AP 1230 and 4400 controller issue

tang.andy
Level 1

Hi,

Recently, my boss asked the security questions below. Please help...

1) As we are using WPA2-AES, is it the best security in terms of authentication?

2) I understand there is a "PMK" something used with WPA2-AES, but where is the PMK kept/cached? (in AP1230 or controller or W2003?)

3) If in AP, how can I secure the rest of path? If in controller, how can I secure the data along the path back to network? If in W2003, really no idea ~~!

4) I know LWAPP is running between AP and controller. The question is whether LWAPP encrypts data. If not, do I need to install a VPN client on all PCs? Sorry that we are not using a Cisco VPN solution; can it still work? In fact, I assume we are using WPA2-AES, which already encrypts all traffic from the wireless client back to the controller!!!

5) As in question 4, in case LWAPP doesn't encrypt traffic, can I just enable something like an IPSec/3DES/AES tunnel between AP and controller or between AP and our Nortel Contivity VPN box?

As these are the questions raised by my boss today, I'd appreciate any help.

Andy

2 Replies

fredn
Cisco Employee

Lots of questions.. so here goes...

Q1: As we are using WPA2-AES, is it the best security in terms of authentication?

A1: Both WPA and WPA2 may use either 802.1X authentication or Pre-Shared Key (PSK) authentication. There are no known vulnerabilities to WPA or WPA2 encryption protocols. As with any network user authentication, the authentication method used for WLAN (either 802.1X or PSK) should employ good user authentication policies (robust passwords, one-time passwords/ token server, etc.) in order to maintain network integrity. AES-CCM is considered by most cryptographic experts to be superior to stream ciphers (such as the RC4 stream cipher used in WPA-TKIP).

Q2: I understand there is a "PMK" something used with WPA2-AES, but where is the PMK kept/cached? (in AP1230 or controller or W2003?)

A2: Pairwise Master Key (PMK) caching is enabled with WPA2 to decrease roaming latency and reduce load on RADIUS servers. The PMK is always stored at the 802.1X authenticator (and the client device), which is the Controller in the case of the Cisco Unified Network.

Q3:If in AP, how can I secure the rest of path? If in controller, how can I secure the data along the path back to network? If in W2003, really no idea ~~!

A3: The Master Key is derived and passed to the controller via RADIUS messaging over the wired network. Any key that must be exchanged between an AP and controller is encrypted via the LWAPP protocol. Note that the Master Key is never passed over the wireless network.

Q4: I know LWAPP is running between AP and controller. The question is whether LWAPP encrypts data. If not, do I need to install a VPN client on all PCs? Sorry that we are not using a Cisco VPN solution; can it still work? In fact, I assume we are using WPA2-AES, which already encrypts all traffic from the wireless client back to the controller!!!

A4: LWAPP encrypts control data between APs and controller; client data payload is not encrypted between APs and controller. When using WPA2-AES, the packets are encrypted over the wireless network, but are not encrypted in LWAPP.

Q5: As in question 4, in case LWAPP doesn't encrypt traffic, can I just enable something like an IPSec/3DES/AES tunnel between AP and controller or between AP and our Nortel Contivity VPN box?

A5: It is possible to employ VPN termination (IPSEC) on properly equipped controllers. It is also possible to employ an external VPN concentrator with the Cisco Unified Solution. Generally, VPN is used for client devices which do not support WPA security.
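
Where the PMK lives (A2) and what actually crosses the air when a cached PMK is reused, as an added illustration that is not part of the thread and not Cisco code: both ends derive the PMK locally (shown here for the WPA2-PSK case via PBKDF2; with 802.1X the PMK comes from the EAP MSK that RADIUS delivers to the authenticator, which the script does not model), and the client's reassociation request carries only a 16-byte PMKID naming that PMK, never the PMK itself. The passphrase/SSID pair is the IEEE 802.11i Annex H test vector; the MAC addresses and the PmkCache class standing in for the controller's cache are constructed assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample inputs (not from the thread). "password"/"IEEE" is the
# IEEE 802.11i Annex H PBKDF2 test vector, so the derived PMK is checkable.
PASSPHRASE = "password"
SSID = "IEEE"
AP_BSSID = bytes.fromhex("001122aabb01")    # authenticator address (AA), hypothetical
CLIENT_MAC = bytes.fromhex("00aabbccddee")  # supplicant address (SPA), hypothetical


def derive_pmk_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iters, 32 bytes).
    With 802.1X the PMK is instead taken from the EAP MSK the RADIUS server hands
    the authenticator; either way each side holds it locally."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)


def compute_pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): a 16-byte name for a
    cached PMK. This identifier, not the PMK, is what the client sends in the air."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class PmkCache:
    """Stand-in for the authenticator's (controller's) PMK cache. Hypothetical
    class for illustration; entries are keyed by (SPA, PMKID)."""

    def __init__(self) -> None:
        self._entries = {}

    def store(self, pmk: bytes, aa: bytes, spa: bytes) -> bytes:
        pmkid = compute_pmkid(pmk, aa, spa)
        self._entries[(spa, pmkid)] = pmk
        return pmkid

    def lookup(self, spa: bytes, pmkid: bytes) -> Optional[bytes]:
        """Reassociation: a hit skips 802.1X and goes straight to the 4-way
        handshake; a miss forces full authentication."""
        return self._entries.get((spa, pmkid))


def reassociation_demo() -> dict:
    """Cached-key reassociation between a simulated client and the cache."""
    # Both sides derive the same PMK independently; nothing is transmitted.
    pmk_client = derive_pmk_psk(PASSPHRASE, SSID)
    pmk_authenticator = derive_pmk_psk(PASSPHRASE, SSID)
    cache = PmkCache()
    cache.store(pmk_authenticator, AP_BSSID, CLIENT_MAC)

    # The client's reassociation request carries only the PMKID in its RSN IE.
    presented = compute_pmkid(pmk_client, AP_BSSID, CLIENT_MAC)
    hit = cache.lookup(CLIENT_MAC, presented)

    # A different station replaying the same PMKID gets nothing back.
    stranger = bytes.fromhex("00deadbeef00")
    miss = cache.lookup(stranger, presented)

    return {
        "pmk_hex": pmk_client.hex(),
        "pmkid_hex": presented.hex(),
        "bytes_sent_in_air": len(presented),
        "cache_hit": hit == pmk_authenticator,
        "stranger_hit": miss is not None,
    }


if __name__ == "__main__":
    for key, value in reassociation_demo().items():
        print(f"{key}: {value}")
```

The lookup is keyed on the supplicant address as well as the PMKID, so a replayed PMKID from another MAC misses; the PMK itself still only ever exists at the two endpoints that derived it, which is the point of A2 and A3.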

The response really helps. Thanks! There is one more question.

Q6: Apart from deploying a VPN client for internal users, is there any way to secure the wired side, as LWAPP doesn't encrypt the payload (I think this is the root cause of my boss's concern!!!)? Can I enable something (like IPSec) on top of LWAPP between the AP and controller?

Thanks

Andy
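
A4 says client payload is not encrypted inside LWAPP, and Q6 is about exactly that exposure on the wired side. The following added Python (not from the thread and not Cisco code) shows how to confirm the claim from a capture between AP and controller: it parses the LWAPP transport header as laid out in RFC 5412, separates the control channel (C bit set, which LWAPP protects with AES-CCM) from the data channel, and for data frames reads the 802.11 Protected Frame bit to tell whether the carried client payload is still ciphertext or readable. The three datagrams, the MAC addresses and the HTTP body are constructed samples; any Cisco wire detail beyond the RFC header layout is an assumption.

```python
import struct

# LWAPP transport header (RFC 5412 section 3): VER(2) RID(3) C(1) F(1) L(1),
# Frag ID(8), Length(16), Status/WLANs(16), then the payload.
LWAPP_HDR = struct.Struct("!BBHH")
FLAG_C, FLAG_F, FLAG_L = 0x04, 0x02, 0x01


def build_lwapp(payload: bytes, control: bool) -> bytes:
    """Encapsulate one unfragmented LWAPP message (VER=0, RID=0)."""
    flags = FLAG_L | (FLAG_C if control else 0)
    return LWAPP_HDR.pack(flags, 0, len(payload), 0) + payload


def build_80211_data(src: bytes, bssid: bytes, dst: bytes, body: bytes,
                     protected: bool) -> bytes:
    """Minimal 802.11 data frame, station->AP (ToDS=1), no QoS. Frame Control is
    little-endian: byte 0 = type/subtype (data = 0x08), byte 1 = flags, with
    the Protected Frame bit at 0x40."""
    fc1 = 0x01 | (0x40 if protected else 0)
    hdr = bytes([0x08, fc1]) + b"\x00\x00" + bssid + src + dst + b"\x10\x00"
    if protected:
        body = bytes(8) + body   # encrypted frames carry an 8-byte CCMP header first
    return hdr + body


def inspect_lwapp(dgram: bytes) -> dict:
    """Classify one LWAPP UDP payload and report whether the client data it
    carries is readable on the wire. Nothing is decrypted; only flag bits are read."""
    if len(dgram) < LWAPP_HDR.size:
        raise ValueError("datagram shorter than LWAPP header")
    flags, _frag_id, length, _status = LWAPP_HDR.unpack_from(dgram)
    if flags & FLAG_C:
        # Control channel: protected by LWAPP's own AES-CCM, nothing to read.
        return {"kind": "control", "protected": True, "cleartext": None}
    frame = dgram[LWAPP_HDR.size:LWAPP_HDR.size + length]
    if len(frame) < 24:
        return {"kind": "truncated", "protected": None, "cleartext": None}
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:
        # 802.11 management/control frames are not client payload.
        return {"kind": "80211-non-data", "protected": None, "cleartext": None}
    to_ds, from_ds = fc1 & 0x01, (fc1 >> 1) & 0x01
    protected = bool(fc1 & 0x40)
    hlen = 24
    if to_ds and from_ds:
        hlen += 6                # Address 4 present
    if (fc0 >> 4) & 0x8:
        hlen += 2                # QoS Control present
    body = frame[hlen:]
    return {"kind": "data", "protected": protected,
            "cleartext": None if protected else body}


# Constructed sample traffic (hypothetical addresses and content).
STA = bytes.fromhex("00aabbccddee")
BSSID = bytes.fromhex("001122aabb01")
GATEWAY = bytes.fromhex("00000c07ac01")
CLIENT_BODY = (bytes.fromhex("aaaa030000000800")      # LLC/SNAP, EtherType IPv4
               + b"GET /login?user=andy&pw=hunter2 HTTP/1.0\r\n")

DATA_DGRAM = build_lwapp(build_80211_data(STA, BSSID, GATEWAY, CLIENT_BODY, False), False)
PROTECTED_DGRAM = build_lwapp(build_80211_data(STA, BSSID, GATEWAY, CLIENT_BODY, True), False)
CONTROL_DGRAM = build_lwapp(bytes(range(0x10, 0x30)), True)   # opaque ciphertext stand-in


if __name__ == "__main__":
    for name, dgram in (("data", DATA_DGRAM), ("protected", PROTECTED_DGRAM),
                        ("control", CONTROL_DGRAM)):
        result = inspect_lwapp(dgram)
        print(f"{name:9s} kind={result['kind']:15s} protected={result['protected']} "
              f"cleartext={result['cleartext']!r}")
```

To run this against a real link, mirror the switch port facing the controller and feed the UDP payload of each packet on the LWAPP ports (12222 data, 12223 control; an assumption about the deployment, check your own configuration) into inspect_lwapp. A data-channel frame with Protected=0 and a readable body is the on-the-wire evidence behind the concern in Q6.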
