CISCO-LWAPP-WLAN-SECURITY-MIB

This MIB is intended to be implemented on all those
        devices operating as Central Controllers that
        terminate the Light Weight Access Point Protocol
        (LWAPP) tunnel from Cisco Light-weight LWAPP Access Points.
        
        Information provided by this MIB is for WLAN security
        related features as specified in the CCKM and CKIP
        specifications.
        
        The relationship between the controller and the 
        LWAPP APs is depicted as follows:
        
              +......+     +......+     +......+ 
              +      +     +      +     +      +
              +  CC  +     +  CC  +     +  CC  +
              +      +     +      +     +      +
              +......+     +......+     +......+
                ..            .             .   
                ..            .             .   
               .  .            .             .  
              .    .            .             . 
             .      .            .             .
            .        .            .             .
        +......+ +......+     +......+      +......+
        +      + +      +     +      +      +      +
        +  AP  + +  AP  +     +  AP  +      +  AP  +
        +      + +      +     +      +      +      +
        +......+ +......+     +......+      +......+
                   .              .             .
                 .  .              .             .
                .    .              .             .
               .      .              .             .
              .        .              .             .
           +......+ +......+     +......+      +......+
           +      + +      +     +      +      +      +
           +  MN  + +  MN  +     +  MN  +      +  MN  +
           +      + +      +     +      +      +      +
           +......+ +......+     +......+      +......+
        
        
        The LWAPP tunnel exists between the controller and
        the APs.  The MNs communicate with the APs through
        the protocol defined by the 802.11 standard.
        
        LWAPP APs, upon bootup, discover and join one of the
        controllers and the controller pushes the configuration,
        that includes the WLAN parameters, to the LWAPP APs.
        The APs then encapsulate all the 802.11 frames from
        wireless clients inside LWAPP frames and forward
        the LWAPP frames to the controller.
        
                           GLOSSARY
        
        802.1x
        
        The IEEE ratified standard for enforcing port based
        access control.  This was originally intended for
        use on wired LANs and later extended for use in
        802.11 WLAN environments.  This defines an
        architecture with three main parts - a supplicant
        (Ex. an 802.11 wireless client), an authenticator
        (the AP) and an authentication server(a Radius
server).  The authenticator passes messages back
        and forth between the supplicant and the
        authentication server to enable the supplicant
        to get authenticated to the network.
        
        Access Point ( AP )
        
        An entity that contains an 802.11 medium access
        control ( MAC ) and physical layer ( PHY ) interface
        and provides access to the distribution services via
        the wireless medium for associated clients.
        
LWAPP APs encapsulate all the 802.11 frames in
        LWAPP frames and send them to the controller to which
        they are logically connected.
        
        Advanced Encryption Standard ( AES )
        
        In cryptography, the Advanced Encryption Standard
        (AES), also known as Rijndael, is a block cipher
        adopted as an encryption standard by the US
        government. It is expected to be used worldwide
        and analysed extensively, as was the case with its
        predecessor, the Data Encryption Standard (DES).
        AES was adopted by National Institute of Standards
        and Technology (NIST) as US FIPS PUB 197 in
        November 2001 after a 5-year standardisation
        process.
        
        Central Controller ( CC )
        
The central entity that terminates the LWAPP protocol
        tunnel from the LWAPP APs.  Throughout this MIB,
        this entity is also referred to as 'controller'.
        
        Cisco Centralized Key Management ( CCKM )
        
The client and the AP exchange several EAPOL packets in the
        process of EAP authentication to determine a dynamic
        session key (NSK), which is used for encrypting
        packets between them.
        
        When a client moves to a new AP, it has to mutually
        authenticate with the new AP and derive a new NSK. This
        is done by a complete EAP authentication
        (which is time consuming and causes a noticeable delay
        in voice applications). Until that completes, no data
        packets are transmitted between the new AP and the
        client.
        
The CCKM implementation in the first controller caches
        the client's credentials (session, vlanid, ssid, etc.)
        and propagates them to the other controllers in the
        mobility group.
        
        Currently a set of controllers can be configured as
        part of a mobility group. If a client roams across
        access points associated to this set of controllers,
        then with the CCKM implementation in place, the L2
        authentication will not be repeated. To make this possible,
        a CCKM cache is maintained on each controller, and the
        first controller where the client gets associated updates
        the rest of the controllers in the mobility group. On later
        reassociations, the controller validates the CCKM-specific
        IE present in the request and allows the association.
        
        Wireless LAN Access Points (APs) manufactured by Cisco
        Systems have features and capabilities beyond those in
        related standards (e.g., IEEE 802.11 suite of
        standards, Wi-Fi recommendations by WECA, 802.1X
        security suite, etc). A number of features provide
        higher performance. For example, Cisco AP transmits a
        specific Information Element, which the clients adapt
        to for enhanced performance. Similarly, a number of
        features are implemented by means of proprietary
        Information Elements, which Cisco clients use in
        specific ways to carry out tasks above and beyond the
        standard.
        
        Other examples of feature categories are roaming and
        power saving.
        
        Cisco Key Integrity Protocol ( CKIP )
        
        A proprietary implementation similar to TKIP.  CKIP
        implements key permutation for protecting the CKIP
        key against attacks.  Other features of CKIP include
        expansion of encryption key to 16 bytes of length for
        key protection and MIC to ensure data integrity.
        
        Light Weight Access Point Protocol ( LWAPP )
        
        This is a generic protocol that defines the
        communication between the Access Points and the
        Central Controller.
        
        Mobile Node ( MN )
        
        A roaming 802.11 wireless device in a wireless
        network associated with an access point. Mobile Node
        and client are used interchangeably.
        
        Multilinear Modular Hash ( MMH )
        
        This is a message authentication code. The original
        message is run through the hash (with a secret key),
        and the code is the result.  The code is sent along
        with the original message.  The receiver of the
        message calculates the hash over the original message
        (also with the secret key) and compares the final
        message authentication code with the code sent with
        the message. If the two codes match, the receiver can
        be assured that the original message is authentic.
        
        Pre-Shared Key ( PSK )
        
        Pre-shared keys are normally used for
        interoperability purposes.  The basic idea is that
        two parties sharing a common secret can communicate
        securely.  This idea has been used since cryptography
        first sprung onto the scene.
        
        Temporal Key Integrity Protocol ( TKIP )
        
A security protocol defined to address the limitations
        of WEP.  A Message Integrity Check and per-packet keying
        on all WEP-encrypted frames are the two significant
        enhancements that TKIP provides over WEP.
        
        Wired Equivalent Privacy ( WEP )
        
        A security method defined by 802.11. WEP uses a
        symmetric key stream cipher called RC4 to encrypt the
        data packets.
        
        Wi-Fi Protected Access ( WPA )
        
        Wi-Fi Protected Access (WPA and WPA2) are security
        systems created in response to several serious
        weaknesses found in Wired Equivalent Privacy (WEP).
        WPA implements the majority of the IEEE 802.11i
        standard, and was intended as an intermediate
        measure to take the place of WEP while 802.11i was
        prepared. WPA is designed to work with all wireless
        network interface cards, but not necessarily with
        first generation wireless access points.
        
        REFERENCE
        
        [1] Wireless LAN Medium Access Control ( MAC ) and
        Physical Layer ( PHY ) Specifications,
        Amendment 6, MAC Security Enhancements.
        
        [2] draft-obara-capwap-lwapp-00.txt, IETF Light 
        Weight Access Point Protocol

Imported Objects

CLSecEncryptType, CLSecKeyFormat FROM CISCO-LWAPP-TC-MIB
cLWlanIndex FROM CISCO-LWAPP-WLAN-MIB
ciscoMgmt FROM CISCO-SMI
MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
MODULE-IDENTITY, OBJECT-TYPE, Unsigned32 FROM SNMPv2-SMI
TruthValue FROM SNMPv2-TC
ciscoLwappWlanSecurityMIB .1.3.6.1.4.1.9.9.521
ciscoLwappWlanSecurityMIBNotifs .1.3.6.1.4.1.9.9.521.0
ciscoLwappWlanSecurityMIBObjects .1.3.6.1.4.1.9.9.521.1
clwsCckmConfig .1.3.6.1.4.1.9.9.521.1.1
cLWSecDot11EssCckmTable .1.3.6.1.4.1.9.9.521.1.1.1
cLWSecDot11EssCckmEntry .1.3.6.1.4.1.9.9.521.1.1.1.1
cLWSecDot11EssCckmWpaSupport .1.3.6.1.4.1.9.9.521.1.1.1.1.1
cLWSecDot11EssCckmWpa1Security .1.3.6.1.4.1.9.9.521.1.1.1.1.2
cLWSecDot11EssCckmWpa1EncType .1.3.6.1.4.1.9.9.521.1.1.1.1.3
cLWSecDot11EssCckmWpa2Security .1.3.6.1.4.1.9.9.521.1.1.1.1.4
cLWSecDot11EssCckmWpa2EncType .1.3.6.1.4.1.9.9.521.1.1.1.1.5
cLWSecDot11EssCckmKeyMgmtMode .1.3.6.1.4.1.9.9.521.1.1.1.1.6
cLWSecDot11EssPskFmt .1.3.6.1.4.1.9.9.521.1.1.1.1.7
cLWSecDot11EssPsk .1.3.6.1.4.1.9.9.521.1.1.1.1.8
cLWSecDot11EssCckmGtkRandomize .1.3.6.1.4.1.9.9.521.1.1.1.1.9
cLWSecDot11EssFtEnable .1.3.6.1.4.1.9.9.521.1.1.1.1.10
cLWSecDot11EssFtReassocTime .1.3.6.1.4.1.9.9.521.1.1.1.1.11
cLWSecDot11EssFtOverDs .1.3.6.1.4.1.9.9.521.1.1.1.1.12
cLWSecDot11Ess11wPfm .1.3.6.1.4.1.9.9.521.1.1.1.1.13
cLWSecDot11EssRetryTime .1.3.6.1.4.1.9.9.521.1.1.1.1.14
cLWSecDot11EssComebackTime .1.3.6.1.4.1.9.9.521.1.1.1.1.15
cLWSecDot11EssCkipTable .1.3.6.1.4.1.9.9.521.1.1.2
cLWSecDot11EssCkipEntry .1.3.6.1.4.1.9.9.521.1.1.2.1
cLWSecDot11EssCkipSecurity .1.3.6.1.4.1.9.9.521.1.1.2.1.1
cLWSecDot11EssCkipKeyIndex .1.3.6.1.4.1.9.9.521.1.1.2.1.2
cLWSecDot11EssCkipKeyLength .1.3.6.1.4.1.9.9.521.1.1.2.1.3
cLWSecDot11EssCkipKeyFmt .1.3.6.1.4.1.9.9.521.1.1.2.1.4
cLWSecDot11EssCkipKey .1.3.6.1.4.1.9.9.521.1.1.2.1.5
cLWSecDot11EssCkipMMHMode .1.3.6.1.4.1.9.9.521.1.1.2.1.6
cLWSecDot11EssCkipKPEnable .1.3.6.1.4.1.9.9.521.1.1.2.1.7
clwsCkipConfig .1.3.6.1.4.1.9.9.521.1.2
clwsWebPolicyConfig .1.3.6.1.4.1.9.9.521.1.3
cLWSecDot11EssWebPolicyTable .1.3.6.1.4.1.9.9.521.1.3.1
cLWSecDot11EssWebPolicyEntry .1.3.6.1.4.1.9.9.521.1.3.1.1
cLWSecDot11EssWebPolicyCondRedirect .1.3.6.1.4.1.9.9.521.1.3.1.1.1
cLWSecDot11EssWebPolicySplashPageWebRedirect .1.3.6.1.4.1.9.9.521.1.3.1.1.2
ciscoLwappWlanSecurityMIBConform .1.3.6.1.4.1.9.9.521.2
ciscoLwappWlanSecurityMIBCompliances .1.3.6.1.4.1.9.9.521.2.1
ciscoLwappWlanSecurityMIBGroups .1.3.6.1.4.1.9.9.521.2.2
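As an added example (not code from Cisco or from this MIB), the following resolves instance OIDs from a controller walk against a subset of the OID registry listed above and reports WLANs where the legacy CKIP or WPA1 settings are still enabled. It assumes the walk output is in numeric `oid = value` form and that the security objects are SNMPv2-TC TruthValue (1 = true, 2 = false); both are assumptions, not stated by the MIB text on this page.

```python
# Subset of the MIB's OID registry, copied from the table on this page.
MIB_OIDS = {
    "cLWSecDot11EssCckmWpa1Security": ".1.3.6.1.4.1.9.9.521.1.1.1.1.2",
    "cLWSecDot11EssCckmWpa2Security": ".1.3.6.1.4.1.9.9.521.1.1.1.1.4",
    "cLWSecDot11EssCkipSecurity": ".1.3.6.1.4.1.9.9.521.1.1.2.1.1",
    "cLWSecDot11EssCkipKeyLength": ".1.3.6.1.4.1.9.9.521.1.1.2.1.3",
}
# Objects whose 'true' value means a legacy cipher suite is still enabled.
LEGACY = ("cLWSecDot11EssCkipSecurity", "cLWSecDot11EssCckmWpa1Security")
TRUE = 1  # assumption: these objects are SNMPv2-TC TruthValue (1 = true)

def _arcs(oid):
    return tuple(int(a) for a in oid.strip(".").split("."))

_BY_ARCS = {_arcs(oid): name for name, oid in MIB_OIDS.items()}

def resolve(instance_oid):
    """Longest-prefix match against the registry -> (objectName, index arcs)
    or None. For this page's tables the single index arc is cLWlanIndex."""
    arcs = _arcs(instance_oid)
    for cut in range(len(arcs), 0, -1):
        name = _BY_ARCS.get(arcs[:cut])
        if name is not None:
            return name, arcs[cut:]
    return None

def parse_walk(lines):
    """'oid = value' lines (numeric, snmpwalk -On style) -> (name, wlan, value)."""
    rows = []
    for line in lines:
        oid, _, value = line.partition("=")
        hit = resolve(oid.strip())
        if hit and len(hit[1]) == 1:  # skip unknown OIDs and non-table objects
            rows.append((hit[0], hit[1][0], int(value)))
    return rows

def audit_legacy_crypto(rows):
    """Map each WLAN index to the legacy objects that are enabled on it."""
    findings = {}
    for name, wlan, value in rows:
        if name in LEGACY and value == TRUE:
            findings.setdefault(wlan, []).append(name)
    return findings

# Constructed sample walk output, not captured from a real controller.
SAMPLE_WALK = [
    ".1.3.6.1.4.1.9.9.521.1.1.1.1.2.1 = 2",  # WLAN 1: WPA1 off
    ".1.3.6.1.4.1.9.9.521.1.1.1.1.4.1 = 1",  # WLAN 1: WPA2 on
    ".1.3.6.1.4.1.9.9.521.1.1.1.1.2.7 = 1",  # WLAN 7: WPA1 on
    ".1.3.6.1.4.1.9.9.521.1.1.2.1.1.7 = 1",  # WLAN 7: CKIP on
]
```

Running `audit_legacy_crypto(parse_walk(SAMPLE_WALK))` on the constructed sample reports WLAN 7 only.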