Best practices for implementing the latest WLAN security techniques from design to deployment. Includes recommendations for proper authentication and encryption and fast secure roaming. Learn More: http://www.cisco.com/go/wireless


Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

1. Secure Mobility in Cisco Unified WLAN Networks. BRKEWN-2018. Jake Woodhams, Senior Manager/Architect, Technical Marketing. July 2011. BRKEWN-2018 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public.
2. Abstract
The proliferation of Wi-Fi enabled devices creates important challenges for IT, perhaps the chief challenge being security and scalable, efficient, secure roaming. This session covers the state-of-the-art technologies for proper authentication and encryption and for fast, secure roaming. Topics include 802.11i/WPA/WPA2, TKIP/AES-CCMP and fast roaming with CCKM, PKC, and the emerging 802.11r standard. EAP types such as PEAP, PEAP-GTC, EAP-TLS, EAP-TTLS and EAP-FAST are covered. The session includes best practices for implementing the latest WLAN security techniques, and design and deployment recommendations for device roaming. Prerequisite: a minimum of CCNA-level knowledge of campus routing and switching is highly recommended. Knowledge of 802.11 WLAN fundamentals and the basics of Cisco Unified WLAN technology is also assumed.
3. Session Agenda
• Anatomy of a Device Connection
• Anatomy of a Device Roam
• Design and Deployment Considerations
4. Anatomy of a Device Connection
5. Section Agenda
• 802.11 Architecture and Services Basics
• 802.11i Addendum
• EAP Types and Key Management
• Device Mobility Problem Statement
6. 802.11 Architecture Basics
• BSS – Basic Service Set
• SSID – Service Set Identifier (an ASCII string)
• BSSID – Basic Service Set Identifier (a MAC address, one per BSS)
• STA – Station (AKA client)
(Diagram: two BSSs, each advertising the SSID under its own BSSID, each serving STAs.)
7. 802.11 Architecture Basics
• ESS – Extended Service Set
• DS – Distribution System
(Diagram: two BSSs joined by a DS form one ESS.)
8-12. 802.11 Services: Distribution Services (built up over slides 8 to 12)

Service          Description                                                              Implementation
Association      Used to create a logical connection between a mobile STA and an AP        802.11
Reassociation    Similar to the association service, except information about a mobile    802.11
                 STA's previous AP may be included; used as a STA moves across an ESS
Disassociation   Used by an AP to force a mobile STA off the BSS, or by a mobile STA to    802.11
                 inform the AP it doesn't need service anymore
STA Services     (filled in on slide 17)
13. 802.11 Distribution Services: Association Service
• 802.11 Association Request (STA to AP): "Can I associate to this BSSID?"
• 802.11 Association Response (AP to STA): "Yes, you can associate to this BSSID" or "No, you cannot associate to this BSSID"
14. 802.11 Distribution Services: Disassociation Service
• 802.11 Disassociation (AP to STA; a notification, not a request): "You cannot be associated to this BSSID anymore"
• 802.11 Disassociation (STA to AP): "I do not want to be associated to this BSSID anymore"
15. 802.11 Distribution Services: Reassociation Service (Roaming Context)
• 802.11 Disassociation (STA to old AP): "I do not want to be associated to this BSSID anymore"
• 802.11 Reassociation Request (STA to new AP): "Can I reassociate to this BSSID?"
• 802.11 Reassociation Response (new AP to STA): "Yes, you can associate to this BSSID" or "No, you cannot associate to this BSSID"
16. 802.11 Services (the three Distribution Services above): so, what do these three services accomplish? What's missing?
17. 802.11 Services: STA Services

Service            Description                                                             Implementation
Authentication     Used to prove the identity of the STA and AP                              WPA/WPA2 (802.11i), CAPWAP
Deauthentication   Used to eliminate a previously authenticated user from further use of     WPA/WPA2 (802.11i), CAPWAP
                   the network
Privacy            Used to protect frames in transit over the wireless medium                WPA/WPA2 (802.11i), CAPWAP
18. How STAs Connect to a WLAN Securely: STA Services
• The 802.11 spec defines authentication, deauthentication, and privacy services, but...
• The original 802.11 spec provides extremely weak (useless for 2010 requirements) mechanisms for these services:
  - Authentication/Deauthentication: Open System and Shared-Key authentication (Shared-Key reuses the WEP key, exposes keystream to an eavesdropper, and never authenticates the AP)
  - Privacy: Wired Equivalent Privacy (WEP)
• The 802.11i addendum adds strong(er) mechanisms for implementing the STA security-related services:
  - Authentication/Deauthentication: PSK, 802.1X/EAP
  - Privacy: TKIP and CCMP (AES)
19. WPA/WPA2
• WPA: a snapshot of the draft 802.11i standard; commonly used with TKIP encryption
• WPA2: the final version of 802.11i; commonly used with AES-CCMP encryption
• Authentication mechanisms: Personal (PSK) for home use; Enterprise (802.1X/EAP) for office use
20. Authentication Best Practices: WPA2-Enterprise, Strong Authentication
• Extensible Authentication Protocol (EAP)
• Outer methods (protective TLS tunnel): PEAP, EAP-FAST, EAP-TLS
• Inner methods (authentication credentials carried inside the tunnel): EAP-MSCHAPv2, EAP-GTC
• Note that EAP-TLS authenticates both sides with certificates in the TLS handshake itself and carries no inner method; PEAP and EAP-FAST wrap an inner method in the tunnel, so the client must validate the server certificate (or PAC) or the inner credentials can be harvested by a rogue AP
21. 802.1X/EAP Choreography: the 802.1X/EAP Three-Party Model (supplicant, authenticator, authentication server)
• 802.1X port blocking instantiated: only authentication-transaction-related traffic (EAPOL) is allowed through the AP
• Keys plumbed, 802.1X port blocking removed: data is allowed through the AP
22. 802.1X/EAP Choreography
• Distribution Services: Association/Reassociation/Disassociation
• STA Services: Authentication/Deauthentication
• STA Services: Privacy
23. EAP Types: EAP-FAST
24. EAP Types: PEAP
25. EAP Types: EAP-TLS
26. 802.1X/EAP Choreography
27. Key Management: Four-Way Handshake
28. Key Management: Pairwise Transient Key (PTK)
29. Key Management: Group Transient Key (GTK)
30. Key Management: GTK Distribution
31. 802.1X/EAP Choreography (as on slide 22: Distribution Services: Association/Reassociation/Disassociation; STA Services: Authentication/Deauthentication; STA Services: Privacy)
32. 802.11 Services: all nine

Service            Description                                                             Implementation
Distribution Services
Association        Used to create a logical connection between a mobile STA and an AP        802.11
Reassociation      Similar to the association service, except information about a mobile    802.11
                   STA's previous AP may be included; used as a STA moves across an ESS
Disassociation     Used by an AP to force a mobile STA off the BSS, or by a mobile STA to    802.11
                   inform the AP it doesn't need service anymore
Distribution       Service to determine how to deliver frames                                802.11, CAPWAP
Integration        Service to determine how the WLAN connects to other LANs                  802.11, CAPWAP
STA Services
Authentication     Used to prove the identity of the STA and AP                              WPA/WPA2 (802.11i), CAPWAP
Deauthentication   Used to eliminate a previously authenticated user from further use of     WPA/WPA2 (802.11i), CAPWAP
                   the network
Privacy            Used to protect frames in transit over the wireless medium                WPA/WPA2 (802.11i), CAPWAP
Data Delivery      Used to provide reliable delivery of frames                               802.11, CAPWAP

So, what do these nine services accomplish? What's missing?
33. 802.11 Architecture Basics: ESS and DS (the diagram marks the Distribution System with "????": the standard does not say how it is built)
34. 802.1X/EAP Choreography
35. Device Mobility Problem Statement
• The specification for how STAs associate, authenticate, and protect data privacy is defined in the context of a single AP (mostly...)
• Specifications for how STAs transition securely within an ESS: hazy
• Specifics of the DS/Integration services are not well defined for the enterprise
36. Device Mobility Problem Statement
• Wireless devices move by definition
• Applications require session persistence while maintaining security and other services
Requirement: facilitate fast secure roaming for enterprise-class devices in an efficient and scalable way...
37. Anatomy of a Device Roam
38. Section Agenda
• CUWN Architecture Review
• Basic Roaming Walkthrough
• Fast Secure Roaming Technologies
39. CUWN Architecture Review (split MAC: the AP handles the real-time functions, the WLC the non-real-time ones)
Real-time 802.11/MAC functionality (AP):
• Beacon generation
• Probe response
• Power management/packet buffering
• 802.11e/WMM scheduling, queueing
• MAC-layer data encryption/decryption
• 802.11 control messages
Non-real-time 802.11/MAC functionality (WLC):
• Assoc/Disassoc/Reassoc
• 802.11e/WMM resource reservation
• 802.1X/EAP
• Key management
Between AP and WLC: data encapsulation/de-encapsulation (CAPWAP), translational bridging (H-REAP local switching), fragmentation/de-fragmentation.
Mapping to the 802.11 services: Distribution Services; STA Services (Auth/Deauth/Privacy*); Wired/Wireless Integration Services.
40. 802.1X/EAP Choreography Revisited
41. Anatomy of a STA Roam: Initial Device Connection to Network
42. Anatomy of a STA Roam: Client Roam
43. Anatomy of a STA Roam: Summary of Important Points
• The STA chooses when to roam
• Without a fast secure roaming method, each time the STA connects to a new BSSID it must fully reauthenticate and rekey
• IP addresses get refreshed on roams (usually)
• How long does a roam take?
44. How Long Does a STA Roam Take?
• The time it takes for: client to disassociate + probe for and select a new AP + 802.11 association + 802.1X/EAP authentication + rekeying + IP address (re)acquisition
• All this can be on the order of seconds... Can we make this faster?
45. How Are We Going to Make Roaming Faster? Focus on where we can have the biggest impact:
• Eliminating the (re)IP address acquisition challenge
• Eliminating full 802.1X/EAP reauthentication
46. Roaming: Intra-Controller
• An intra-controller roam happens when a STA moves association between APs joined to the same controller
• The client must be re-authenticated and a new security session established (unless a fast secure roaming method is in use)
• The controller updates the client database entry with the new AP and the appropriate security context
• No IP address refresh needed
47/48. Roaming: Inter-Controller, Layer 2
• L2 inter-controller roam: the STA moves association between APs joined to different controllers, but client traffic is bridged onto the same subnet
• The client must be re-authenticated and a new security session established
• The client database entry is moved to the new controller
• WLCs must be in the same mobility group or domain
• No IP address refresh needed
• Account for the mobility message exchange in the network design
49/50. Roaming: Inter-Controller, Layer 3
• L3 inter-controller roam: the STA moves association between APs joined to different controllers, and client traffic would be bridged onto different subnets
• The client must be re-authenticated and a new security session established
• The client database entry is copied to the new controller: the entry exists in both WLC client DBs
• The original controller is tagged as the "anchor", the new controller as the "foreign"
• WLCs must be in the same mobility group or domain
• No IP address refresh needed: the client keeps the address it obtained on the anchor's subnet
• A symmetric traffic path is established: both directions of client traffic are carried between foreign and anchor (the asymmetric option was eliminated as of the 6.0 release)
• Account for the mobility message exchange in the network design
• Account for the EtherIP mobility tunnel (IP protocol 97) between foreign and anchor controllers in the traffic path, including any firewalls or ACLs between them
51. How Are We Going to Make Roaming Faster? (slide 45 repeated as a transition; next: eliminating full 802.1X/EAP reauthentication)
52. Cisco Centralized Key Management (CCKM)
• Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially with application-specific devices (ASDs)
• CCKM was originally a core feature of the "Structured Wireless Aware Network" (SWAN) architecture
• CCKM was ported to the CUWN architecture in the 3.2 release
• In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!
• CCKM is most widely implemented in ASDs, especially VoWLAN devices
• To work across WLCs, the WLCs must be in the same mobility group
• CCX-based laptops may not fully support CCKM: it depends on supplicant capabilities
53. PMKID Caching
• Optional component of the 802.11i specification
• Defines a "PMK Security Association" (PMKSA) that gets stored by the authenticator
• PMKSA includes: PMKID; lifetime; PMK (32 bytes); BSSID (6 bytes); client MAC (6 bytes); AKM (Authentication and Key Management) suite
• PMKID = HMAC-SHA1-128(PMK, "PMK Name" || BSSID || STA MAC), i.e. the first 128 bits of HMAC-SHA1 keyed with the PMK over the string "PMK Name", the authenticator address and the supplicant address
54. Opportunistic/Proactive Key Caching: Basic Mechanics
(Diagram: the STA sends an 802.11 Disassociation to the old AP, "I do not want to be associated to this BSSID anymore", then a Reassociation Request to the new AP, which forwards it to the WLC over CAPWAP.)
1. The WLC extracts the PMKID from the 802.11 (re)association request
2. The WLC computes the expected PMKID from the PMKSA it holds for the client and the other information it knows (new BSSID, client MAC)
3. The WLC compares the values: if they match, full 802.1X/EAP authentication is skipped and the WLC and client go directly to the four-way handshake; the WLC then updates the PMKSA in the client DB
4. If they don't match, the WLC sends the STA an EAP-Identity Request to initiate full 802.1X/EAP authentication
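The PMKID formula on slide 53 and the four OKC steps on slide 54, written out as an added example in Python. This is not code from the slides or from a Cisco WLC: the RSN IE builder/parser, PmkCache, supplicant_rsn_ie and handle_reassoc are illustrative names, and the PMK, MAC addresses and lifetimes are constructed test data. The supplicant side derives the PMKID for the target BSSID from its cached PMK and advertises it in the RSN IE of the reassociation request; the authenticator side recomputes the PMKID for the new BSSID from its PMKSA, compares, and either skips to the four-way handshake or falls back to full 802.1X/EAP.

```python
import hashlib
import hmac
import struct

RSN_ELEMENT_ID = 48   # 802.11 RSN information element ID
PMKID_LEN = 16        # HMAC-SHA1-128: the first 128 bits of the HMAC-SHA1 output


def pmkid(pmk: bytes, bssid: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) from 802.11i.
    AA is the authenticator (BSSID) address, SPA the supplicant (client) MAC.
    (SHA-256-based AKMs such as 802.11r FT use HMAC-SHA-256 instead.)"""
    if len(pmk) != 32 or len(bssid) != 6 or len(sta_mac) != 6:
        raise ValueError("PMK must be 32 bytes, MAC addresses 6 bytes")
    return hmac.new(pmk, b"PMK Name" + bssid + sta_mac, hashlib.sha1).digest()[:PMKID_LEN]


def build_rsn_ie(pmkids) -> bytes:
    """Minimal RSN IE (CCMP, 802.1X AKM) carrying a PMKID list, as a roaming
    supplicant includes it in its (re)association request."""
    body = struct.pack("<H", 1)                            # RSN version 1
    body += b"\x00\x0f\xac\x04"                            # group cipher: CCMP
    body += struct.pack("<H", 1) + b"\x00\x0f\xac\x04"     # one pairwise cipher: CCMP
    body += struct.pack("<H", 1) + b"\x00\x0f\xac\x01"     # one AKM: 802.1X
    body += struct.pack("<H", 0)                           # RSN capabilities
    if pmkids:
        body += struct.pack("<H", len(pmkids)) + b"".join(pmkids)
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


def parse_rsn_pmkids(ie: bytes) -> list:
    """OKC step 1: extract the PMKID list from an RSN IE. Every count field is
    bounds-checked against the element length before it is used."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or len(ie) != 2 + ie[1]:
        raise ValueError("not a well-formed RSN IE")
    body, off = ie[2:], 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(body):
            raise ValueError("RSN IE truncated")
        off += n
        return body[off - n:off]

    def u16() -> int:
        return struct.unpack("<H", take(2))[0]

    if u16() != 1:
        raise ValueError("unsupported RSN version")
    # The remaining fields are optional but, when present, appear in this order.
    if off == len(body):
        return []
    take(4)                          # group cipher suite
    if off == len(body):
        return []
    take(4 * u16())                  # pairwise cipher suite list
    if off == len(body):
        return []
    take(4 * u16())                  # AKM suite list
    if off == len(body):
        return []
    take(2)                          # RSN capabilities
    if off == len(body):
        return []
    return [take(PMKID_LEN) for _ in range(u16())]


class PmkCache:
    """Authenticator-side PMKSA store keyed by client MAC, holding the fields
    slide 53 lists: PMKID, lifetime, PMK, BSSID, client MAC and AKM."""

    def __init__(self):
        self._entries = {}

    def store(self, sta_mac, bssid, pmk, akm, lifetime_s, now):
        self._entries[sta_mac] = {"pmkid": pmkid(pmk, bssid, sta_mac), "pmk": pmk,
                                  "bssid": bssid, "akm": akm, "expires": now + lifetime_s}

    def okc_lookup(self, sta_mac, new_bssid, offered, now):
        """OKC steps 2-3: recompute the PMKID for the new BSSID from the cached PMK
        and compare it with every PMKID the client offered. Returns the PMK on a
        hit (and rebinds the PMKSA to the new BSSID), None on miss or expiry."""
        entry = self._entries.get(sta_mac)
        if entry is None or now >= entry["expires"]:
            return None
        expected = pmkid(entry["pmk"], new_bssid, sta_mac)
        if any(hmac.compare_digest(c, expected) for c in offered):
            entry["bssid"], entry["pmkid"] = new_bssid, expected   # lifetime is kept
            return entry["pmk"]
        return None


def supplicant_rsn_ie(pmk, new_bssid, sta_mac) -> bytes:
    """Client side of OKC: derive the PMKID for the target AP from the cached PMK."""
    return build_rsn_ie([pmkid(pmk, new_bssid, sta_mac)])


def handle_reassoc(cache, sta_mac, new_bssid, rsn_ie, now) -> str:
    """Authenticator decision on a reassociation request: straight to the
    four-way handshake on a PMKID hit, otherwise full 802.1X/EAP (step 4)."""
    try:
        offered = parse_rsn_pmkids(rsn_ie)
    except ValueError:
        offered = []                 # malformed IE: treat as no PMKID offered
    if cache.okc_lookup(sta_mac, new_bssid, offered, now) is None:
        return "full-802.1x-eap"     # WLC sends an EAP-Identity Request
    return "four-way-handshake"


if __name__ == "__main__":
    # Constructed test data, not captured from a real network.
    pmk = hashlib.sha256(b"example PMK from an EAP exchange").digest()  # 32 bytes
    sta = bytes.fromhex("001122aabbcc")
    ap1, ap2 = bytes.fromhex("00aabbcc0001"), bytes.fromhex("00aabbcc0002")
    cache = PmkCache()
    cache.store(sta, ap1, pmk, akm="802.1X", lifetime_s=3600, now=1000)
    print(handle_reassoc(cache, sta, ap2, supplicant_rsn_ie(pmk, ap2, sta), now=1500))
    print(handle_reassoc(cache, sta, ap2, supplicant_rsn_ie(bytes(32), ap2, sta), now=1500))
```

Two things worth keeping in mind when reading this. A matching PMKID only tells the authenticator which PMK to try; proof that the client actually holds that PMK comes from the MIC in the four-way handshake that follows, so a guessed or replayed PMKID gains an attacker nothing beyond a handshake that fails. On WPA2-Personal, by contrast, the PMK is derived from the passphrase, so a PMKID captured over the air is enough for an offline dictionary attack; that is another reason this session recommends WPA2-Enterprise.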
55. Proactive Key Caching: Basic Mechanics
56. OKC/PKC: Key Data Points
• Requires client/supplicant support
• Supported in Windows since XP SP2
• Many ASDs support OKC and/or PKC
• Check client support for TKIP vs. CCMP: mostly CCMP only
• Enabled by default on WLCs with WPA2
• Requires the WLCs to be in the same mobility group
• Important design note: pre-positioning of roaming clients consumes slots in the client DB
• In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range!
57. Standardization! 802.11r
• 802.11r is a ratified IEEE standard (802.11r-2008), based in large part on CCKM
• 802.11r: "Fast BSS (Basic Service Set) Transition"
• Also includes dynamic QoS (resource reservation) capabilities
• No commercially available clients at this point (July 2011)
• The Wi-Fi Alliance is planning/implementing 802.11r plugfests
• Cisco WLCs have implemented 802.11r (unsupported) since release 5.2
• In highly controlled over-the-air (OTA) test environments, 802.11r roam times are comparable to CCKM OTA times
58. How Are We Going to Make Roaming Faster? (slide 45 repeated as a recap: eliminating the (re)IP address acquisition challenge; eliminating full 802.1X/EAP reauthentication)
59. Design and Deployment Considerations
60. Section Agenda
• Roaming Domains
• Design Considerations for Roaming
• Client Roaming Behavior
• Special Case: H-REAP (FlexConnect) Groups
61. Roaming Domains: Mobility Group
• Mobility Group: a cluster of up to 24 controllers (regardless of type) that creates a seamless roaming domain
• Fast secure roaming technologies work across controllers within a Mobility Group
• Mobility messages are exchanged either unicast or multicast depending on configuration
Reference: http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html#wpmkr1100509
62. Roaming Domains: Mobility Domain
• A Mobility Domain is a seamless roaming domain of up to 3 Mobility Groups
• Max of 72 WLCs
• Seamless roaming == IP addressing is maintained
• Fast secure roaming does not work across Mobility Groups: clients crossing these boundaries will have to go through a full reauthentication, but will retain their IP address
Reference: http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html#wpmkr1100509
63. How Long Does a Client Really Take to Roam?
• Time to roam = client to disassociate + probe for and select a new AP + 802.11 association + mobility message exchange between WLCs + reauthentication + rekeying + IP address (re)acquisition
• Network latency will have an impact on these times: a consideration for controller placement
• With a fast secure roaming technology, roam times under 150 msec are consistently achievable, though mileage may vary
64. How Often Do Clients Roam?
• It depends... on the types of clients and applications
• Most client devices are designed to be "nomadic" rather than "mobile", though the proliferation of small form factor, "smart" devices will probably change this...
• Nomadic clients are usually programmed to try to avoid roaming... so set your expectations accordingly
• "SWAG" design rule of thumb: 10-20 roams per second for every 5000 clients
65. Designing a Mobility Group/Domain: Design Considerations
• Less roaming is better: clients and apps are happier
• While clients are authenticating/roaming, the WLC CPU is doing the processing; not as much of a big deal for the 5508, which has a dedicated management/control processor
• L3 roaming and fast roaming clients consume client DB slots on multiple controllers: consider "worst case" scenarios in designing the roaming domain size
• Leverage natural roaming domain boundaries
• Mobility message transport selection: multicast vs. unicast
• Make sure the right ports and protocols are allowed between controllers: mobility control messages on UDP 16666, the EtherIP mobility data tunnel on IP protocol 97, and CAPWAP on UDP 5246/5247 between APs and WLCs
66. Special Case: FlexConnect Groups
• Support for up to 20 FlexConnect Groups of up to 25 FlexConnect APs each
• APs in a FlexConnect Group share common configuration parameters like RADIUS servers
• Fast secure roaming via CCKM for locally switched clients is supported for all clients in a FlexConnect Group (L2 roaming only)
• CCKM keying material is provisioned locally, which allows CCKM to work in standalone mode (for existing clients when the AP transitions out of connected mode)
Note: FlexConnect is the new branding for Hybrid REAP (H-REAP).
Reference: http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70hreap.html#wp1133688
67. Questions?
68. Complete Your Online Session Evaluation
Receive 25 Cisco Preferred Access points for each session evaluation you complete. Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
69. Visit the Cisco Store for Related Titles: http://theciscostores.com
71. Thank you.