CCNA Wireless Study Guide
Waves, Frequencies, and RF
Waves – Wireless starts and ends with waves, specifically radio waves. There are different
modulation techniques to encode data onto a carrier wave signal. These techniques differ
between the 3 (now 4 with N) flavors of wireless, A, B, and G. DSSS (Direct Sequence
Spread Spectrum) is the modulation technique used by 802.11b, which uses “chipping
codes” to send redundant data to allow for interference. OFDM (Orthogonal Frequency
Division Multiplexing) is the modulation technique used by 802.11a and 802.11g. This
technique divides a channel into multiple subcarriers, similar to how a T1 is divided up. Data
is sent simultaneously over these subchannels to achieve redundancy and a combined higher
data rate. MIMO (Multiple-Input Multiple-Output) is the modulation technique used by
802.11n and allows a device to use more than 1 antenna for sending data and 1 antenna for
receiving data. This is the main thing that helps N products achieve such higher data rates
than a and b/g, along with many other advances in how signals are processed.
Frequencies – All wireless devices use unlicensed frequencies, meaning that you do not have
to apply for a license from the FCC to use them and they are subject to interference from
other devices. Within the frequencies assigned to a and b/g there are also “channels,” which
are the portion of the frequency that an individual device can use. This is less important for
802.11a devices as AP’s using 802.11a will automatically sense and choose a channel that is
less likely to conflict with the AP’s around it. A also has a lot more non-overlapping channels
to choose from – 23 within the 5GHz range of 802.11a. 802.11b only has 3 non-overlapping
channels to choose from within the 2.4Ghz range 802.11b uses. If 2 AP’s next to each other
are transmitting at on the same channel, the signal to noise ratio will rise and the bandwidth
available will decrease.
RF – Radio Frequency waves behave like light waves or any other waves. They are subject to
many issues that can degrade performance of a wireless network. Surveying before deploying
a network and periodically helps mitigate these issues. Absorbtion describes how waves are
blocked by walls or dampened by carpet. This is similar to how sound waves are absorbed.
Scattering is how waves are reflected by something in the air, like heavy rain. Refraction
describes how a wave’s path is altered by passing through something, such as think glass.
This is similar to what happens to light waves as they pass through a prism. Reflection
describes how waves bounce off of shiny or reflective objects, which can cause more noise as
wireless frames arrive out of order, causing a “multipath issue” where signals can become out
of phase and cancel each other out. Line of Sight can become an issue in wireless WAN
deployments as the curvature of the earth itself can become an obstacle, making taller towers
necessary. Signal-to-Noise Ratio is a measurement of how strong a signal is compared to all
the surrounding noise. This can be helpful when diagnosing issues with RF coverage or
deciding how to place AP’s.
WPAN, WLAN, WMAN, and WWAN – A WPAN (Wireless Personal Area network) is
limited to 20ft and is primarily for peripheral devices (mice, Bluetooth devices, etc), operates
on the unlicensed 2.4GHz spectrum and is generally limited to 8 active devices. It can also be
called a “piconet.” A WLAN (Wireless Local Area Network) operates on the 2.4 or 5 GHz
spectrum, spans about 100 meters from AP to client, and is more flexible to allow more than 8
devices. WLANs and their clients are dual-band, supporting different transmission methods in
different areas. A WMAN (Wireless Metropolitan Area Network) is slower than a WLAN,
but covers more distance with speeds closer to broadband. Also includes WiMAX. Speeds
decrease with distance. A WWAN (Wireless Wide Area Network) is essentially a wireless
WAN connection with low rates, high cost and a licensed frequency.
802.11 Topologies – Originally, there were 2 modes for 802.11 networks – Ad Hoc and
Infrastructure. Ad hoc networks are made by wireless clients without a central device
controlling them, like an AP. These are also called IBSS (Independent Basic Service Set) and
are frowned upon for enterprise use for a number of issues, many of them security related.
Network Infrastructure Mode is the one most commonly used in enterprises. When there is
only 1 AP, it is called a BSA or Basic Service Area or wireless cell, if more than 1 AP is
connected, then it is called a ESA or Extended Service Area.
SSID’s – Service Set Identifiers (SSIDs) are mapped to a MAC address on the AP that you
are connecting to. The MAC address can be the MAC address of the wireless radio on the AP
or a virtual one it generates. If an AP has only 1 SSID, it is called a BSSID or Basic Service
Set Identifier. If an AP has more than one SSID, it is called a MBSSID (Multiple Basic
Service Set Identifier.
Bridges – Cisco offers 2 types of workgroup bridges, which help extend a wired network to
an area you can’t run cable to. They are point-to-point wireless connections. Autonomous
Workgroup Bridge (aWGB) and Universal Workgroup Bridge (uWGB).
Repeaters – A repeater extends the reach of a WLAN and does not require a wired
connection. Regular Cisco AP’s can act as repeaters, but there is a performance hit with each
Outdoor Wireless Bridges – These connect wired LANs together in either a point-to-point
connection or point-to-multipoint connection, like from building to building. Aironet 1300
bridges and Aironet 1400 bridges can do this. A 1300 series will also connect clients and uses
the 2.4 GHz range. The 1400 uses the 5 GHz range.
Outdoor Mesh Networks – This allows a bunch of AP’s to form a mesh network. Requires
Polarization – RF waves are electro-magnetic waves, so like a magnet, they have
polarization. This is a bigger issue for outdoor deployments than indoor, but is one of the
reasons to be careful how you position an antenna.
Diversity – The use of 2 antennas for each radio to increase the odds of getting a good signal.
Omnidirectional – Across the Horizontal plane or Azimuth, the signal spreads fairly evenly.
In the veritical plane or Elevation plane, signal propagates mainly downward, meaning that an
AP on the ceiling will not bleed so much to the floor above. These are generally the most
2.2-dBi Dipole – Similar propagation to an omnidirectional, but with a doughnut shape in that
on the Elevation plane there are some gaps in the middle. These look like short plastic poles
and usually have a hinge where they can be bent.
Directional Antennas – Give more control over RF propagation, such as parabolic dishes and
8.5-dBi Patch, Wall Mount – Most signal is focused forward, with a little allowed to bleed
13.5 Yagi Antenna – Very directed, focused RF pattern, such as a straight shot down a
21-dBi Parabolic Dish – Very, very narrow path…must be calibrated correctly. Most allow
you to change polarity to make them easier to mount.
Antenna Connectors and Hardware:
Attenuators – reduces signal between the radio and antenna to comply with FCC regs.
Amplifiers – Adds gain to strengthen a signal between the AP and antenna.
Lightning Arrestors – Prevents surges from lightning strikes from traveling from an antenna
to a LAN and damaging equipment. Does not stop direct strikes.
Original 802.11 Protocol – RF tech: FHSS (Frequency Hopping Spread Spectrum) and
DSSS (Direct Sequence Spread Spectrum), Coding: Barker 11, Not used today because it only
yields 1 to 2 Mbps.
802.11b Protocol – RF tech: DSSS, 2.4GHz spectrum, Coding: Barker 11 and CCK
(Complementary Code Keying), Modulation: DQPSK (Differential Quadrature Phase-Shift
Keying). Gives data rates of 1,2,5.5, and 11 Mbps and has 3 non-overlapping channels of 1, 6,
11. Backwards compatible with original 802.11.
802.11g Protocol – RF tech: DSSS and OFDM (Orthogonal Frequency Division
Multiplexing), 2.4 GHz spectrum, Coding: Barker 11 and CCK, Data rates of 1, 2, 5.5, 11
Mbps with DSSS and 6, 9, 12, 18, 24, 36, 48, and 54 Mbps with OFDM and has the same 3
non-overlapping channels as b. Backwards compatible with original 802.11 and b.
802.11a Protocol – Not compatible with original 802.11, b, or g. uses 5GHz spectrum, RF
tech: OFDM, Coding: Convolution Coding, Modulation: BPSK, QPSK, and 16 or 64-QAM.
Data Rates are 6, 9, 12, 18, 24, 36, 48, and 54 Mbps with OFDM. Multiple non-overlapping
channels – AP’s automatically choose a channel not in use by adjacent AP’s.
802.11n Protocol – Backward compatible with ALL 802.11 protocols. Uses MIMO
(Multiple-Input, Multiple-Output) to achieve higher data rates even for a, b, and g clients,
Less harmed by interference and reflection. Up to 32 data rates.
Wireless Frame Transmission
Management Frames – Used for association and anything else to do with leaving or joining
Control Frames – ACK’s for when data frames are received.
Data Frames – Duh…they contain data.
Wireless LANs use CSMA/CA (Carrier Sense Multiple Access Collision Avoidance). This
means they listen to the network and wait a designated time before attempting to send data.
This period is called the IFS (Interframe Space) and can vary according to the type of client or
SIFS (Short Interframe Space) – Higher priority. Used for ACKs and others
PIFS (Point-coordination Interframe Space) – Used when an AP is going to control the
DIFS (Distributed-coordination Interframe Space) – The normal spacing between frames.
Used for data frames.
A client starts counting down a random timer. If it hears nothing during that timer, it sends
frames. If it does, it adds 45 to it’s current count and continues counting down until it hears
nothing, then sends. The total time it has to wait is called a Contention Window.
Wireless Frame Headers:
A Wireless Frame Header can have up to 3 MAC addresses in it. The Source and Destination
MAC addresses and a BSSID, which is also a MAC address. Wireless frames are larger than
Ethernet frames and often have to be fragmented before bridged to the wired network.
RTS/CTS – If a AP is controlling the network, the client will send a RTS or “Request to
Send” to see if it is allowed to take a turn sending frames. If it is, the AP will respond with a
CTS or “Clear To Send” response telling the client to proceed.
Other Wireless and How They Mess Your WLAN Up!
Cordless Phones – Not too common anymore, but they do interfere with wireless since they
operate either at 2.4GHz or 5.8GHz. They use TDMA (Time Division Multiple Access) or
FDMA (Frequency Division Multiple Access) to allow several devices to use the same
frequency at the same time on different “channels.”
Bluetooth – Interfers with b/g WLANs as it operates at 2.4GHz, but has limited range. Uses
FHSS (Frequency Hopping Spread Spectrum) so it will jump to a different frequency within
that range to minimize interference. Considered a piconet or WPAN. Connects multiple slave
devices to one master device for its topology.
ZigBee – Another WPAN technology, mostly used for monitoring devices. Has a funky
topology with stars and clusters with some full function devices and some coordinators or
reduced function devices.
WiMAX – Doesn’t interfere with WLAN’s, but is basically a wireless broadband solution for
WAN links to the internet.
Other Culprits of Interference – Leaky Microwaves (huge problem in real life!), Wireless
X11 cameras, Radar Systems, Motion Sensors, Fluorescent Lighting, Game Controllers and
How Packets Get To and From a Wireless Network From a Wired
Association – A client either passively scans a network to see what SSID’s are being
broadcast by a beacon from the AP or actively scans sending a probe request for a specific
SSID that may or may not be being broadcast. If the client hears a beacon or receives a probe
response, the client sends an authentication request to the AP for the desired SSID. The AP
should respond with an authentication response. If this is successful, the client sends an
association request that includes client info like data rates and the AP responds with an
association response that contains the AP’s info like data rates. The client chooses a data rate
based on the RSSI (Received Signal Strength Indicator) and the SNR (Signal-to-Noise Ratio).
The client is now associated.
Sending to a Host on Another Subnet – 1. Client decides to send traffic to another host. 2.
Client determines that the other host is not on their subnet. 3. Client decides to send the traffic
to its default gateway. 4. Client looks up gateway in ARP, but it’s not there. 5. Client sends an
ARP request to the AP for the gateway. 6. The AP sends the ARP request to its controller
using the LWAPP (Lightweight Wireless Access Point Protocol) across the wired network,
encapsulating it into a 6 byte header for the trip. 7. The Controller opens the LWAPP frame
and reads the ARP request and rewrites the ARP request into an Ethernet frame and sends that
across the wired network as a broadcast. All the switches that receive this broadcast flood it
out all ports except the one it was received on. 8. A layer 3 device receives the ARP request
broadcast and responds with a unicast ARP response which is received by the WLAN
controller. 9. The controller rewrites the Ethernet frame into a 802.11 frame and adds a
LWAPP header and sends it to the AP. 10. The AP removes the LWAPP header and exposes
the 802.11 frame which contains the ARP response. 11. The AP buffers the frame and starts a
backoff timer and goes through the usual process of waiting for a free moment to send. It then
sends the frame to the client.
Vlans – In order for multiple SSID’s to be able to be used on an AP, a logical Vlan must be
assigned to the SSID, which allows different SSID’s to have different subnets. APs using
multiple Vlans and SSID’s need to have trunk ports between them and the switch they are
connected to. Configuring Vlan’s is covered in the CCNA, but suffice it to say an SSID is
mapped to one logical subnet and one logical Vlan.
Cisco Unified Wireless LANs
CUWN (Cisco Unified Wireless LAN) – Cisco’s Lightweight wireless infrastructure which
moves some tasks from the Access Point (AP) to the Wireless LAN Controller (WLC) using
what they call the “Split MAC Architecture.” AP’s send information to and from the WLC
using LWAPP (Lightweight Wireless Access Point Protocol) and the WLC can make
decisions boosting or weakening AP signal strength to provide better coverage, boosting the
power of AP’s around an AP that has failed, containing rogue AP’s, etc. A WLC can manage
from 6-300 AP’s. WCS (Wireless Control System) can then control multiple controllers.
Cisco Controllers and AP’s:
The AP Handles – Frame exchange, beaconing, buffering and transmitting frames, responds
to probe requests, forwards notifications of receive probe requests to WLC, provides RRM
(Radio Resource Management) information regarding quality to WLC, monitors all channels
for noise and interference.
The WLC handles – Association, Reassociation when roaming occurs, Authentication,
Frame Translation and Bridging.
Layer 2 LWAPP Mode – Being deprecated by Cisco. WLC has to be in the same subnet as
the AP’s it controls.
Layer 3 LWAPP – Cisco’s preferred mode. LWAPP travels across subnets and the WLC can
be in a different subnet than the AP’s.
WLC’s can support up to 512 Vlan’s. All data regardless of the SSID/Vlan is sent in 1 tunnel
from the AP to the WLC via LWAPP. The WLC can only have 16 SSID’s per each AP,
Clients – Aironet Client Devices, Cisco-compatible client devices, Cisco Secure Services
1130AG – Can operate as autonomous or lightweight and H-REAP (Hybrid Remote Edge
AP). Designed for Indoor use. Supports 802.11a/b/g
1240AG – Has same features as 1130’s but only uses external antennas.
1250 Series – Supports 802.11a/b/g/n. Designed for rugged environments, uses 2x3 MIMO
technology with external antennas.
1300 Series AP/Bridge – Outdoor AP or Bridge. Does not have a 5GHz radio, so only
supports 802.11b/g. Can be purchased with integrated antennas or connectors for external
antennas. Has a special power supply.
1400 Wireless Bridge – Can only operate as a bridge and cannot connect clients. Does not
support LWAPP and is autonomous only. Designed for outdoor environments and can be
purchased with an internal antenna or connectors for an external antenna. Supports
4400 Series WLC – Supports 12, 25, 50, or 100 AP’s depending on model. Can support up to
5,000 MAC addresses in database. AP and controller must run the same code version, but the
controller will upgrade or downgrade the AP.
3750-G WLC – A WLC integrated into a small switch with the swich and WLC sharing a
backplace. Saves space and ports.
Cisco WiSM (Wireless Services Module) – Blade that installs in a 6500 or 7600 chassis,
sharing a backplane. WiSM supports up to 300 Ap’s or 150 AP’s per controller with each
blade having 2 controllers. Allows clustering of AP’s into a mobility domain.
Cisco 2106 WLC – Same form factor as ASA 5505’s. Small branch controller with 2 PoE
switchports. Supports up to 6 AP’s.
Cisco WLCM – Another small branch controller designed to be added to an ISR router as a
module. Supports 8 or 12 Ap’s, depending on model.
Runs on Windows or Linux Red Hat servers. Manages up to 3,000 lightweight AP’s and 1250
Autonomous AP’s. If you add WCS Navigator, it scales above 3,000 AP’s by letting you
navigate between several WCS servers. Also works with Wireless Location Application to
track RFID tags.
Controller Discovery and Association
LWAPP Layer 2 Transport Mode – Again, not preferred by Cisco, AP and WLC must be
on the same Subnet. All LWAPP communication is in Ethernet encapsulated frames, not IP
LWAPP Layer 3 Transport Mode – Preferred due to scalability. Frames are encapsulated in
UDP. You need to make sure any firewalls between the AP’s and the controller allow UDP
port 12222 for LWAPP data messages and UDP port 12223 for LWAPP control messages. A
1500 MTU is assumed, but can be changed.
LWAPP AP Controller Discovery
1. Discovery Mode – An AP boots and enters Discovery Mode. It sends a layer 2 broadcast
Discovery Request message. If this fails (unless we have a LWAPP layer 2 transport mode in
use, it will), it goes to step 2.
2. The AP moves to layer 3 by checking its config for an IP address. If it doesn’t have one, it
uses Dhcp to get one.
3. The AP gets an IP address from the dhcp server. If the dhcp server has DHCP option 43
configured to give the AP an IP address for a controller, the AP now uses that to try to contact
4. If no IP address for a WLC was configured on the dhcp server and no WLC has responded
to the layer 2 Discovery Request broadcast, the AP reverts back to layer2 broadcasts and tries
IOS-Based AP’s only do a Layer 3 Discovery, as Follows:
1. AP does a subnet broadcast to see if a controller is operating in Layer 3 mode on its subnet.
2. The AP does an OTAP (Over-the-air-Provisioning)
3. When other AP’s exist and are in a joined state with a WLC, they send messages to the
WLC that have the IP address of the controller in them. The AP that is trying to discover the
WLC can overhear these and get the WLC IP address from them and send a directed
Discovery Message to it.
4. After an AP has associated with at least 1 WLC, the AP gets a list of other controllers from
the WLC that it can associate with. This gets stored in NVRAM and can be used to skip
straight to a directed Discovery Message the next time the AP reboots. This is called AP
***You can also use DNS to set an entry for CISCO-LWAPP-Controller for the IP address of
a WLC management interface. The AP can use this address to send a unicast query.
Choosing a Controller
1. The AP chooses the primary controller if it has been primed.
2. The AP chooses the secondary controller, then the tertiary controller if it has been primed.
3. If no information is available, it looks for a master controller. Each mobility group should
4. If all the above fail, the AP looks for the least-loaded AP-Manager interface based on the
number of AP’s being managed.
5. The AP sends the WLC it has chosen a Join Message. The WLC should respond with a Join
Reply message which includes the result code, allowing them to talk, it’s certificate, and a test
payload to see if jumbo frames will work. This completes the Join Request Phase.
Receiving a Configuration
If the AP is not running the correct software version, the controller upgrades or downgrades it
at this point. If this is necessary, the AP reboots and discovers and rejoins the WLC. Once the
software versions match, the AP prompts the WLC for a config by sending a LWAPP config
request message that contains what is already set and what can be configured. When the WLC
gets this request, it send a configure response message with the values. The AP applies the
config in RAM…it is never stored in flash as on an autonomous AP.
Redundancy for APs and WLC’s
N+1 – Provides a single backup for multiple controllers. This strategy fails if more than 1
controller goes down.
N+N – Each Controller backs up another controller . Load balancing is important here.
N+N+1 – Most redundant design with every controller acting as a backup to another and an
extra backup designated as the tertiary. $$$
Local Mode – usual AP mode serving clients. Can also be used for site surveys
Monitor Mode – Passive and cannot send traffic or associate clients. Used for finding rogue
AP’s, troubleshooting, surveying, or IDS matches. Can be used with location appliance to
Sniffer Mode – Cannot send traffic or associate clients. Works with 3rd party sniffer software
to capture data for troubleshooting and forensics.
Rogue Detection Mode – Radios are turned off and cannot associate clients or send traffic.
Listens for ARP messages on the wired network and sends information about rogue AP and
client MAC list to controller for controller to issue alarms.
H-REAP Mode – Allows you to have lightweight AP’s across a WAN link from their
controller. Link must be faster than 128kbps and latency must be less than 100ms roundtrip.
Connected mode means the AP can reach the controller. If the WAN link fails, the AP goes
into Standalone mode and all client requests are serviced based on a config that is local to the
AP (basically, it reverts back to autonomous).
Bridge Mode – Allow point-to-point or multi-point links. Mainly used in Mesh networks.
Roaming…no Buffalo…just Roaming
Mobility Groups – A group of controllers that share information about clients that are
roaming. Think a group of controllers in one building on a campus. A client does not need to
reassociate when moving between AP’s on different controllers in a mobility group and keeps
the same IP even if the AP it roams to is in a different subnet.
Mobility Domain – A group of mobility groups or controllers in different mobility groups
that share information regarding their clients. Think of two buildings connected in a
campus…this might be 2 different mobility groups, but 1 mobility domain. Users roaming
between AP’s on different controllers in different mobility groups that are in the same
mobility domain do not need to reassociate, but they do have to get a new IP address. Users
who roam from an AP on a controller in one mobility domain to a controller in a completely
different mobility domain do have to reassociate completely as if connecting for the first time
and will lose connection.
Roaming Requirements – All controllers have to be in the same mobility domain. All
WLC’s must be on the same code version. All WLC’s have to operate in the same LWAPP
mode. ACL’s (Access Control Lists) in the network must be the same. The SSID must be the
Layer 2 Versus Layer 3 Roaming – Layer 2 roaming takes place when a client roams from 1
AP to another that are both in the same network and the client keeps the same IP address.
Layer 3 roaming happens when a client roams from one AP on one subnet to another AP on a
completely different subnet where both AP’s have the same SSID. The client keeps the same
IP address in both cases and no data is lost as they roam.
Asymmetric Tunneling – Traffic from the client is routed to the destination, regardless of its
source address, and the new traffic is sent to its original controller, called and anchor and is
tunneled to the new controller.
Symmetric Tunneling – All traffic is tunneled from the client to the anchor controller, sent to
the destination, returned to the anchor controller, and then tunneled back to the client via the
Mobility Anchors – Also called guest tunneling or anchor mobility. All the traffic that
belongs to a WLAN is tunneled to a predefined WLC or set of WLC’s. This is particularly
good to anchor guest devices to a WLC in the DMZ for security. This is done on a per WLAN
WLAN = SSID and all its parameters
Port – Ties together a VLAN and SSIDs.
Management Interface – The “IP Address” of the controller. AP’s use this IP to discover the
controller and mobility groups exchange information using it.
AP Manager Interface – This address is the source address for LWAPP communication
between the WLC and the AP. It has to be unique, but can be in the same subnet as the
Virtual Interface – Controls the Layer 3 security and mobility manager communications for
all the physical ports of the WLC. This interface also has the DNS gateway hostname used by
Layer 3 security and mobility managers to verify certificates. If you configure users to have to
log in to a web page to authenticate to use the network (like for guest access), this is the IP
address they will be redirected to.
Service Port – Out of Band management, system recovery, and maintenance purposes. This
is the only port on the controller that is active in boot mode. It does not auto-sense.
Migrating Standalone (Autonomous) AP’s to LWAPP
The IOS to LWAPP Conversion Utility – Software that runs in windows. Will upgrade
Ap’s running version 12.3(7)JA or above for WLC’s running version 3.1 or later. Uses a .txt
file with information about the AP’s you wish to upgrade and a tftp server to send image files
Cisco Mobility Express
Small Business Communication System – Designed to be able to grow with a small
business, the hardware does not work with their enterprise systems. Allows for the
management advantages fo the CUWN without as much cost or equipment. Only supports
growth up to 12 AP’s total.
Cisco Unified Communication 500 Series for Small Businesses – Long name, but it
includes a dhcp server and can support up to 48 users.
Cisco Unified IP Phones
Cisco Monitor Director
Cisco Mobility Solution, Including:
Cisco 526 Wireless Express Controller – Each controller can support up to 6 AP’s with 2
controllers supported. Provides guest access, Voice-over-WLAN, LWAPP, Same
authentication architectures as enterprise, wired/wireless network virtualization, and
management with CCA. (Cisco Configuration Assistant).
Cisco 521 Wireless Express Access Point – Can only communicate with the 526 Wireless
Express Controller, so it cannot be used in an enterprise environment, only supports
802.11b/g, otherwise similar to 1130AG AP’s.
Microsoft Windows Zero Configuration Utility (WZC) – Probably the least preferred, least
secure, and most troublesome way to connect. This one is fairly familiar to anyone who has
set up a windows PC for wireless. A major security hole is that, if unable to join a
broadcasting network, it will automatically attempt to create its own ad hoc network and
allow others to connect to it, in the background, with no notification to the user that this is
happening. It will also automatically connect to any ad hoc network it finds if it cannot
connect to an infrastructure network.
Apple AirPort Extreme – This GUI is actually pretty nice, with very intuitive settings. No
glaringly obvious security holes.
Linux NetworkManager – GUI tool available in many different Linux distros…similar to
tools for Macs and PC’s and not tested for the CCNA-Wireless
Cisco Aironet Desktop Utility (ADU) – Cisco offers cardbus and PCI card WLAN NICs and
this is the utility used to manage them on a PC. It also has a utility for the system tray called
the Aironet System Tray Utility. It’s better than the WZC, but I prefer other utilities when I
have the chance. A few advantages it has though are the ability to give a SNR (Signal-to-
Noise Ratio) reading from the client and the ability to do basic site surveying with it. You can
use the Aironet Configuration Administration Utility (ACAU) to automate the creation of
client profiles if you have a lot of these cards in your enterprise.
Cisco Secure Services Client (SSC) – Cisco’s alternative to the WZC for those with
Wireless NICs from other vendors. Requires a license for the client and has a utility as well to
create client profiles for distribution called the SSCAU (Secure Services Client
CCX (Cisco Client Extension) Program – basically certifies that devices will work with
Cisco AP’s and infrastructure. On the AP side, using all CCX compatible clients means the
AP can change some settings on the client side and gives you more control over how they
Threats Unique to WLAN’s:
Ad Hoc Networks – This allows 2 or more clients to connect to each other bypassing
corporate security policies. An attacker could form an ad hoc network and trick users to
connect to that network and steal data or use their connection to the corporate network as a
way to then gain access.
Rogue AP’s – An AP outside the corporate infrastructure that could be friendly or malicious.
You have to track them down to determine if they are just a neighboring office building’s
network or something that has been brought in from home, or part of a malicious attack.
Attackers try to get users to connect to the rogue and gain access or steal data from them. A
user may unwittingly attach an AP to the corporate network, allowing an attacker to bypass
corporate security policies and gain access to the network.
Client Misassociation – An attacker spoofs the SSID of a network a client device has already
connected to and the client utilities use the cached information about that SSID to
automatically connect to the spoofed SSID, sometimes without the client’s knowledge. This
can be done by sending false beacon messages or management frame spoofing.
Management Frame Protection (MFP) – This helps prevent a client misassociation attack.
Each management frame gets a MIC (Message Integrity Check) added to it before the FCS
(Frame Check Sequence). Each WLAN (SSID) gets a unique key sent to each radio on the
AP. If anyone tries to spoof the frames or mess with the contents and does not have this key, it
invalidates the message. Client MFP can be used with CCX (Cisco Compatible Extensions) 5
or better on the client. Here the client can talk to the AP and find out what the MIC is and it
can also verify that the management frames it receives match this MIC. This will also keep a
neighboring AP from attacking your network with deauthentication messages (essentially
trying to contain your AP as if it were a rogue) since clients will know that these deauth
messages did not come from your AP.
Attacks Used on Both Wired and Wireless Networks:
Reconnaissance Attacks – An attacker tries to gain info about your network (port scanning,
Access Attacks – An attacker tries to get access to data, devices, or the network. (Includes
trying to crack pre-shared keys, etc.)
DoS (Denial of Service) Attacks – An attacker tries to prevent users from getting services
they need. An example might be someone putting AP’s at the edge of your property and then
trying to contain your AP’s as if they were rogues.
Open – Suitable only for guest access to a network. Pretty much no authentication. These
users should only be given internet access.
PSK (Pre-shared Key) with WEP (Wired Equivalent Privacy) – Actually considered less
secure than Open authentication. Keys are easily broken and then the attacker has access.
Uses RC4 encryption method, which is weak. Key sizes are 40bit, 104bit, and 128bit, but
Windows will not support the 128 bit. All sizes are easily cracked. MAC Address filtering
helps little because MACs are easily spoofed.
EAP (Extensible Authentication Protocol)/ 802.1x – Much better authentication and
encryption. This has a 3-way handshake to authenticate and requires an external AAA server
EAP-TLS – Requires PKI (Public Key Infrastructure) certificates on the supplicant (client)
and the authentication server. Considered most secure and an encrypted tunnel protects the
EAP-FAST – Does not require PKI certificates, but uses a strong shared secret key called a
PAC (Protected Access Credential) that is unique on every client. Is considered the successor
to Cisco LEAP (Lightweight Extensible Authentication Protocol).
PEAP(Protected EAP) – Only a server-side certificate is needed, which is used to create an
encrypted tunnel where the real authentication takes place. PEAP uses MS-CHAPv2 or GTC
(Generic Token Card) to authenticate users
LEAP – Vulnerable to an offline exploit, being deprecated.
WPA – Uses TKIP (Temporal Key Integrity Protocol) to automatically change keys. Can
support AES (Advanced Encryption Standard) optionally. Uses stronger encryption (TKIP vs.
RC4) than WEP and a larger IV (initialization vector). 2 Modes offered – Enterprise mode
(requires a Radius server and uses TKIP with AES available) Personal – Uses PSK (preshared
keys) vs. RADIUS, so it is weaker, but more friendly to home environments.
WPA2 – Mandates AES, TKIP is not available. Only allows the AES/CCMP (Advanced
Encryption Standard-Cipher Block Chaining Message Authentication Code Protocol) version
of AES. Key Management allows keys to be cached to allow for faster connections.
WCS (Wireless Control System)
Linux – Will support 3,000 AP’s and 250 Controllers with Red Hat ES/AS Linux Release 4
or better, Intel Xeon Quad 3.15-GHz CPU or better, and 8Gig RAM or better, and a 200Gig
Windows – Will support 2,000 AP’s and 150 controllers with Windows Server 2003 or
better, Pentium 4/2.06 GHz or better, 2G RAM, and a 30G HD or better.
Licenses – There are 2 license options here – Base and Base with Location which allows you
to use a Location appliance for RFID tag tracking.
Templates – Allow for faster, more uniform configuration of controllers
Auto Provisioning – Allows a new, unconfigured controller to automatically grab a
configuration from the WCS server.
Heat Maps – Can be used for a basic RF prediction (Not always as accurate as a site survey),
and once deployed, show real-time RF info and location and status of AP’s.