Getting Started with HP Wireless Networks. Version 10.41

Transcription

1 Getting Started with HP Wireless Networks Version 10.41

2 Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. This is an HP copyrighted work that may not be reproduced without the written permission of HP. You may not use these materials to deliver training to any person outside of your organization without the written permission of HP. Getting Started with HP Wireless Networks Rev

3 Contents Getting Started with HP Mobility Introduction... 1 Review Module 1: Wireless LAN Technologies Objectives Introduction to overview Definition of Physical and Data Link Layers Physical properties of a wireless signal RF bands and channels Modulation schemes b a g n introduction n and MIMO b/g channels a channels Channel boundaries n channel bonding Comparison of a/b/g/n a, b, g, or n? Data rate and signal strength Data rate versus actual throughput Shaping the wireless signal Three dimensions Summary: Wireless LAN Technologies Review Module 2: Basics of WLAN Configuration Objectives Lesson 1: Introduction Ad hoc network Infrastructure mode In-cell relay mode BSS and BSSID ESS and ESSID WLAN Open versus closed WLANs Active and passive scanning Authentication and association process Rev i

4 HP E-Series Networking Technologies Open system authentication Shared-key authentication Limitations of shared-key authentication association Lesson 1: Summary Lesson 2: Introduction Standalone and controlled APs Controlled APs WLAN access controllers Wireless bridge WLAN architectures Standalone WLAN architecture Centralized WLAN architecture Optimized WLAN architecture Distributing traffic Lesson 2: Summary Lesson 3: Introduction PoE standards PoE support in HP switches Advantages of using PoE and PoE Lesson 3: Summary Review Module 3: WLAN Security Basics Objectives Unsecured wireless networks Authentication, data privacy, and integrity Security options overview MAC-Auth Advantages Disadvantages WEP WEP advantages and disadvantages Advantages Disadvantages Development of WPA and WPA Authentication options for WPA and WPA WPA/WPA2-PSK WPA/WPA2-PSK advantages and disadvantages Advantages Disadvantages WPA/WPA2 with 802.1X WPA/WPA2 with 802.1X advantages and disadvantages Advantages Disadvantages Web-Auth ii Rev

5 Contents Web-Auth advantages and disadvantages Advantages Disadvantages Wireless security options at a glance Module 3: Summary Review Module 4: HP E-MSM Solutions for SMBs Objectives SMB requirements HP E-Series E-Series AP overview HP E-MSM4xx APs HP E-MSM3XX APs HP E-MSM HP E9552, E9152, E8760, E7760, and E-M110 APs HP E-MSM415 RF Security Sensor E-M111 Client Bridge HP E-MSM Controllers Optimized WLAN architecture for E-Series Module 4: Summary Review Module 5: HP Networking Mobility for the Enterprise Objectives Implement and manage a converged network Manage users and control their access Future growth A-Series controllers Unified wireless and wired network Advanced features HP A-WA2x00 Series APs HP wireless bridges HP A3000G wireless switch series HP A-WX WLAN Controllers A-Series controller modules Summary Rev iii

6 HP E-Series Networking Technologies iv Rev

7 Getting Started with HP Mobility Review Introduction This reference guide to Getting Started with HP Mobility is a review guide for the Getting Started with HP Mobility Web-based training course. This course introduces you to the fundamental technologies behind today s wireless networks and is designed to prepare you for the more in-depth instructor-led AIS certification training courses. This guide may be used as a handy reference and will serve as an excellent review of basic technologies when preparing for your AIS certification exam. The topics covered in this review are: Wireless LAN technologies Basics of WLAN configuration WLAN security basics HP E-Series solutions for SMBs HP A-Series solutions for the enterprise Rev Introduction 1

8 Getting Started with HP Wireless Networks Introduction 2 Rev

9 Wireless LAN Technologies Review Module 1 Objectives This module briefly describes the benefits wireless networks provide both businesses and consumers, and then outlines the standards that govern these wireless networks. After completing this module, you should be able to: Describe the benefits wireless networks provide contemporary business networks Describe the characteristics of wireless signals, including factors that affect transmission speed, throughput, and signal strength Discuss the impetus behind the creation of the n standard and describe its features Describe the main features, advantages, and disadvantages of the a, b, g, and n standards Compare and contrast directional and omnidirectional antennas Describe appropriate deployments for various n standards Rev

10 Getting Started with HP Wireless Networks Introduction to Figure 1-1: Introduction to Wireless networking extends Internet and network access to more people and locations than ever before. No matter where people go hotels, coffee shops, bookstores, or airports they expect to have wireless access to the Internet, allowing them to access their favorite Web sites, , or even their office network. In workplaces such as retail shops, manufacturing warehouses, and hospitals, employees rely on wireless networks to do their jobs as they roam through hallways and patient rooms. Likewise, in office environments, employees are using wireless networks to increase their productivity by accessing the applications and data they need in meeting rooms, cafeterias, and common work areas. This lesson introduces you to the technologies used to build the wireless networks these consumers and working professionals rely on. 1 2 Rev

11 Wireless LAN Technologies overview Figure 1-2: overview Wireless networks are based on a set of standards developed by the Institute of Electrical and Electronics Engineers (IEEE). Together these standards are collectively called the standard, or simply Specific subsets within that standard are indicated by lowercase letters such as a, b, g, and n after the 11. This module focuses on the subsets listed here: a, b, g, and n. Rev

12 Getting Started with HP Wireless Networks Definition of Physical and Data Link Layers The Physical Layer controls the physical medium (radio waves). The Data Link Layer describes the protocols that control data transfer across Layer 1. Figure 1-3: Definition of Physical and Data Link Layers The IEEE published the original standard in An addition to the 802 family of standards, which define the functions of wired LANs, defined the Physical and Data Link Layers of wireless networks. In other words, the original standard adapted the well-understood LAN standard for a network that uses radio waves as its physical medium. The Physical Layer controls the physical medium, defining the electrical and mechanical specifications for the network connections. For a wireless network, the physical medium consists of the radio waves. The Data Link Layer describes the procedures (called protocols) that control data transfer across the physical infrastructure at Layer 1. The standard defines the behavior of devices such as access points (APs) and wireless stations on a wireless network. For example, it defines the physical properties such as modulation schemes, radio frequency bands, channels, and transmission speeds that the APs and wireless stations use to establish the wireless network and transmit data. 1 4 Rev

13 Wireless LAN Technologies Physical properties of a wireless signal The physical properties of a wireless signal include: Modulation scheme Radio frequency band Transmission speeds Channel Figure 1-4: Physical properties of a wireless signal To fully understand the standards, you should understand the basic physical properties they define. A modulation scheme is used to encode data onto a radio wave. A radio frequency band is a range of frequencies in the spectrum of electromagnetic waves. Transmissions speeds are the rates at which data can be sent over the radio medium. A channel is a narrow band of contiguous wireless frequencies that has been assigned a number. Rev

14 Getting Started with HP Wireless Networks RF bands and channels Figure 1-5: RF bands and channels Typically, a radio frequency (RF) band is a range of frequencies that is defined or reserved for a particular use. For wireless networking devices, the standard defines two frequency bands 2.4 GHz and 5 GHz which are in the larger super high frequency (SHF) band. Other devices, such as cordless phones, operate in the SHF band. Such devices can cause interference for wireless networking devices operating in the same vicinity. Within the 2.4 GHz and 5 GHz frequency bands, the standard defines channels. As mentioned, each channel is a band of contiguous frequencies that is designated as a single unit for transmission and assigned a number. (You will learn more about channels later in this module.) 1 6 Rev

15 Wireless LAN Technologies Modulation schemes Figure 1-6: Modulation schemes In addition to defining frequency bands and channels, the standard defines several modulation schemes. For the purposes of this course, it is not necessary to know the exact details of each modulation scheme, but you should know that wireless networking devices use these modulation schemes to encode data so that it can be physically transmitted over radio waves. Over time, the IEEE has developed modulation schemes that can encode more data in the same radio wave, thereby increasing possible transmission speeds. Note Wireless modulation schemes should not be confused with encryption methods. Without additional security measures, data transmitted over radio waves is not encrypted. It is accessible to anyone with compatible equipment. Rev

16 Getting Started with HP Wireless Networks b Figure 1-7: b Now that you understand the types of physical properties that are defined in the standard, let s take a look at specific subsets within that standard, starting with b, the first widely adopted wireless standard. Adopted in 1999 by the IEEE, b operates in the 2.4 GHz range. Within its RF band, the b standard defined 14 channels. Many vendors offered b access points (APs) and wireless network interface cards (NICs), and the products were inexpensive. However, network interference from devices such as microwave ovens and some cordless and wireless phone, which operate in the same band, left users wanting better performance from their wireless networks. 1 8 Rev

17 Wireless LAN Technologies a Figure 1-8: a Although, as the name implies, work began on a first, it took longer to complete and was adopted after b a not only increased transmission speeds substantially, but also provided support for more channels. The higher speeds came at the cost of range, however: to achieve the highest transmission speeds, a devices must be 25 to 50 percent closer together than b devices. Also, a uses a different RF band (5 GHz) than b uses. As a result, a is not backward compatible with b. The 5 GHz band is tightly regulated, so vendors must ensure that their devices comply with these regulations. The tighter regulations mean that this RF band is less crowded than the 2.4 GHz band used by b, and, therefore, less prone to interference. Rev

18 Getting Started with HP Wireless Networks g Figure 1-9: g g was the next revision adopted. This standard matches the speed of a but is compatible with b. That is, you can configure APs operating at g speeds to also provide access for b devices. As you would expect, g supports the same channels as b. When an AP supports both g and b stations, it makes some adjustments that reduce the throughput for g stations. Throughput should not be confused with transmission speed. Transmission speed is the AP s actual signaling rate as it transmits data. Throughput, on the other hand, measure what devices actually receive. Many factors affect throughput on wireless networks. For example, all stations must share the radio and take turns transmitting data, and the AP must send broadcast and management frames at the speed that all stations in the wireless cell support. To guarantee higher throughput for g stations, you can configure g devices to ignore b equipment in the vicinity Rev

19 Wireless LAN Technologies ni ntroduction Figure 1-10: n introduction Users are demanding more from their wireless networks, especially higher speeds to support applications such as videoconferencing. In fact, many users are wanting to use the more convenient wireless access to replace their wired connection altogether. Adopted in 2009, n meets these demands. It increases transmission speeds, improves reliability, and extends the operating distance of wireless networks. Operating in both the 2.4 and 5 GHz bands, n is backward compatible with a/b/g. Rev

20 Getting Started with HP Wireless Networks n and MIMO Figure 1-11: n and MIMO One reason n can achieve such high throughput is its multiple input multiple output (MIMO) design. Devices that support MIMO use multiple transceivers, each of which sends part of the data stream. Each transmission can take a different path to the receiver. Devices that receive the data stream also have multiple transceivers, which combine the multiple transmissions into a single data stream. Multiple data streams transmitted simultaneously effectively multiply the bandwidth Rev

21 Wireless LAN Technologies b/g channels Figure 1-12: b/g channels b and g standards define 83.5 MHz of bandwidth in the 2.4 GHz band. This bandwidth is divided into 14 channels beginning at Thirteen of the 14 channels are spaced 5 MHz apart. That is, the center frequency of channel 1 is GHz; the center frequency of channel 2 is GHz, and so forth. Channel 14, designed specifically for Japan, has its center frequency at GHz, 12 MHz from channel 13 s. Of the 14 channels, Europe, Latin America, and Asia Pacific support 1 through 13, while North America allows only channels up to 11. Japan supports all 14. It is important that you understand the spectral placement of b/g channels because signals spread up to 22 MHz from the center frequency. Because channels are spaced only 5 MHz apart, channels overlap up to 5 channels on each side. For example, if you look at channel 4 in the illustration above, you can see it overlaps with channels 1, 2, 3, 5, and 6. Dividing the spectrum into channels allows wireless APs in the same area to operate without interfering with each other: radios are simply tuned to transmit on frequencies that do not overlap one another at the boundaries. Because different regulatory agencies permit different channels, the non-overlapping channels you can use will vary based on your country. Wireless designers in North America typically work with channels 1, 6, and 11 to avoid interference from overlapping channels. Designers in other regions can also use those three channels or channels 1, 7, and 13. As long as you use non-overlapping channels, you can place your APs in close proximity to each other and not worry about interference. Rev

22 Getting Started with HP Wireless Networks a channels Sample of channels supported in the 5GHz band Figure 1-13: a channels The a standard provides more non-overlapping channels and more channels overall than b/g a channels are spaced every 20 MHz because a single a standard encompasses four channel numbers. For example, as the illustration shows, the center frequency of channel 36 is 20 MHz below the center frequency of channel 40 (5.20 GHz). (Note that the illustration shows only some of the a channels.) The 5 GHz frequency band is more tightly regulated than the 2.4 GHz band. The allowed channels vary, depending on the country where you are implementing the wireless network Rev

23 Wireless LAN Technologies Channel boundaries Transmit Spectrum Mask b/g channels 0dBr Unfiltered slnx/x 30 dbr fc 22 MHz fc 11 MHz fc 50 dbr fc +22 MHz fc +11 MHz Transmit Spectrum Mask a channels Unfiltered slnx/x fc 20 MHz fc 10 MHz fc fc +20 MHz fc +10 MHz Figure 1-14: Channel boundaries The b and g standards dictate that, at 11 MHz above and below any one of the center frequencies in the 2.4 GHz band, the signal should be onethousandth the strength (30 db lower) of the signal at the center frequency. Similarly, while the a channel boundaries lie 20 MHz above and below the center frequency, the signal is significant only over a 20 MHz range around the center frequency. As with the b and g standards, the a allowed channels vary depending on regulatory domain. For the a, b, and g standards, the Federal Communications Commission (FCC) regulates wireless networks in the United States, and in Europe the European Telecommunications Standards Institute (ETSI) defines allowed sets of channels. Local regulatory bodies adopt one of these sets and may add some local exceptions or restrictions. Rev

24 Getting Started with HP Wireless Networks n channel bonding Figure 1-15: channel bonding When operating in the 2.4 GHz band, n supports the same channels as b / g. Likewise, when operating in the 5 GHz band, n supports the same channels as a. However, n provides an important enhancement: using channel bonding, n can combine two adjacent 20 MHz channels into a single 40 MHz channel. Bandwidth is more than doubled because the guard band between the two 20 MHz channels can be removed when they are bonded. (The guard band is used to prevent interference between channels.) Channel bonding is typically used in the 5 GHz frequency band because it has more non-overlapping channels. Because the 2.4 GHz frequency band has only three nonoverlapping 20 MHz channels, bonding two 20 MHz channels leaves only one nonoverlapping channel Rev

25 Wireless LAN Technologies Comparison of a/b/g/n Standard Speed Ratified Comparison of a/b/g/n 16 Rev. XX Transmission RF Band Date Advantages a 6-54 Mbps 5 GHz 1999 Less crowded RF band More nonoverlapping channels b 1-11 Mbps 2.4 GHz 1999 Inexpensive equipment g 6-54 Mbps 2.4GHz 2003 Inexpensive equipment Backward compatible with b n Up to 600 Mbps 2.4 or 5 GHz 2009 Highest transmission speeds Ability to operate in 2.4 or 5 GHz band Increased range Disadvantages More regulated Not backward compatible with b Shorter range to reach maximum speeds Slow transmission speeds More crowded RF band Fewer nonoverlapping channels More crowded RF band Fewer nonoverlapping channels Figure 1-16: Comparison of a/b/g/n This table provides a quick comparison of t h e802.11a/b/g/n standards, including transmission rates, RF band, year ratified, and some of the main advantages and disadvantages of each. Rev

26 Getting Started with HP Wireless Networks a, b, g, or n? To determine which standard(s) your network needs to support, you must consider the following: Usage Equipment Frequency band Figure 1-17: a, b, g, or n? When you design a wireless network solution, one of the first decisions you must make is to determine which standard or standards the network will support. To make this decision, you must consider: Usage As you have learned, different standards provide different amounts of bandwidth per AP radio. Therefore, you must consider how many users will typically access each radio and the types of applications that these users will run. For example, if users are accessing video applications or using voice over IP, they will need a lot of bandwidth. Equipment The wireless stations, in addition to the wireless AP, must support the standard that you select. In some environments you can choose the equipment; in others you must work with the equipment that users bring (most stations now support at least a/b/g). Frequency band Sometimes the 5 GHz frequency band used by a and n exhibits less interference than the 2.4 GHz band used by b/g and n. However, the 5 GHz band is also more highly regulated by governments. A site survey can help you select the best frequency for your environment Rev

27 Wireless LAN Technologies Data rate and signal strength Figure 1-18: Data rate and signal strength To design a wireless network, you must also understand data rates and signal strength. Each AP advertises two types of data rates: Basic rates, which are used to transmit management frames, multicast frames, and broadcast frames Supported rates, which are used for a station s unicast traffic Although the station must support the AP s basic rates, during the association process the station and the AP will select a data rate for their transmissions. Because this data rate will be based on the Received Signal Strength (RSS, the strength of the signal over the background noise when the signal reaches the receiver) of their transmissions, the selected data rate depends on factors that affect the RSS. These factors include: Attenuation due to the distance between the station and the AP As a radio wave is propagated through space, the strength of the signal fades. Therefore, even though the AP uses a constant transmit power, the RSS at the station decreases the farther the station is from the AP. Obstacles Obstacles such as shelves and walls (particularly metal, concrete, and brick walls) can weaken the signal significantly. When obstacles intervene between a station and its AP, the data rate can be low even when the station is relatively close to the AP. Interference Other devices operating on the same channel as, or a channel close to, your devices cause interference or background noise. Because RSS is the signal strength over background noise, high interference decreases the RSS and data rate. In effect, the AP s range is decreased. Rev

28 Getting Started with HP Wireless Networks Data rate versus actual throughput Figure 1-19: Data rate versus actual throughput Although a station s selected data rate determines the rate at which it sends and receives data, the station s actual throughput is considerably less for several reasons. Shared medium A single AP radio might support many stations. However, only one device can transmit at a time. Therefore, the total bandwidth is effectively divided between the stations. In addition, collisions and methods for avoiding collisions cut into the time available for actual data transmission. Overhead All devices connected to an AP radio must be able to receive certain transmissions, including management frames, control frames, broadcast frames, and multicast frames. Therefore, these frames are always transmitted at a lower data rate called the basic rate, which all stations are required to support in order to connect to the AP. Management frames Frames dictated by the standard that help stations and APs establish and maintain connections (for example, authentication, association, and disassociation frames) Control frames Frames dictated by the standard that help stations and APs avoid collisions (for example, Request to Send [RTS] and Clear to Send [CTS] frames) Broadcast frames Frames sent to every device connected to the AP Multicast frames Frames sent to devices that have joined a particular multicast group 1 20 Rev

29 Wireless LAN Technologies Shaping the wireless signal Directional antenna Omnidirectional antenna Figure 1-20: Shaping the wireless signal You have learned about some of the factors that can change a radio s coverage area and affect transmission speeds. You will now learn how you can use antennas to deliberately shape the signal s coverage area, thereby directing the wireless signal in specific directions. Different types of antennas focus the signal in a specific way. For example, an omnidirectional antenna directs the signal equally in all horizontal directions, but a directional antenna directs the signal along a specific, usually conical path. Rev

30 Getting Started with HP Wireless Networks Three dimensions Figure 1-21: Three dimensions Wireless signals are three dimensional, so signals will extend horizontally across a floor in a building and vertically between floors in a building. Again, the spread of the signal depends on the type of antenna. For example, with an omnidirectional antenna, the horizontal pattern appears circular. The vertical signal, however, is more flattened, as you can see in Figure Rev

31 Wireless LAN Technologies Summary: Wireless LAN Technologies In this module, you learned about the a/b/g/n standards and the basic factors you should consider when selecting the standards you will use on your network. Additionally, you learned about the factors that affect coverage and transmission rates, and you learned that you can use antennas to shape the wireless signal. Rev

32 Getting Started with HP Wireless Networks PAGE INTENTIONALLY LEFT BLANK 1 24 Rev

33 Basics of WLAN Configuration Review Module 2 Objectives In Module 1, you learned about the standards that are used to establish the radio signals for wireless networks. In this module, you will learn about the guidelines that control how wireless networks are set up and accessed. Once you understand these guidelines, you will learn about the different types of wireless devices and WLAN architectures that can be used to implement wireless networks. After completing this module, you will be able to: Describe the association process and frame types Define Basic Service Set Identifier (BSSID), Extended Service Set Identifier (ESSID), and Service Set Identifier (SSID) Define types of wireless devices (such as controllers, access points [APs], thin APs, fit APs, fat APs, and wireless bridges) Describe WLAN architecture options (such as standalone, controlled, and optimized WLAN) Rev

34 Getting Started with HP Wireless Networks Lesson 1: Introduction This lesson introduces you to standard wireless networks, including: Ad hoc mode Infrastructure mode In-cell relay mode (wireless bridging) It also outlines the authentication and association process, which enables a station to access a wireless network. 2 2 Rev

35 Basics of WLAN Configuration Ad hoc network Figure 2-1: Ad hoc network An ad-hoc network includes two or more stations that communicate directly with each other using wireless transmissions. Each station in an ad-hoc network receives every frame transmitted. To avoid collisions and prevent the loss of data, stations use Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). CSMA/CA reduces collisions because stations listen for other transmissions before they attempt to start transmitting data. If another station is sending data, the listening station waits. If there are no transmissions, the listening station starts to send its own data. Ad-hoc networks are sometimes referred to as Independent Basic Service Set (IBSSs) because they do not require a connection to a wired network. Inexpensive and easy to establish, such networks are used most often for exchanging files in small meeting areas when access to the wired network is not necessary or not possible. Rev

36 Getting Started with HP Wireless Networks Infrastructure mode Figure 2-2: Infrastructure mode The most common implementation for wireless networks is the infrastructure mode. In this mode, an AP establishes the wireless network and handles all communications from wireless stations that associate with it. The AP also controls the data rates for the network, and depending on the WLAN architecture used, enforces security settings and other settings such as quality of service (QoS). WLAN architectures determine which type of wireless devices establish and manage the wireless network and where wireless data is bridged onto the wired network. You will learn more about WLAN architectures in Lesson 2 in this module. In addition to connecting wireless stations to each other, the AP is connected to a wired network. As the interface between the wired and the wireless network, the AP receives wireless traffic from stations and forwards it on to the wired network. Likewise, the AP receives and forwards traffic that is being sent from the wired network to the wireless stations. 2 4 Rev

37 Basics of WLAN Configuration In-cell relay mode Figure 2-3: In-cell relay mode In-cell relay mode is used to connect two or more network segments over a wireless connection. The segments can be different segments of a LAN or unconnected wireless networks. For example, if a company s IT department wants to connect the LANs in two buildings, they could use two APs, operating in in-cell relay mode, rather than trying to run cable for a wired connection between the buildings. This mode might also be called wireless bridging, Wireless Distribution System (WDS), or local mesh. Rev

38 Getting Started with HP Wireless Networks BSS and BSSID Figure 2-4: BSS and BSSID The rest of this lesson will focus on guidelines for the infrastructure mode because it is the mode that you will encounter most often. In this mode, an AP and the station or stations connected to it compose a Basic Service Set (BSS). Each BSS has a unique, 48-bit identifier called the BSSID, which is usually the MAC address of the AP s radios. Every frame transmitted to and from the stations in a BSS contains the BSSID in the frame header, identifying the frame as belonging to a particular AP s coverage area. Thus the BSSID distinguishes one BSS from others and increases efficiency by allowing the AP and stations to ignore frames not belonging to their BSS. When a new station joins the BSS, it appends the AP s BSSID to all frames as the receiver address in the header. 2 6 Rev

39 Basics of WLAN Configuration ESS and ESSID Figure 2-5: ESS and ESSID Two or more BSSs compose an Extended Service Set (ESS). Like the BSS, each ESS has a unique 48-bit identifier. The Extended Service Set Identifier (ESSID) is commonly called the SSID, or network name. To access a wireless network, users select this SSID in their wireless client utility. The SSID is included in the header of every frame transmitted on a wireless network. Note In Figure 2-5, the BSSs are visually separated, but typically the BSSs overlap to allow users to roam without losing their wireless connection. Rev

40 Getting Started with HP Wireless Networks WLAN Figure 2-6: WLAN An ESS can also be called a wireless LAN (WLAN). A WLAN defines a broadcast domain. That is, everyone who accesses the WLAN will receive all the broadcast frames. The WLAN also defines various settings for the ESS such as the SSID and security options. WLANs on wireless networks can be compared to VLANs on Ethernet networks: they divide users into different groups, steering each user toward the appropriate resources and access levels. Just as VLANs on a switch effectively transform the switch into several virtual switches, WLANs on an AP effectively divide the AP into several virtual APs, each providing a separate network connection to a group of mobile users. IT managers can exercise a great deal of control over wireless access through carefully planned WLAN options. 2 8 Rev

41 Basics of WLAN Configuration Open versus closed WLANs Figure 2-7: Open versus closed WLANs The standard specifies two types of systems open and closed. In an open system, such as a public hotspot, APs send beacon frames to advertise the SSID at regular intervals. Because anyone with a wireless device can join the WLAN, open systems are typically used for public networks. In a closed system, APs do not advertise the SSID (although it is still included in plaintext in the header of every frame transmitted within the WLAN). A closed system is intended to limit access to users who know the SSID. If an AP supports only closed system WLANs, stations within range may detect its radio signal, but their client utilities will not display any available wireless networks. To join a network, users must manually configure their wireless configuration utility with the correct SSID. In practice, however, a closed system does not provide much security. Applications that can discover the SSIDs in closed systems are readily available. Rev

42 Getting Started with HP Wireless Networks Active and passive scanning Active scanning Passive scanning Figure 2-8: Active and passive scanning To determine which APs are in range and which WLANs those APs support, a station uses a process called scanning. A station can scan for APs in two ways: Active scanning In active scanning (also called probing), stations send probe request frames on a particular channel. APs that are within range and operating on that channel respond with a probe response frame. This response frame contains information about the APs SSIDs (for open systems), capabilities, data rates, and so on. Passive scanning In passive scanning, stations listen for beacon frames from APs within range. APs broadcast beacons at regular intervals. These management frames contain: Radio settings Capabilities SSID Time stamps Other data Stations can listen for beacon frames on all supported channels. This type of passive scanning is called sweeping. If multiple APs are within range, the station chooses which one to associate with based on signal strength. At the same time, the station builds a table to keep track of SSIDs and other connection data. If the station changes location, it can more quickly reconnect to another AP that supports the correct SSID using the data compiled in the table Rev

43 Basics of WLAN Configuration Authentication and association process Figure 2-9: Authentication and association process When a station performs a scan (active or passive) and finds an AP within range, it can begin the process of joining a WLAN, as outlined in the standard. As shown below, this process includes two main parts: authentication association Rev

44 Getting Started with HP Wireless Networks Open system authentication Figure 2-10: Open system authentication Open-system authentication allows any station to be validated by the AP. A station first sends an authentication request frame, which contains its MAC address and a value that indicates that it is using open-system authentication. The AP sends an authentication response frame that contains the result of the request, which is typically successful authentication. Although the station is authenticated, it is not yet associated. It cannot send data onto the wireless network Rev

45 Basics of WLAN Configuration Shared-key authentication Figure 2-11: Shared-key authentication With shared-key authentication, each device must first prove to the AP that it has the correct key and should be granted network access. The device then uses this key to encrypt data it transmits and to decrypt data it receives. Likewise, the AP uses the same key to encrypt and decrypt data. Shared-key authentication uses Wired Equivalent Privacy (WEP) as the encryption algorithm. The steps of shared-key authentication are as follows: 1. The station sends an authentication request frame, containing the station s MAC address and a value indicating shared-key authentication. 2. The AP issues a response frame containing challenge text a 128-byte, randomly generated data stream. 3. Using the key it should already possess, the station encrypts the challenge text from the AP and sends it back. 4. Using the same key, the AP decrypts the challenge text received from the station. If the decrypted challenge text matches the challenge text that was sent in the second frame, the authentication is successful. The final frame in the exchange indicates authentication success or failure. Rev

46 Getting Started with HP Wireless Networks Limitations of shared-key authentication Figure 2-12: Limitations of shared-key authentication Shared-key authentication (which is also called static WEP) is seldom used because it opens a security hole. Because the AP sends the challenge in plaintext and the station encrypts it, a hacker can obtain a segment of plaintext and the equivalent ciphertext. Then the hacker can reverse engineer the keystream and gain access and even crack the key. Almost all wireless networks now use open authentication and then enforce another form of authentication after the station has completed the association. As you will learn in the next module, you have several options for implementing supplemental authentication Rev

47 Basics of WLAN Configuration association Figure 2-13: association If the authentication (whether open system or shared key) is successful, the station sends an association request frame to the AP, which can accept or reject the request. If it accepts the association, the AP assigns an association ID to the station and allocates RAM and other resources to the connection. The AP registers the station on the network so that frames destined for the new station are sent to the correct AP for processing. If no supplemental authentication is in place, the station is now authenticated and associated and is a part of the network. The station is allowed to transmit data frames, and the AP begins to process frames for it. The association remains active until it is terminated by either party. Stations cannot associate with more than one AP at a time. They can, however, roam and re-associate to a new AP in the same WLAN. Rev

48 Getting Started with HP Wireless Networks Lesson 1: Summary In this lesson, you learned about the three modes for wireless networks: ad hoc mode, infrastructure mode, and in-cell relay mode. You then learned more about the guidelines for establishing an infrastructure mode network, including the authentication and association process. Finally, you learned that because authentication is not secure enough to protect wireless networks, supplemental authentication measures were created. (Module 3 describes these security measures in more detail.) 2 16 Rev

49 Basics of WLAN Configuration Lesson 2: Introduction This lesson describes the wireless devices that are used to establish wireless networks APs, WLAN access controllers, and wireless bridges. It then outlines the WLAN architectures that determine how APs work independently or together in a controlled solution. Rev

50 Getting Started with HP Wireless Networks Standalone and controlled APs APs can operate in standalone or controlled modes. Figure 2-14: Standalone and controlled APs Because wireless access has become both a business and consumer requirement, APs are as recognizable as the RJ45 jacks connecting stations to a wired network. APs can operate in one of the following modes: Standalone APs are managed individually through a Web browser interface or a command-line interface (CLI). These intelligent APs establish the wired network, enforce security settings (including encrypting and decrypting traffic), and bridge traffic onto the wired network. Standalone APs may also be called autonomous or fat APs. Controlled APs are managed and configured through a WLAN access controller. Like standalone APs, controlled APs establish the wireless network. Depending on the type of AP and the WLAN architecture used, however, controlled APs can provide other functions as well (as you will learn in this lesson) Rev

51 Basics of WLAN Configuration Controlled APs There are two basic types of controlled APs: Thin APs, which forward all traffic to the controller for processing Intelligent or fit APs, which can perform functions as dictated by the controller There two basic types of controlled APs: Figure 2-15: Controlled APs Thin APs establish the wireless network and forward all traffic to the controller for processing. The controller provides all the intelligence for the wireless network. Intelligent, or fit, APs establish the wireless network but can perform other functions, as dictated by the controller and the WLAN architecture used (as you will learn later in this lesson). Rev

52 Getting Started with HP Wireless Networks WLAN access controllers Figure 2-16: WLAN access controllers WLAN access controllers are used to configure and manage multiple APs. In addition to automating the deployment of APs and distribution of software updates, controllers allow you to centrally define security, QoS, and other policies, ensuring that a consistent set of services is delivered throughout the network. Some of HP s WLAN access controllers are shown in Figure You ll learn more about HP s controllers in Modules 4 and Rev

53 Basics of WLAN Configuration Wireless bridge Figure 2-17: Wireless bridge A wireless bridge accepts traffic on one interface (typically an Ethernet interface) and bridges it out a wireless radio and vice versa. Wireless bridges can be used to connect two networks. In addition, wireless bridges are used to provide wireless connectivity for a device that has an Ethernet network adapter, or NIC, but no wireless one. Rev

54 Getting Started with HP Wireless Networks WLAN architectures Figure 2-18: WLAN architectures APs and WLAN access controllers can be deployed using one of following WLAN architectures: Standalone Centralized Optimized WLAN The next few pages describe these architectures and explain the environments for which each one is best suited Rev

55 Basics of WLAN Configuration Standalone WLAN architecture APs are deployed, configured, and managed separately. There is no centralized controller. Figure 2-19: Standalone WLAN architecture The standalone WLAN architecture meets the needs of organizations that require wireless access for a limited number of APs or in a limited geographic area. With this architecture, APs are deployed, configured, and managed separately. There is no centralized controller. Rev

56 Getting Started with HP Wireless Networks Centralized WLAN architecture All wireless data traffic must be forwarded to the controller. Network performance can suffer. Figure 2-20: Centralized WLAN architecture If organizations need to deploy a number of APs, managing them separately can become time consuming and labor intensive. The centralized WLAN architecture was designed to solve these issues. In a centralized WLAN architecture, you access and configure the centralized controller, or WLAN access controller. The centralized controller and each thin AP exchange WLAN management traffic. The simplified network diagram in Figure 2-20 shows the beginnings of the limitations of the centralized WLAN architecture. Because all wireless data traffic must be forwarded to the controller before it can be distributed to its final destination, the centralized architecture can significantly increase the traffic on, and add latency to, the wired network. As more user traffic is added to the network, particularly if the APs support n, network performance can be negatively affected Rev

57 Basics of WLAN Configuration Optimized WLAN architecture All the benefits of a WLAN access controller and Flexibility in how traffic is distributed Flexibility in how authentication and access control are applied Figure 2-21: Optimized WLAN architecture HP uses the optimized WLAN architecture an architecture that capitalizes on the strengths of the centralized WLAN architecture while overcoming its limitations. With the optimized WLAN architecture, you still have all the benefits of configuring and managing APs from a WLAN access controller. However, you also have much more flexibility in how traffic is distributed onto the wired network and how authentication and access control measures are applied. Rev

58 Getting Started with HP Wireless Networks Distributing traffic Distributed forwarding Centralized access control Distributed forwarding with centralized authentication Figure 2-22: Distributing traffic The intelligent or fit APs in a WLAN optimized architecture can be configured in one of two ways: Bridge users wireless traffic directly onto the wired network Forward users wireless traffic to the controller, which then acts as the gateway between the wireless and wired network Some APs can also authenticate users and apply access controls, while other APs rely on the controller to provide these functions. You will learn more about how different APs and controllers implement the optimized WLAN architecture in Modules 4 and 5. For now, you can view the different forwarding methods in Figure 2-22: Distributed forwarding Distributed forwarding with centralized authentication Centralized access control The optimized WLAN architecture allows you to control how traffic is authenticated and distributed onto the wired network. For example, you may want APs to send guests wireless traffic directly to the controller. The controller can prevent guests from accessing the private network but allow them to reach the Internet. You may also want APs to bridge employees data directly onto the wired network because that traffic pattern is more efficient Rev

59 Basics of WLAN Configuration Lesson 2: Summary In this lesson, you learned about standalone and controlled APs. Although standalone APs may meet the needs of small installations, the vast majority of businesses will quickly realize the benefits of using a WLAN access controller to configure and manage multiple APs. You were also introduced to three different WLAN architectures and learned the specific advantages of using HP s optimized WLAN architecture. Rev

60 Getting Started with HP Wireless Networks Lesson 3: Introduction When you plan your wireless network, you must determine how to power the APs. All HP APs can be powered through Power over Ethernet (PoE). PoE enables devices to receive power over the same Ethernet cable that connects them to the network. In fact, some can be powered only by PoE; they cannot be powered by an AC or DC power source. In this lesson, you will learn about the standards that govern PoE and the reasons you might use PoE to power your APs Rev

61 Basics of WLAN Configuration PoE standards IEEE has defined two PoE standards: 802.3af 802.3at Figure 2-23: PoE standards The original PoE standard, 802.3af, allows each device to receive up to 15.4 watts of power. The enhanced PoE+ standard, 802.3at, allows each device to receive up to 25 watts. Many devices support PoE, but some devices such as n APs, video phones, touch-screen devices, and pan-tilt-zoom (PTZ) security cameras might need more than 15 watts of power and require PoE+. Rev

62 Getting Started with HP Wireless Networks PoE support in HP switches Figure 2-24: PoE support in HP switches Infrastructure devices such as switches can provide PoE or PoE+ to multiple devices, or you can use a specialized device called a PoE injector to power one device. HP Networking offers both switches and WLAN access controllers that provide PoE and PoE+. A small sample of these PoE-enabled devices is shown in Figure (Check the HP Web site for more detailed information.) 2 30 Rev

63 Basics of WLAN Configuration Advantages of using PoE and PoE+ PoE and PoE+: Are cost effective Allow for remote system monitoring Provide networking freedom Figure 2-25: Advantages of using PoE and PoE+ Using PoE/PoE+ to power devices has several advantages: PoE/PoE+ can make deployments of new devices less costly. For example, deploying devices such as APs or IP video security cameras is less expensive if you do not have to wire remote locations for both power and Ethernet. PoE/PoE+ enables you to remotely monitor and control power to devices. For example, if you need to power cycle a device to force a reboot, you can do so from the switch that is providing power. PoE/PoE+ provides more freedom in device placement; you are not limited to locations where an AC outlet is nearby. Keep in mind that these advantages are provided by standards-based PoE/PoE+ products such as those offered by HP. Rev

64 Getting Started with HP Wireless Networks Lesson 3: Summary This lesson introduced the two industry standards for providing PoE: 802.3af and 802.3at. All HP APs can be powered by PoE, which is provided by a switch, WLAN access controller, or PoE injector. Using PoE to power APs provides a number of advantages. For example, you don't have to install APs near a power source, and you can more easily power cycle them Rev

65 WLAN Security Basics Review Module 3 Objectives Implementing a wireless network can provide convenient, anytime, anywhere access for your company s customers, partners, and employees. Unless you carefully configure security for that wireless network, however, this access may extend to anyone whether or not you want that person to access your network. In this module, you will learn about the options currently available for securing wireless networks. You will learn the advantages and disadvantages of each option and identify those that are most secure. After completing this module, you will be able to: Describe the security challenges created by wireless networks Compare and contrast the options for encryption of wireless traffic (Wired Equivalent Privacy [WEP] and Wi-Fi Protected Access [WPA/WPA2]) Compare and contrast technologies used to provide authentication on wireless networks, including Web-Auth, MAC-Auth, and 802.1X Rev

66 Getting Started with HP Wireless Networks Unsecured wireless networks Figure 3-1: Unsecured wireless networks Wireless networks are inherently insecure because transmissions are sent over a shared medium the AP s radio. Unless security measures are taken, anyone can access a wireless network. And because transmissions are transmitted in clear text, anyone with an compliant device can intercept and read the wireless transmissions. They can even tamper with the transmissions, changing them in some way. 3 2 Rev

67 WLAN Security Basics Authentication, data privacy, and integrity The hacker may access: Passwords Confidential records Personal data Figure 3-2: Authentication, data privacy, and integrity To completely secure wireless transmissions, you need to implement a security option that provides: Authentication, which ensures that only authorized users access the network Data privacy, which ensures that only the intended recipient can read the data, preventing other users from reading it Data integrity, which protects data from being tampered with before it reaches the intended recipient Rev

68 Getting Started with HP Wireless Networks Security options overview Figure 3-3: Security options overview You have several options for securing a wireless LAN (WLAN) some that enforce only authentication and some that enforce authentication and provide data privacy and data integrity. The option you select depends on the needs of the company and the users who access the WLAN. For example, to protect your company s data, you may want to use the strongest security option for WLANs that are accessed by employees. Because guests are not allowed to access your company s internal network, however, you don t need to protect their transmissions, so you may use a less secure option for the WLAN s guest users access. 3 4 Rev

69 WLAN Security Basics MAC-Auth Advantages Figure 3-4: MAC-Auth One of the first restrictions you can place on wireless access is to filter authentication requests based on a frame s media access control (MAC) address. When MAC authentication, or MAC-Auth, is enabled, frames are accepted or rejected based on their MAC address. MAC-Auth can be enabled in different ways. Some APs and controllers use allowed or blocked lists of MAC addresses. Other APs and controllers check MAC addresses against either their local database of user accounts or against an external RADIUS server s database. In this case, the MAC address is typically both the username and password in the account. MAC-Auth requires no configuration or special software on the device attempting to access the wireless network. Because all devices must include their MAC address in the access request, all devices can be controlled through MAC-Auth. In fact, many vendors support MAC-Auth because it is the only option for devices that do not have a user interface or support 802.1X. MAC-Auth can also be combined with other authentication methods, strengthening the level of security it provides. Disadvantages MAC-Auth has several disadvantages. First, this authentication method can be compromised because MAC addresses are easily spoofed. Second, tracking and entering MAC addresses can be both tedious and labor intensive. Third, this authentication method is hardware based not user based. As a result, you cannot use it to grant users different levels of access. Rev

70 Getting Started with HP Wireless Networks WEP WEP has two methods of authentication: WEP key (static WEP) 802.1X (dynamic WEP) Figure 3-5: WEP The standard s first attempt to secure wireless transmissions was Wired Equivalent Privacy (WEP). To make wireless security equal to that of a wired network, WEP was designed to provide authentication, data privacy, and data integrity. With WEP, all stations encrypt frames with a secret key before transmitting them to the AP. The AP uses the same key to decrypt the frame. Similarly, the AP encrypts all traffic destined to the station with the key. For simplicity, the example illustrated above shows a standalone AP. In controllerbased wireless solutions, stations may make associations with the AP or the controller, depending on the implementation. If the association is made with the controller rather than the AP, the controller encrypts and decrypts traffic. WEP has two methods of authentication: WEP key (static WEP), in which a secret key shared by all stations associated with the AP acts as de facto authentication. (If the AP receives a frame it cannot decrypt, it simply drops that frame.) 802.1X (dynamic WEP), in which users authenticate individually to a network RADIUS server and receive individual secret keys. A RADIUS (Remote Authentication Dial-In User Service) server can store and manage user and device information in a central database. It uses this information to approve or deny users access to the network and resources on that network. (You will learn more about 802.1X and other security measures used with it later in this module.) Unfortunately, WEP failed to live up to the promise of its name. It was cracked almost immediately, making it a dubious choice for either consumers or businesses. 3 6 Rev

71 WLAN Security Basics WEP advantages and disadvantages Advantages Encrypted data Controls user access (static WEP) g g User based authentication (dynamic WEP) Advantages Figure 3-6: WEP advantages and disadvantages Despite its shortcomings, WEP has some advantages over MAC-Auth, which by itself is even less secure. Although WEP s weaknesses are well-publicized, it does at least encrypt the wireless data. This makes it a more secure option than MAC-Auth, which enforces only authentication. Static WEP also controls which users can send and receive data (because these users must have the key). Dynamic WEP provides user-based authentication and less easily cracked keys (because each user has his or her own). Disadvantages Disadvantages Algorithm has limitations Requires RADIUS server (dynamic WEP) The WEP algorithm has severe limitations. Applications that crack WEP are readily available on the Internet, and hackers need only a small sample of data to successfully use these applications to infiltrate a wireless network. Dynamic WEP is more difficult to configure because it requires a RADIUS server. In addition, it is less secure than other methods that use 802.1X. Rev

72 Getting Started with HP Wireless Networks Development of WPA and WPA2 Figure 3-7: Development of WPA and WPA2 After WEP was compromised, the IEEE i taskforce began to create a new standard that was more secure. Because companies could not wait until the new standard was completed, however, the Wi-Fi Alliance designed Wi-Fi Protected Access (WPA) as an interim solution. WPA meets only the first part of the i standard. It provides backward compatibility for equipment designed to support WEP while substantially strengthening security. WPA2 was created to meet the complete i standard. 3 8 Rev

73 WLAN Security Basics Authentication options for WPA and WPA2 Figure 3-8: Authentication options for WPA and WPA2 Both WPA and WPA2 include encryption and authentication algorithms to provide data privacy and data integrity. However, the WPA2 algorithms are more secure. Therefore, WPA2 should be used if users stations support it. When using WPA or WPA2, you have two authentication options: Preshared keys 802.1X You will learn more about these options on the next few pages. Rev

74 Getting Started with HP Wireless Networks WPA/WPA2-PSK After association, the station submits a preshared key. Key: A5729BC226 Key: A5729BC226 When the preshared keys match, the station can transmit and receive data over the wireless network. Key: A5729BC226 Key: A5729BC726 If the keys do not match, the station cannot transmit and receive data over the wireless network. Figure 3-9: WPA/WPA2-PSK With WPA/WPA2-Pre-Shared Key (WPA2-PSK), all the users accessing the WLAN share the same key. Before a station can submit the pre-shared key for approval, it must first associate with the AP (as you learned in Module 2: Basics of WLAN Configuration). Once the station is associated, it submits the pre-shared key. If this key does not match the one configured for the WLAN, the station cannot transmit or receive data on the wireless network Rev

75 WLAN Security Basics WPA/WPA2-PSK advantages and disadvantages Advantages Best data privacy available More secure than WEP Easy to configure Advantages Figure 3-10: WPA/WPA2-PSK advantages and disadvantages Like other wireless security options, WPA/WPA2-PSK has advantages and disadvantages. WPA2 provides the best data privacy and integrity measures available for wireless networks. WPA is less secure but still provides much stronger security than WEP. In addition, WPA/WPA2-PSK is easy to configure and does not require a RADIUS server (as 802.1X does). Disadvantages Disadvantages Weak authentication Not user based WPA/WPA2-PSK s weakness is its authentication. Because all users share the key, it is more likely that someone will leak, or give, that key to an unauthorized user. In addition, this security option is not user based. That is, you cannot grant users who access the WLAN different levels of access. Rev

76 Getting Started with HP Wireless Networks WPA/WPA2 with 802.1X In this example, the authenticator is the WLAN access controller. Figure 3-11: WPA/WPA2 with 802.1X 802.1X enforces user-based authentication, making sure that only authorized users are allowed to authenticate to the network. It further allows you to enforce a particular level of access for each user. For example, a user in the Marketing group could receive different access rights than an executive at the same company X requires three participants in the authentication process: Supplicant The supplicant is the station that is requesting access to the network. Authenticator The authenticator controls access to the network, preventing the supplicant from transmitting data onto the network until it has successfully authenticated. On a wireless network, standalone or fat APs operate as the authenticators. Controlled APs may operate as authenticators or rely on the controller to perform this function. In Figure 3-11, the authenticator is the WLAN access controller because the WLAN is configured for centralized authentication. APs forward all user authentication requests to it. (However, the APs can still distribute users data directly on to the wired network.) Authentication server The authentication server makes access decisions based on whether or not the user supplies valid authentication credentials. The authentication server is often a RADIUS server, which could be an external server (such as the Microsoft Network Policy Server [NPS]) or the WLAN access controller s internal RADIUS server (if the controller includes one). When a station associates with a WLAN that is protected by WPA/WPA2 with 802.1X, the AP or the controller immediately blocks all transmissions, except those used to authenticate the station. The exact authentication process varies, depending on the 802.1X options configured for the WLAN. What you need to know for this course is that the authenticator in this case, the controller forwards the user s credentials to the RADIUS server. This server, in turn, notifies the authenticator whether or not the user is authorized Rev

77 WLAN Security Basics If a user authenticates successfully, his or her station is allowed to transmit data onto the wireless network. Transmissions are encrypted and protected, according to the WPA or WPA2 specifications. Rev

78 Getting Started with HP Wireless Networks WPA/WPA2 with 802.1X advantages and disadvantages Advantages Provides strongest security User based access Best data privacy measures (WPA2) Advantages Figure 3-12: WPA/WPA2 with 802.1X advantages and disadvantages There are advantages and disadvantages to using WPA/WPA2 with 802.1X. WPA/WPA2 with 802.1X provides the strongest security for wireless networks X prevents anyone from transmitting or receiving any data on the network until he or she has authenticated successfully. Further, 802.1X provides user-based authentication, allowing you to grant users different levels of access. WPA2 also provides the best data privacy and integrity measures available for wireless networks. WPA is less secure but still provides much stronger security than WEP. Disadvantages Disadvantages Requires RADIUS server Must be configured precisely Must have an 802.1X supplicant 802.1X has more requirements than other security options. For example, your network must include a RADIUS server that supports 802.1X options for wireless networks, and you must configure that server correctly to support the WLANs protected by 802.1X. In addition, the station must have an 802.1X supplicant, and some user setup is required for that supplicant Rev

79 WLAN Security Basics Web-Auth Web Auth allows users to access a wireless network through their own web browsers. Figure 3-13: Web-Auth Web authentication, or Web-Auth, enables users to access the wireless network through their familiar Web browser. Because no client software is required, this solution is typically used for guests and partners. Web-Auth can simply direct users to a welcome page (if no login credentials are required) or to a login page that prompts users to enter a username and password. Some solutions also allow users to pay a subscription fee and create their own accounts. Web-Auth provides user-based authentication, and depending on the user's credentials, the AP or controller might implement various forms of access control on the user. Web-Auth can also be combined with WEP or WPA/WPA2 to provide data privacy and integrity. Rev

80 Getting Started with HP Wireless Networks Web-Auth advantages and disadvantages Advantages Figure 3-14: Web-Auth advantages and disadvantages Although Web-Auth has significant advantages particularly for providing guest access it does have some disadvantages. Web-Auth does not require a special client. Any station can authenticate on a WLAN that uses Web-Auth as long as the user has a legitimate username and password and a Web browser. Web-Auth also allows you to open parts of your network to guests by providing limited access to unauthenticated users. In addition, Web-Auth provides userbased authentication. Disadvantages Advantages Does not require a special client User-based authentication Provides limited access to unauthenticated users Disadvantages Does not require encryption (it is optional) Cannot authenticate devices that do not have a Web browser interface Web-Auth does not require encryption although encryption is an option on some wireless devices. Because Web-Auth requires interaction with the user, you cannot use it to authenticate stations or devices that do not have a Web browser interface Rev

81 WLAN Security Basics Wireless security options at a glance Authentication Method y p Encryption Option Security Option Figure 3-15: Wireless security options at a glance Recommendation Shared-Key WEP Static WEP X WPA/WPA2-PSK for WPA/WPA2 WPA/WPA-PSK small companies 802.1X WEP Dynamic WEP WPA/WPA2 with WPA/WPA X preferred WPA/WPA2 with 802.1X Web-Auth None Web-Auth Typically used for guests; optional WEP Web-Auth encryption secures with static WEP wireless transmissions WPA/WPA2 Web-Auth with WPA/WPA2-PSK MAC-Auth Does not provide encryption, but can be Adds some security to combined with other security options methods such as WPA/WPA2-PSK X Not recommended Acceptable in some circumstances Most secure In this module, you have learned about the options for authenticating users on wireless networks and ensuring data privacy and integrity. These options are summarized in the table above. Rev

82 Getting Started with HP Wireless Networks Module 3: Summary Now that you understand the security options for wireless networks, you can better plan the WLANs for your company. You can evaluate which resources and information each group of users will access and select the appropriate security option for the WLAN that group will access Rev

83 HP E-MSM Solutions for SMBs Review Module 4 Objectives In this module, you will learn what small-to-medium businesses (SMBs) require from their wireless networks. You will then be introduced to the HP E-Series wireless products and learn how these products meet these SMB requirements. After completing this module, you should be able to: Describe the mobility needs of SMBs Describe the HP E-Series wireless products Explain how E-Series solutions meet the needs of SMBs Rev

84 Getting Started with HP Wireless Networks SMB requirements Figure 4-1: SMB requirements SMBs rely on their network to help them stay ahead of the competition. To provide the applications and services they need, they are expanding their networks to support voice, data, and video. Wireless access has been and will continue to be an important gateway into this converged network. As important as technology is to SMBs, they have limited budgets and IT resources to devote to managing a converged network. The network must therefore be easy to manage and secure. In particular, the IT staff must be able to enforce appropriate levels of security for each type of user whether that user accesses the network from a wired or wireless connection. 4 2 Rev 10.41

85 HP E-MSM Solutions for SMBs HP E-Series Figure 4-2: HP E-Series The HP E-Series wireless products provide the features required by SMBs. For example, they fit easily into a wired network, integrating with an organization s existing security infrastructure. As a result, users can move anywhere within the network and get consistent or customized access from a wireless connection. Some SMBs will want users to receive access to the same network resources no matter how the users access the network. Other SMBs may want users to receive access to limited network resources when they access the network from a wireless connection. E-Series wireless products support both approaches. To meet SMBs requirements for manageability, the E-Series APs can be configured and managed through a controller, using a Web browser interface. SMBs also have the option of grouping up to five controllers in a team and managing them through one interface. Such teams also provide scalability and redundancy. Or, SMBs can manage controllers or APs in the context of their E-Series wired products. By adding HP Mobility Manager to HP PCM+, they can manage E-Series wired and wireless products from the same management console. HP PCM+ is a Simple Network Management Protocol (SNMP) platform that supports E-Series wireless products and E-Series switches that run the classic HP software. (Some E-Series switches run Comware software and can be managed through HP Intelligent Management Center [IMC], in addition to their own management interfaces.) HP Mobility Manager is a PCM+ add-on that allows you to configure and manage E-Series wireless devices. It also provides RF planning and modeling. Rev

86 Getting Started with HP Wireless Networks E-Series AP overview Figure 4-3: E-Series AP overview You will now learn about the wireless products that are included in the E-Series, starting with the APs. You will also learn about the HP Multi-Service Mobility (MSM) access device, the wireless sensor, and the client bridge. Finally, you will be introduced to the three controllers that are part of this series. 4 4 Rev 10.41

87 HP E-MSM Solutions for SMBs HP E-MSM4xx APs E-MSM422 E-MSM410 Figure 4-4: HP E-MSM4xx APs There are two E-MSM4XX APs the E-MSM422 and the E-MSM410 and both support n. Both can operate as controlled or autonomous APs. Table 4-1: HP E-MSM4xx APs AP model Radio (s) Power Local Mesh Antennas E-MSM422 1 ( a/b/g/n) 1 ( a/b/g AC PoE Yes 3 internal omnidirectional (802.11a/b/g/n radio) 2 internal omnidirectional (802.11a/b/g radio) 4 connectors E-MSM410 1 (802.11a/b/g/n) PoE Yes 3 internal omnidirectional Note A local mesh is HP s implementation of a wireless bridge. (A wireless bridge is also sometimes called a wireless distribution system, or WDS.) Rev

88 Getting Started with HP Wireless Networks HP E-MSM3XX APs E-MSM325 E-MSM320 E-MSM335 E-MSM310 Figure 4-5: HP E-MSM3XX APs The E-MSM3XX APs support a/b/g. All of these APs operate in controlled mode or autonomous mode. Table 4-2: HP E-MSM3xx APs AP Model Radio(s) Power Outdoor Local Mesh Antennas Sensor E-MSM335 3 (802.11a/b/g) AC PoE E-MSM325 2 (802.11a/b/g) AC PoE E-MSM320 2(802.11a/b/g AC PoE E-MSM310 1 (802.11a/b/g AC PoE No Yes 6 internal omnidirectional 3 connectors No Yes 4 omnidirectional 4 connectors E-MSM320-R Yes 4 omnidirectional 4 connectors Ships with sensor license Ships with sensor license Can purchase license E-MSM310-R Yes 2 internal directional No 4 6 Rev 10.41

89 HP E-MSM Solutions for SMBs HP E-MSM317 Figure 4-6: HP E-MSM317 The E-MSM317 Access Device integrates wired and wireless connectivity. In addition to establishing an b/g wireless network, this access device provides four Ethernet ports and a pass-through RJ-45 connection for service and user connectivity. It has two directional diversity antennas. The E-MSM317 Access Device operates only in controlled mode and is powered by PoE. Rev

90 Getting Started with HP Wireless Networks HP E9552, E9152, E8760, E7760, and E-M110 APs E9552 E9152 E8760 E7760 E-M110 Figure 4-7: HP E9552, E9152, E8760, E7760, and E-M110 APs The E-Series also includes standalone, or fat, APs. The E-M110 AP always operates as a standalone AP. The E9552, E9152, E8760, and E7760 APs, on the other hand, ship as standalone APs but can later be converted to controlled, or fit, APs. When converted to controlled APs, they are managed by A-Series controllers. (See Module 5 for information about these controllers.) The table below provides more information about these APs. Table 4-3: HP E9552, E9152, E8760, E7760, and E-M110 APs Radio(s) Power Ethernet Ports AP Model Antennas E (802.11a/b/g/n) PoE or external E (802.11a/b/g/n) PoE or external E (802.11a/b/g) PoE or external* E (802.11a/b/g) PoE or external* E-M110 1 (802.11a/b/g) PoE or external Mode 1 10/100/ internal Fat 3 connectors 1 10/100/ internal Fat No 1 10/100 2 external Fat No 1 10/100 2 external Fat No 1 10/100 2 external 2 connectors Fat Plenum Rated No Yes *Ships with a PoE injector 4 8 Rev 10.41

91 HP E-MSM Solutions for SMBs HP E-MSM415 RF Security Sensor Figure 4-8: HP E-MSM415 RF Security Sensor The HP E-MSM415 RF Security Sensor is a dedicated RF security sensor. It works with the HP RF Manager Controller, a wireless intrusion detection/intrusion prevention system (WIDS/IPS) that checks traffic for threats. An IDS merely alerts you that an attack has been detected; an IPS can take action to mitigate the attack. The E-MSM415 s single a/b/g/n radio security sensor continuously scans the 2.4 and 5 GHz bands to detect and counter security threats for wireless devices and APs. The E-MSM415 RF Security Sensor shares the same form factor as the E-MSM410 AP. Rev

92 Getting Started with HP Wireless Networks E-M111 Client Bridge Figure 4-9: E-M11 Client Bridge HP also provides a solution for organizations that want to connect legacy Ethernet or serial devices to a WLAN. For example, organizations may want to connect a fax machine to a WLAN so that wireless users can send faxes. Rather than upgrade these legacy devices, organizations can connect them to the HP E-M111 Client Bridge, which provides a wireless signal and allows them to access a WLAN Rev 10.41

93 HP E-MSM Solutions for SMBs HP E-MSM Controllers E-MSM765 zl E-MSM760 Figure 4-10: HP E-MSM Controllers HP Networking offers several E-MSM Controllers. E-MSM710 The E-MSM765 zl is a module that can be installed in an HP E8200 zl or E5400 zl Switch. It ships with a Premium license that allows it to operate as a mobility controller (supporting Layer 3 roaming). This license provides support for other advanced features such as redundancy. You can purchase a Premium license for the E-MSM760 and the E-MSM710 to enable Layer 3 roaming and other advanced features on these WLAN controllers. These two are appliances rather than modules installed into an HP switch chassis. Rev

94 Getting Started with HP Wireless Networks Optimized WLAN architecture for E-Series Figure 4-11: Optimized WLAN architecture for E-Series With E-MSM controllers and APs, you can determine how wireless traffic is controlled and distributed on to the wired network. You have three options: Distributed forwarding The AP controls users access to the wireless network and distributes wireless traffic directly onto the wired network. Distributed forwarding is well suited for n deployments where high-speed wireless connectivity generates a great deal of traffic. Distributed forwarding with centralized authentication The E-MSM APs forward authentication traffic to the controller but handle all wireless data traffic transmitting it directly onto the network. One benefit of this approach is simplified RADIUS setup where IT time is at a premium or staff experience is limited. Centralized access control Acting as the gateway between the wireless and wired network, the controller handles both authentication and wireless data traffic. Centralized access control is typically used for guest access Rev 10.41

95 HP E-MSM Solutions for SMBs Module 4: Summary In this module, you learned about the challenges that SMBs face and how the HP E- Series MSM solutions are ideally suited to help them meet those challenges. For more information about these products, visit the HP Networking site at Rev

96 Getting Started with HP Wireless Networks 4 14 Rev 10.41

97 HP Networking Mobility for the Enterprise Review Module 5 Objectives In Module 4, you learned about the specific wireless needs of SMBs. In this module, you will learn what enterprises require to implement wireless networks for their complex, distributed environments. You will then be introduced to HP A-Series wireless solutions and learn how these solutions meet enterprise requirements. After completing this module, you should be able to: Compare and contrast the mobility needs of SMBs and enterprises Describe the HP A-Series wireless solutions and their roles in the enterprise wireless network Explain why HP A-Series wireless solutions are better suited for enterprise deployments than HP E-Series wireless solutions Rev

98 Getting Started with HP Wireless Networks Implement and manage a converged network Enterprises have: Complex WLAN needs Multiple locations Diverse user groups Enterprises need: A seamless converged network Ease of management Figure 5-1: Implement and manage a converged network Enterprises not only differ from SMBs in terms of the number of employees but also in their more complex wireless LAN (WLAN) manageability needs. Representing diverse industries, enterprises must manage WLANs across multiple locations. Enterprises have multiple branch offices and even multiple main offices, which might be located in different countries or provinces and states. These WLANs must fit seamlessly into a converged network that also supports voice, data, and video, providing a convenient way for users to access this network. The IT staff must be able to manage the entire converged network including WLANs from a single management console. 5 2 Rev 10.41

99 HP Networking Mobility for the Enterprise Manage users and control their access Figure 5-2: Manage users and control their access In addition, enterprise organizations must manage a large number of users who require access to different network resources. On a university campus network, for example, faculty, students, staff, and guests each have a distinct purpose for accessing the WLAN, and as such, their access must be appropriately managed and secured. Faculty and staff These users can access application servers and the Internet. Security required: Wi-Fi Protected Access 2 (WPA2) with 802.1X Students These users can access the university s intranet as well as the Internet. Security required: WPA/WPA2 with 802.1X Guests These users only have access to the Internet. Security required: Web-Auth Note The examples in this module show a simplified enterprise network. In a real-world environment, an enterprise network would include multiple locations and thousands of devices. Rev

100 Getting Started with HP Wireless Networks Future growth Figure 5-3: Future growth Enterprises also need wireless solutions that provide a platform for future growth. Such solutions must not only be able to scale to accommodate more users and their high-volume traffic but also support new services. 5 4 Rev 10.41

101 HP Networking Mobility for the Enterprise A-Series controllers Figure 5-4: A-Series controllers HP A-Series wireless solutions are designed for large-scale deployments, supporting both branch and corporate offices. Organizations can select a WLAN access controller that supports as few as eight APs or as many as 640. With many WLAN access controllers, organizations can start with a base license and purchase incremental licensing as they grow. Rev

102 Getting Started with HP Wireless Networks Unified wireless and wired network Figure 5-5: Unified wireless and wired network A-Series controllers have both a command-line interface (CLI) and a Web browser interface. Because the controller software uses the same base code as A-Series switches, the controllers CLI is consistent with the switches CLI, simplifying management for both. The controllers CLI uses the same access levels and basic organization as the A-Series switch CLI. Of course, the controllers CLI contains commands specific to wireless networks, which the switch CLI does not support. Compare the controller and switch CLI commands below: <AController> system-view [AController] vlan <ID> [AController-vlan<ID>] port <type> <ID> [AController-vlan<ID>] quit [AController] management-vlan <ID> <ASwitch> system-view [ASwitch] vlan <ID> [ASwitch-vlan<ID>] port <type> <ID> [ASwitch-vlan<ID>] quit [ASwitch] management-vlan <ID> In addition, you can manage these switches and controllers from HP s Intelligent Management Center (IMC), a platform that provides a single point of management for A-Series networks. 5 6 Rev 10.41

103 HP Networking Mobility for the Enterprise Advanced features Figure 5-9: Advanced features In addition to supporting standard wireless security options, the A-Series controllers offer features such as full redundancy with fast backup and WLAN load balancing. The controllers also support the optimized WLAN architecture, providing both centralized or distributed data forwarding. Controllers handle functions such as authentication and AP routing and handoffs. They integrate with AAA servers, consistently enforcing user and group access policies across the wireless LAN. Controlled, or fit, APs handle local traffic encryption to provide security close to the user and decrease latency. Rev

104 Getting Started with HP Wireless Networks HP A-WA2x00 Series APs A-WA2620E A-WA2620 A-WA2612 A-WA2610 A-WA2220 A-WA 2110 Figure 5-10: HP A-WA2x00 Series APs You will now be introduced to the A-Series APs, starting with the HP A-WA2x00 AP Series. This series includes both single- and dual-radio APs, and each radio supports up to 64 users. These controlled, or fit, APs can be managed through any A-Series WLAN access controller. Table 5-1: HP A-WA2x00 Series APs AP Model Radio(s) Power Ports Antennas n MIMO A-WA2620E 2 (802.11a/b/g/n) PoE 1 10/100/ external 3T x 3R Yes A-WA (802.11a/b/g/n) PoE 1 10/100/ internal 2T x 3R No 3 connectors A-WA (802.11a/b/g/n) PoE 1 10/100/ external 2T x 3R No A-WA (802.11a/b/g/n) PoE 1 10/100/ external 3T x 3R Yes Plenum rated A-WA (802.11a/b/g) PoE 1 10/100 2 external N/A N/A A-WA (802.11a/b/g) PoE 1 10/100 2 external No No 5 8 Rev 10.41

105 HP Networking Mobility for the Enterprise HP wireless bridges HP a Integrated Outdoor Bridge and Access Point HP a/b/g Workgroup Bridge Figure 5-11: HP wireless bridges The A-Series includes two types of wireless bridges: HP a Integrated Outdoor Bridge and Access Point As the name suggests, the Integrated Outdoor Bridge and Access Point is designed to connect network segments in two different buildings. It provides this connectivity using a. This combined bridge/ap can also be used to provide wireless access to b/g stations. HP a/b/g Workgroup Bridge The Workgroup Bridge is designed to connect legacy devices (such as fax machines or printers) to a wireless network. Rev

106 Getting Started with HP Wireless Networks HP A3000G wireless switch series A G-PoE+ A G-PoE+ Figure 5-12: HP A3000G wireless switch series The HP A3000G Wireless Switch Series provides centralized management of a/b/g/n wireless networks. Ideal for branch offices and campus networks, these devices function as both WLAN access controllers and switches, providing 10/100/1000 ports for wired network connectivity. Table 5-2: A3000G wireless switch series Model APs Ports Managemant PoE/PoE+ support A G-PoE+ Up to /100/ dual-personality Web-based, CLI, and SNMP A G-PoE+ Up to /100/1000 Web-based, CLI, 2 SFP and SNMP A3000-8G-PoE+ Up to /100/1000 Web-based, CLI, and SNMP With regard to the table: A3000-8G-PoE+ All ports Any 4 ports Ports 1-4 only Small Form-factor Pluggable (SFP) ports support transceivers, which provide a variety of connectivity options, including fiber optic. Dual-personality ports can be used as either 10/100/1000 ports for copper cables or open SFP ports. Simple Network Management Protocol (SNMP) enables central management of a variety of devices, including switches, routers, and APs Rev 10.41

107 HP Networking Mobility for the Enterprise HP A-WX WLAN Controllers A-WX5004 A-WX5002 Figure 5-13: HP A-WX WLAN Controllers The A-WX5000 WLAN Controller Series includes two models. The A-WX5004 controls up to 256 APs; the A-WX5002 controls up to 64. Table 5-2: A-WX WLAN Controllers Model APs Ports Management PoE support A-WX5004 Up to dual-personality Web-based, CLI, and SNMP A-WX5002 Up to 64 2 dual-personality Web-based, CLI, and SNMP No No Rev

108 Getting Started with HP Wireless Networks A-Series controller modules A5800 Access Controller Module for APs A5800 Access Controller Module for APs A7500 Access Controller Module A9500 Access Controller Module Figure 5-14: A-Series controller modules Customers with an HP A5800, A7500, or A9500 switch chassis have the option to purchase a WLAN access controller module. When the controller is installed into one of these switches, they control both wired and wireless networks. These WLAN access controller modules provide features similar to the standalone access controllers. Table 5-3: A-Series Controller Modules APs Management Model Port A5800 Access Controller Module for APs A5800 Access Controller Module for APs A7500 Access Controller Module A9500 Access Controller Module Management interface /100 Web-based, CLI, and SNMP /100/1000 Web-based, CLI, and SNMP /100/1000 Web-based, CLI, and SNMP /100/1000 Web-based, CLI, and SNMP Internal interface PoE support USB port 2 1-GbE No No 1 10-GbE No No 1 10-GbE No Yes 1 10-GbE No Yes 5 12 Rev 10.41

109 HP Networking Mobility for the Enterprise Summary In this module you learned how the needs of enterprises differ from those of SMBs. You were introduced to a variety of HP Networking wireless solutions which allow enterprises to precisely manage high-volume, multi-user wireless traffic in a secure environment. You also learned that HP wireless access controllers offer unified networking to simplify wired and wireless network management. Rev

110 Getting Started with HP Wireless Networks 5 14 Rev 10.41

111

112 To learn more about HP networking, visit Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.