. However, the Cisco IOS Software command line interface (CLI) configuration remains consistent across releases.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 21 of 33
Enable Encryption All access points, including the WDS need to enable encryption. CCKM requires the selection of the cipher radio button and one of the cipher modes in the Cisco Aironet access point set-up screen (Figure 17).
Figure 17 Enabling Encryption on Cisco Aironet Access Points
Web GUI
Cisco IOS Software command line interface Dot11Radio0 encryption mode ciphers ckip-cmic
Enable Cisco LEAP for Your SSID All access points, including the WDS require enabling Cisco LEAP for a particular SSID (Figure 18). In the Cisco Aironet access point set-up screen, perform the following steps: 1. Check the “Network EAP” check box (this is the authentication type used by Cisco LEAP) 2. Select the CCKM radio button and choose “Optional” or “Mandatory” from the drop-down menu. (It is possible to choose “Optional” if a mix of CCKM and non-CCKM enabled devices are associating to the VLAN. This option is useful when migrating clients to CCKM.)
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 22 of 33
Figure 18 Enabling Cisco LEAP on Cisco Aironet Access Points
Web GUI
Cisco IOS Software command line Interface dot11 0 ssid <insert SSID> authentication network-eap eap_methods authentication keymanagement cckm
Configuring Access Points with Username/Password to Use when Authenticating to the RADIUS Server Via WDS All access points in the subnet (including the access point running the WDS) authenticate to WDS using Cisco LEAP. To perform this Cisco LEAP authentication, the access points must be statically configured with a Cisco LEAP user name and password (and a matching user name and password must be configured on the RADIUS server). Each access point in a subnet must authenticate to the WDS for that subnet. The username and password are configured as shown in Figure 19. The configuration example uses Cisco as a password. Please ensure a more secure password is chosen for your production deployments.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 23 of 33
Figure 19 Configuring Access Points with User Name and Password for Authentication to WDS
Web GUI
Cisco IOS Software command line wlccp ap username <ap username> password 0 Cisco ! wlccp ap username <ap username> password 0 Cisco
Cisco
Configuring an Access Point as a WDS To configure an access point as a WDS (Figure 20): 1. Select the “Use this access point as Wireless Domain Services” check box, and configure a priority (to deterministically elect a primary WDS if redundant WDS’s are configured; 9 is arbitrarily chosen in this example. The highest priority number will be elected the active WDS.) 2. Type the RADIUS server IP address into the server text-entry box. Ensure that the server type is RADIUS. Type your password into the shared secret text-entry box. For this example “Cisco” is used. (The WDS must be configured as a network access server (NAS) in the RADIUS server with a matching password.) 3. Check the “Infrastructure Authentication” and “Client-Cisco LEAP Authentication” check boxes.
Figure 20 Configuring Access Point1 as WDS
Web GUI
Cisco IOS Software command line wlccp wds priority 9 interface BVI1 ! aaa group server radius wlccp_rad_infra server <Radius IP address> auth-port 1645 acct-port 1646 ! aaa group server radius wlccp_rad_leap server <Radius IP address> auth-port 1645 acct-port 1646
Cisco
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 24 of 33
Verifying and Debugging Fast Secure Roaming Operation Verify the WDS is operational and that the access points are correctly registered to the WDS. The following commands verify the state of the WDS and the access point.
• show wlccp wds • show wlccp ap On access points running WDS only On access point running CCKM key management
The most useful WDS monitoring command is the following command on the WDS:
• show wlccp wds ap On access points running WDS only
Figure 21 shows a sample output from an access point running the WDS.
Figure 21 Monitoring WDS and Access Point Registration State
Testing Roaming
Configuring Client
There are no specific client configuration changes needed in order to use Cisco fast secure roaming. When testing fast secure roaming, ensure the client has installed the Aironet Client Utility, firmware, and driver software releases included in Cisco Aironet Client Adaptor Installation Wizard version 1.1 or greater.
Testing Fast Secure Roaming
Open a Telnet window to two different access points. Enter the terminal monitor command to direct syslog output to the Telnet screen. Use the show dot11 association all command to see which access point your CCKM client is associated to. On the access point your client is associated to, enter the following commands:
Int dot11 0 Shut No shut
Observe the message on the other access point that indicates the client has roamed, using CCKM fast roaming, as shown in Figure 22.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 25 of 33
Figure 22 Fast Roaming Message
Debugging Fast Secure Roaming Trouble Associating If the client is having trouble associating to the access point, use the Aironet Client Utility debugging feature added in Aironet Client Utility release 5.0 or greater to determine where it is failing (Figure 23).
Figure 23 Starting Aironet Client Utility Troubleshooting
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 26 of 33
Trouble Authenticating
The Cisco IOS Software show dot11 association all command provides information about client associations. Figure 24 highlights the client state, key-management type, and encryption type as shown in the output from this command. • show dot11 association all
Figure 24 Client Association Information
Troubleshooting WDS Operation
In addition to the Cisco IOS Software commands shown above, the following debug commands are useful: • debug wlccp wds state • debug dot11 aaa dot1x state • debug dot11 mgmt interface Installing Fast Secure Roaming Software Fast secure roaming requires upgrades of Cisco Aironet client adapter and access point software. Cisco IOS Software release 12.2(11)JA (or greater) must be installed on Cisco Aironet 1200 and 1100 Series access points. Cisco Aironet Client Adaptor Install Wizard version 1.1 (or greater) must be installed on applicable Cisco Aironet WLAN client adapters. Installing Cisco Aironet Client Adaptor Installation Wizard to Enable Fast Secure Roaming To install the Cisco Aironet Client Adaptor Installation Wizard to enable fast secure roaming, follow the steps below (Figure 25) 1. Ensure your 802.11a or 802.11b NIC is inserted or available on your laptop. 2. Downloaded the client installation program. 3. Double-click the “InstallWizard.exe” self-extracting install file. 4. Select the Unzip button from the WinZip pop-up application.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 27 of 33
Figure 25 Installing Cisco Aironet Client Adaptor Installation Wizard
5. All required files will be automatically extracted and the install program shown in Figure 26 will be launched.
Figure 26 Selecting Cisco Aironet Client Adaptor Installation Wizard Installation Type
6. After the installation is complete, restart the client PC. 7. When the PC has restarted, launch the Aironet Client Utility, then click the status icon, and confirm that the firmware version is V5.20.17 or greater as shown in Figure 27.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 28 of 33
Figure 27 Checking the Firmware Version for the Aironet WLAN Client Adapter
Loading the Fast Secure Roaming Cisco Aironet Access Point Software This section describes how to use the Cisco IOS Software command line to upgrade Cisco Aironet 1200 and 1100 Series access points to Cisco IOS Software release 12.2(11)JA or later. The firmware can also be upgraded via the access point GUI. The Cisco IOS Software command line is used here to highlight the difference between Cisco IOS Software upgrades on Cisco Aironet access points and Cisco IOS Software upgrades Cisco routers and switches. 1. Telnet to the access point. 2. Use the following command to install the fast secure roaming software from a TFTP/FTP server. This example uses a FTP server at IP address 10.50.1.50. • Archive download-sw /overwrite /reload ftp://<FTP server IP address>/<image> (where image= the appropriate .tar file for your access point.) A software upgrade in progress is shown in Figure 28. Once the access point finishes loading, it will automatically reboot with the new software.
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 29 of 33
Figure 28 Loading Cisco IOS Software on the Cisco Aironet 1100 Series Access Point
References
Cisco Structured Wireless-Aware Network Overview
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_brochure09186a0080184925.html
WLAN Design Guide
http://www.cisco.com/go/srnd
VLAN Deployment Guide
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
Quality of Service (QoS) Deployment Guide
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a0080144498.html
SAFE White Papers
http://www.cisco.com/go/safe
Cisco Aironet Wireless LAN Security Overview
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_brochure09186a00801f7d0b.html
802.11 Wireless LAN Security White Paper
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b469f.shtml
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 30 of 33
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 31 of 33
Cisco Systems, Inc. All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 32 of 33
Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100
European Headquarters Cisco Systems International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands www-europe.cisco.com Tel: 31 0 20 357 1000 Fax: 31 0 20 357 1100
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-7660 Fax: 408 527-0883
Asia Pacific Headquarters Cisco Systems, Inc. Capital Tower 168 Robinson Road #22-01 to #29-01 Singapore 068912 www.cisco.com Tel: +65 6317 7777 Fax: +65 6317 7799
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the
Cisco Web site at www.cisco.com/go/offices
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden S w i t z e r l a n d • Ta i w a n • T h a i l a n d • Tu r k e y • U k r a i n e • U n i t e d K i n g d o m • U n i t e d S t a t e s • Ve n e z u e l a • Vi e t n a m • Z i m b a b w e
All contents are Copyright © 1992–2004 Cisco Systems, Inc. All rights reserved. Aironet, Catalyst, Cisco, Cisco IOS, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0304R) 204113_ETMG_LS_12.04
