This MIB is intended to be implemented on all those
devices operating as Central Controllers (CC) that
terminate the Light Weight Access Point Protocol
tunnel from Cisco Light-weight LWAPP Access Points.
This MIB helps to manage the WLANs on the controller.
The relationship between CC and the LWAPP APs
can be depicted as follows:
      +......+      +......+ +......+ +......+
      +      +      +      + +      + +      +
      +  CC  +      +  CC  + +  CC  + +  CC  +
      +      +      +      + +      + +      +
      +......+      +......+ +......+ +......+
         ..            .        .        .
         . .           .        .        .
        .   .          .        .        .
       .     .         .        .        .
      .       .        .        .        .
     .         .       .        .        .
  +......+ +......+ +......+ +......+ +......+
  +      + +      + +      + +      + +      +
  +  AP  + +  AP  + +  AP  + +  AP  + +  AP  +
  +      + +      + +      + +      + +      +
  +......+ +......+ +......+ +......+ +......+
     .        .        .        .        .
     .        .        .        .        .
     .        .        .        .        .
     .        .        .        .        .
     .        .        .        .        .
  +......+ +......+ +......+ +......+ +......+
  +      + +      + +      + +      + +      +
  +  MN  + +  MN  + +  MN  + +  MN  + +  MN  +
  +      + +      + +      + +      + +      +
  +......+ +......+ +......+ +......+ +......+
The LWAPP tunnel exists between the controller and
the APs. The MNs communicate with the APs through
the protocol defined by the 802.11 standard.
LWAPP APs, upon bootup, discover and join one of the
controllers, and the controller pushes the configuration,
which includes the WLAN parameters, to the LWAPP APs.
The APs then encapsulate all the 802.11 frames from
wireless clients inside LWAPP frames and forward
the LWAPP frames to the controller.
GLOSSARY
Access Point ( AP )
An entity that contains an 802.11 medium access
control ( MAC ) and physical layer ( PHY ) interface
and provides access to the distribution services via
the wireless medium for associated clients.
LWAPP APs encapsulate all the 802.11 frames in
LWAPP frames and send them to the controller to which
they are logically connected.
Central Controller ( CC )
The central entity that terminates the LWAPP protocol
tunnel from the LWAPP APs. Throughout this MIB,
this entity is also referred to as 'controller'.
Light Weight Access Point Protocol ( LWAPP )
This is a generic protocol that defines the
communication between the Access Points and the
controllers.
Mobile Node ( MN )
A roaming 802.11 wireless device in a wireless
network associated with an access point.
Access Control List ( ACL )
A list of rules used to restrict the traffic reaching
an interface, the CPU or a WLAN. Each ACL is an ordered
set of rules and actions. If a rule matches, then the
action for that rule is applied to the packet.
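To make the "ordered set of rules, first match wins" semantics concrete, here is a small ACL evaluator (an added example, not part of this MIB or of Cisco's implementation) that applies first-match and also flags rules an earlier rule has made unreachable, the usual way a mis-ordered WLAN ACL silently permits what it was meant to deny. The implicit deny at the end, the CIDR/protocol/port rule fields and the sample addresses are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"  # wildcard network for src/dst (convention of this example)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    src: str                     # source network, CIDR notation
    dst: str                     # destination network, CIDR notation
    proto: str = "any"           # "any", "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None means any destination port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

def evaluate(acl: list, pkt: Packet) -> tuple:
    """Walk the ordered rule list; the first match decides the action.
    A packet matching no rule is dropped (implicit deny, assumed here)."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.dport in (None, inner.dport))

def shadowed_rules(acl: list) -> list:
    """Names of rules that can never fire because an earlier rule covers them."""
    return [later.name for i, later in enumerate(acl)
            if any(covers(earlier, later) for earlier in acl[:i])]

# Constructed sample: a broad permit placed ahead of the deny meant to keep
# wireless clients off the management subnet; FIXED_ACL moves the deny up.
BROKEN_ACL = [Rule("permit-dns", "permit", "10.10.0.0/16", ANY, "udp", 53),
              Rule("permit-all", "permit", ANY, ANY),
              Rule("deny-mgmt", "deny", "10.10.0.0/16", "10.0.0.0/24")]
FIXED_ACL = [BROKEN_ACL[0], BROKEN_ACL[2], BROKEN_ACL[1]]
```

Running shadowed_rules over an ACL before pushing it to the controller catches the mis-ordering that evaluate alone only reveals once a packet is sent.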
802.1x
The IEEE-ratified standard for enforcing port-based
access control. This was originally intended for
use on wired LANs and later extended for use in
802.11 WLAN environments. This defines an
architecture with three main parts - a supplicant
(e.g. an 802.11 wireless client), an authenticator
(the AP) and an authentication server (a RADIUS
server). The authenticator passes messages back
and forth between the supplicant and the
authentication server to enable the supplicant
to get authenticated to the network.
Temporal Key Integrity Protocol ( TKIP )
A security protocol defined to address the limitations
of WEP. A Message Integrity Check and per-packet keying
on all WEP-encrypted frames are two significant
enhancements provided by TKIP over WEP.
Cisco Key Integrity Protocol ( CKIP )
A proprietary implementation similar to TKIP. CKIP
implements key permutation for protecting the CKIP
key against attacks. Other features of CKIP include
expansion of the encryption key to 16 bytes for
key protection and a MIC to ensure data integrity.
Wired Equivalent Privacy ( WEP )
A security method defined by 802.11. WEP uses a
symmetric key stream cipher called RC4 to encrypt the
data packets.
Wi-Fi Protected Access ( WPA )
Wi-Fi Protected Access (WPA and WPA2) are security
systems created in response to several serious
weaknesses found in Wired Equivalent Privacy (WEP).
WPA implements the majority of the IEEE 802.11i
standard, and was intended as an intermediate
measure to take the place of WEP while 802.11i was
prepared. WPA is designed to work with all wireless
network interface cards, but not necessarily with
first generation wireless access points.
WLAN Layer 2 Security
WLAN layer 2 (MAC) security defines the encryption and
authentication approaches such as 802.1x, WPA,
WPA2, CKIP and WEP.
Delivery Traffic Indication Map ( DTIM )
DTIM is measured in beacon intervals and is the time
period during which multicast/broadcast packets are
sent to clients. This lets clients enter power-save
mode between DTIMs and conserves battery power.
Network Admission Control (NAC)
Cisco NAC uses the network infrastructure to enforce security
policy compliance on all devices that seek to access network
computing resources. With the Cisco NAC appliance, network
administrators can authenticate, authorize, evaluate, and
remediate wired, wireless, and remote users and their machines
prior to network access. The Cisco NAC appliance identifies
whether networked devices such as laptops, IP phones, or game
consoles are compliant with network security policies, and
repairs any vulnerabilities before it permits access to the
network.
Out of Band (OOB)
Out-of-band deployments require user traffic to traverse
the NAC appliance only during authentication, posture
assessment, and remediation. When a user is authenticated and
passes all policy checks, the traffic is switched normally
through the network and bypasses the NAC server.
Band Select
The 2.4 GHz band is congested and clients have to contend with
numerous performance challenges. These consist of interference
from Bluetooth, microwave ovens, cordless phones, etc.;
protection mechanisms from 802.11b legacy clients; and
co-channel interference from other access points due to
802.11bg's limit of three non-overlapping channels. Allowing
client Wi-Fi radios capable of dual band (2.4 and 5 GHz)
operation to move to the less congested 5 GHz radios would improve
the overall performance of the network.
The Band Select algorithm is based on probe response suppression
on the client's 2.4 GHz radio. The feature is OFF by default and has to
be manually switched ON globally for a WLC. It can optionally be
overridden per SSID to disallow it.
Network Access Identifier ( NAI )
In order to provide roaming services, it is necessary
to have a standardized method for identifying users.
NAI is actually the user identity submitted by the client
during network authentication.
KTS (Key Telephone System)
Key Telephone System is an alternative to a private branch exchange (PBX)
phone system. A KTS is equipped with several buttons that allow a caller to
directly select outgoing lines or incoming calls, and use intercom and
conference facilities.
NAS-ID (Network Access Server Identifier)
The NAS-ID string is sent to the RADIUS server by the WLC (acting
as RADIUS client) in the authentication request. The RADIUS server
can use it to classify users into different groups and reply with
a customized authentication response.
Quality of Service (QoS)
Quality of service (QoS) refers to several related
aspects of telephony and computer networks that allow the
transport of traffic with special requirements.
In particular, much technology has been developed to allow
computer networks to become as useful as telephone networks
for audio conversations, as well as supporting new applications
with even stricter service demands.
Virtual LAN (VLAN)
In computer networking, virtual local area network,
virtual LAN or VLAN is a concept of partitioning a
physical network, so that distinct broadcast domains
are created. This is usually achieved on switch or router devices.