- [ ] Explain role and functions of wireless network devices – AP, WAP, WLC,
- [ ] Describe Wireless Principles
- [ ] Compare Cisco Wireless Architecture and AP Modes
- [ ] Describe Wireless security and encryption protocols
Two types of wireless communication – Infrastructure and AD HOC.
Infrastructure – Think WAP. An AP connects to the wired network and sends a signal for all potential end users to connect to via SSID (wireless network name.) If only a single AP is attached, called a BSS, basic service set. The area this AP reaches is called it’s BSA, Basic Service Area. The BSSID is basically the ID for the AP, usually a copy of the APs MAC address.
Adhoc – Not typically connected to the internet. This is a small network of wireless devices only communicating with each other. This is called a Peer-To-Peer connection. One device will take control of advertising it’s wireless network to other devices. IBSS, Independent Basic Service Set, allows up 10 devices to communicate without any additional wireless devices. This does not scale well beyond 10 devices.
What’s the best way to connect a large group of APs without needing a wired connection to each AP?
Use a Mesh network for larger wireless needs. Basically, linked WAPs can connect in Mesh mode, bridging client traffic between each other. Each AP in the mesh maintains a BSS on one channel used by the wireless clients. Then the APs bridge between each other using other channels. The mesh network runs it’s own dynamic routing protocols to determine the best path tot he wired network.
AP Architecture is the network topology of wireless networks. Below are some AP architectures:
- Autonomous AP Architecture:
These are self-contained devices with both wired and wireless hardware so that it can bridge to the wired VLAN infrastructure wireless clients that belong to SSIDs.
Autonomous APs connect to access layer switches in a 3 layer topology (Core, Dist, Access.) Carry separate SSIDs for each VLAN assigned on the distribution layer.
SSID1 – WLAN100
SSID2 – WLAN200
- Cloud based AP Architecture:
This is Cisco Meraki. The APs are managed in the cloud, and not individually. There are two distinct paths for data traffic and for management traffic respectively: The Control plane (traffic used to control, manage, and monitor the APs,) and the Data plane (contains only end user traffic through the AP.)
- Lightweight AP Architectures:
Architecture comprised solely of lightweight APs (LAP.) These are lightweight because they only provide wireless operation for wireless clients. These are managed by Wireless LAN Controllers (LAC) and use Lightweight Access Point Protocol (LWAPP) to communicate.
- CAPWAP Operation:
Split-MAC architecture = division of labor between WLC (wireless lan controller) and lightweight APs (LAP.) LAP interacts with wireless clients on the MAC layer (L2?) More recently, LWAPP (lightweight AP protocol) has been replaced by CAPWAP (Control and Provisioning of Wireless APs.) CAPWAP uses two tunnels, one for control, and one for data, similar to LWAPP.
CAPWAP Control uses UDP Port 5246
CAPWAP Data uses UDP Port 5247
CAPWAP Control Message Tunnel – Control carries the exchanges that are used to config the LAP and manage its operation. These message are encrypted. and LAP is securely controlled by only the appropriate Wireless Lan Controller. Uses UDP Port 5246.
CAPWAP Data Tunnel – Used for packets traveling to and from wireless clients that are associated with the LAP. Similar to the data plane for the LWAPP. This tunnel only carries data packets. Uses UDP port 5247. These messages are not encrypted by default.
Wireless Security Protocols
- Which network should you use of security is not a concern? – Open Network
- Which is the security protocol most commonly used in Home/SOHO networks? – WPA2
- What are the 3 entities in an 802.1X arrangement? – Supplicant, Authenticator, Authentication Server
Open Wireless – No security or encryption on the wireless network. Any available wireless device can connect to this network without any authentication. Packets are not encrypted and can be easily sniffed.
WPA and WPA2 – Typically used in home routers. This stands for WiFi Protected Access. Users would connect to a wireless network using a PSK, Pre-Shared Key. No other authentication server is required or used. There is now a WPA3 available, however, not typically used in home/SOHO networks.
802.1X/EAP (Extensible Authentication Protocol) – This reverses open and WEP authentication networks. Client uses open authentication to associate with the AP, and then the client authentication process occurs at a dedicated authentication server. There are three entities in an 802.1X arrangement:
Supplicant – This is the client requesting access
Authenticator – As the name suggests, this is the network device that authenticates/provides access to the wireless network.
Authentication Server – Again, as the name suggests, this is the server which permits or denies potential wireless users.
As noted earlier, WPA3 does exist, and includes the following 4 features:
WPA3-Personal: PSK is never exposed. This helps thwart SAE attacks (Simultaneous Auth of Equals,) and brute force attacks as again, the PSK is never exposed.
WPA3 – Enterprise: Still uses 802.1X as described above, however, requires the use of a 192-bit cryptographic suite and eliminates the mixing of security protocols.
Open Networks – No authentication still to connect, however, data is encrypted usig Opportunistic Wireless Encryption.
IoT Onbording – IoT means Internet of Things. Think smart lights, Alexa, Google Home, etc. WPA3 uses DPP, device provisioning protocol, to make it easier to add IoT devices to the network. The admin/homeowner can simply scan the QR code which contains the device’s hard-coded public key, and quickly onboard the IoT device.
Wireless Encryption Methods
- What is the strongest encryption method as of 2020? GCMP, used with WPA3
- Which checks for both encrypted and non-encrypted data manipulation? AES, advanced encryption standard.
Encryption is used to protect data being transmitted. The following 3 encryption protocols are used with wireless authentication:
TKIP – Temporal Key Integrity Protocol – This is the encryption protocol used by WPA (WiFi Protected Access.) This makes use of WEP, but encrypts the Data Link layer (L2) payload using TKIP and carries out the MIC (Message Integrity Check) in the encrypted packet to ensure the message was not changed.
AES – Advanced Encryption Standard – This is used by WPA2. This is the preferred method of encryption. Makes use of CCMP, chaining message authentication code protocol, allowing the destination device to recognize if both the encrypted and non-encrypted bits were altered.
GCMP – Galois/Counter Mode Protocol – This is used in WPA3. More robust than the prior 2 encryption methods.