secure mobility in cisco unified wlan networks for mobile devices

71
Secure Mobility in Cisco Unified WLAN Networks BRKEWN-2018 Senior Manager/Architect, Technical Marketing July 2011 Jake Woodhams

Upload: cisco-mobility

Post on 27-Jan-2015

114 views

Category:

Technology


2 download

DESCRIPTION

Best practices for implementing the latest WLAN security techniques from design to deployment. Includes recommendations for proper authentication and encryption and fast secure roaming. Learn More: http://www.cisco.com/go/wireless

TRANSCRIPT

Page 1: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 1

Secure Mobility in Cisco Unified WLAN Networks BRKEWN-2018

Senior Manager/Architect, Technical Marketing

July 2011

Jake Woodhams

Page 2: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 2

Abstract

• The proliferation of Wi-Fi enabled devices creates important challenges for IT, perhaps the chief challenge being security and scalable, efficient, secure roaming. This session will cover the state-of-the-art technologies for proper authentication and encryption and fast, secure roaming. Topics include 802.11i/WPA/WPAv2, TKIP/AES & Fast roaming with CCKM, PKC, and the emerging 802.11r standard. Different EAP types like PEAP, PEAP-GTC, EAP-TLS, EAP-TTLS, EAP-FAST will be covered in this session. The session will include best practices for implementing latest WLAN security techniques and design and deployment recommendations for device roaming. Pre-requisite: A minimum of CCNA level knowledge of campus routing and switching is highly recommended. Knowledge of 802.11 WLAN fundamentals and the basics of the Cisco Unified WLAN technology are also assumed.

Page 3: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 3

Session Agenda

• Anatomy of a Device Connection • Anatomy of a Device Roam

• Design and Deployment Considerations

Page 4: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 4

Anatomy of a Device Connection

Page 5: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 5

Section Agenda

•  802.11 Architecture and Services Basics •  802.11i Addendum

• EAP Types and Key Management • Device Mobility Problem Statement

Page 6: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 6

802.11 Architecture Basics

BSS BSS

  BSS – Basic Service Set

  SSID – Service Set Identifier

  BSSID – Basic Service Set Identifier

  STA – Station (AKA Client)

STA STA

SSID: ASCII String BSSID: MAC Address

SSID: ASCII String BSSID: MAC Address

Page 7: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 7

802.11 Architecture Basics

  ESS – Extended Service Set

  DS – Distribution System

BSS BSS

ESS

DS

Page 8: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 8

802.11 Services Service Description Implementation

Distribution Services

STA Services

Page 9: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 9

802.11 Services Service Description Implementation

Distribution Services Association

Reassociation

Disassociation

STA Services

Page 10: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 10

802.11 Services Service Description Implementation

Distribution Services Association Used to create a logical connection between a mobile STA

and an AP 802.11

Reassociation

Disassociation

STA Services

Page 11: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 11

802.11 Services Service Description Implementation

Distribution Services Association Used to create a logical connection between a mobile STA

and an AP 802.11

Reassociation Similar to association service, except information about a mobile STA’s previous AP may be included; used as a STA moves across an ESS

802.11

Disassociation

STA Services

Page 12: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 12

802.11 Services Service Description Implementation

Distribution Services Association Used to create a logical connection between a mobile STA

and an AP 802.11

Reassociation Similar to association service, except information about a mobile STA’s previous AP may be included; used as a STA moves across an ESS

802.11

Disassociation Used by AP to force mobile STA off the BSS or by mobile STA to inform AP it doesn’t need service anymore 802.11

STA Services

Page 13: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 13

802.11 Distribution Services Association Service

802.11 Association Request: “Can I Associate to This BSSID?”

802.11 Association Response: “Yes, You Can Associate

to This BSSID”

802.11 Association Response: “No, You Cannot Associate

to This BSSID”

Page 14: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 14

802.11 Distribution Services Disassociation Service

802.11 Disassociation Request: “You Cannot Be Associated to This

BSSID Anymore”

802.11 Disassociation Request: “I Do Not Want to Be Associated to

This BSSID Anymore”

Page 15: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 15

802.11 Distribution Services Reassociation Service (Roaming Context)

802.11 Reassociation Request: “Can I Reassociate to This BSSID?”

802.11 Disassociation Request: “I Do Not Want to Be Associated to

This BSSID Anymore”

802.11 Association Response: “Yes, You Can Associate

to This BSSID”

802.11 Association Response: “No, You Cannot Associate

to This BSSID”

Page 16: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 16

802.11 Services Service Description Implementation

Distribution Services Association Used to create a logical connection between a mobile STA

and an AP 802.11

Reassociation Similar to association service, except information about a mobile STA’s previous AP may be included; used as a STA moves across an ESS

802.11

Disassociation Used by AP to force mobile STA off the BSS or by mobile STA to inform AP it doesn’t need service anymore 802.11

STA Services

  So, What Do These Three Services Accomplish?   What’s Missing?

Page 17: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 17

802.11 Services Service Description Implementation

Distribution Services Association Used to create a logical connection between a mobile STA

and an AP 802.11

Reassociation Similar to association service, except information about a mobile STA’s previous AP may be included; used as a STA moves across an ESS

802.11

Disassociation Used by AP to force mobile STA off the BSS or by mobile STA to inform AP it doesn’t need service anymore 802.11

STA Services Authentication Used to prove the identity of the STA and AP

WPA/WPAv2 (802.11I), CAPWAP

Deauthentication Used to eliminate a previously authenticated user from further use of the network

Privacy Used to protect frames in transit over wireless medium

Page 18: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 18

How STAs Connect to a WLAN Securely

•  802.11 spec defines authentication, deauthentication, and privacy services, but…

•  802.11 spec provides extremely weak (useless for 2010 requirements) mechanisms for these services:

-  Authentication/Deauthentication: Shared-Key Auth

-  Privacy: Wired Equivalent Privacy (WEP)

•  802.11I addendum adds strong(er) mechanisms for implementing STA security-related services:

-  Authentication/Deauthentication: PSK, 802.1X/EAP

-  Privacy: TKIP & CCMP

STA Services

Page 19: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 19

WPA/WPA2

•  A snapshot of the 802.11I Standard •  Commonly used with TKIP encryption WPA

•  Final version of 802.11I •  Commonly used with AES encryption WPA2

•  Personal (PSK) – Home Use •  Enterprise (802.1X/EAP) – Office Use

Authentication Mechanisms

Page 20: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 20

Authentication Best Practices: WPA2-Enterprise

•  Extensible Authentication Protocol (EAP) • Outside Methods (Protective Tunnel):

•  PEAP •  EAP-FAST •  TLS

•  Inside Methods (Authentication Credentials): •  EAP-MSCHAPv2 •  EAP-GTC

Strong Authentication

Page 21: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 21

802.1X/EAP Choreography 802.1X/EAP Three Party Model

802.1X Port Blocking Instantiated: Only Authentication Transaction Related Traffic Allowed Through the AP

Keys Plumbed, 802.1X Port Blocking Removed… Data Allowed Through AP

Page 22: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 22

802.1X/EAP Choreography

Distribution Services: Association/Reassociation/Disassociation

STA Services: Authentication/Deauthentication

STA Services: Privacy

Page 23: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 23

EAP Types: EAP-FAST

Page 24: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 24

EAP Types: PEAP

Page 25: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 25

EAP Types: EAP-TLS

Page 26: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 26

802.1X/EAP Choreography

Page 27: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 27

Key Management – Four-Way Handshake

Page 28: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 28

Key Management – Pairwise Transient Key (PTK)

Page 29: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 29

Key Management – Group Transient Key (GTK)

Page 30: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 30

Key Management – GTK Distribution

Page 31: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 31

802.1X/EAP Choreography

Distribution Services: Association/Reassociation/Disassociation

STA Services: Authentication/Deauthentication

STA Services: Privacy

Page 32: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 32

802.11 Services Service Description Implementation

Distribution Services Association Used to create a logical connection between a mobile STA

and an AP 802.11

Reassociation Similar to association service, except information about a mobile STA’s previous AP may be included; used as a STA moves across an ESS

802.11

Disassociation Used by AP to force mobile STA off the BSS or by mobile STA to inform AP it doesn’t need service anymore 802.11

Distribution Service to determine how to deliver frames 802.11, CAPWAP

Integration Service to determine how WLAN connects to other LANs

STA Services Authentication Used to prove the identity of the STA & AP

WPA/WPAv2 (802.11I), CAPWAP

Deauthentication Used to eliminate a previously authenticated user from further use of the network

Privacy Used to protect frames in transit over wireless medium

Data Delivery Used to provide reliable delivery of frames 802.11, CAPWAP

  So, What Do These Nine Services Accomplish?   What’s Missing?

Page 33: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 33

802.11 Architecture Basics

  ESS – Extended Service Set

  DS – Distribution System

BSS BSS

ESS

DS ????

Page 34: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 34

802.1X/EAP Choreography

Page 35: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 35

Device Mobility Problem Statement: • Specification for how STAs association, authenticate, and protect data privacy defined in context of a single AP (mostly…) • Specifications for how STAs transition securely in an ESS – hazy • Specifics of DS/Integration services not well defined for Enterprise

Page 36: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 36

Device Mobility Problem Statement: • Wireless devices move by definition

• Applications require session persistence, while maintaining security and other services

Requirement: Facilitate Fast Secure Roaming for Enterprise Class Devices in an Efficient and Scalable Way…

Page 37: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 37

Anatomy of a Device Roam

Page 38: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 38

Section Agenda

• CUWN Architecture Review • Basic Roaming Walkthrough

• Fast Secure Roaming Technologies

Page 39: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 39

CUWN Architecture Review

Real-Time 802.11/MAC Functionality:

•  Beacon Generation •  Probe Response •  Power management/Packet buffering •  802.11e/WMM scheduling, queueing •  MAC layer data encryption/decryption •  802.11 control messages

Data Encapsulation/De-Encapsulation Translational Bridging (H-REAP Local Switching) Fragmentation/De-Fragmentation

Non Real-Time 802.11/MAC Functionality: •  Assoc/Disassoc/Reassoc •  802.11e/WMM resource reservation •  802.1X/EAP •  Key management

802.11 Distribution Services 802.11 STA Services (Auth/Deauth/Privacy*) Wired/Wireless Integration Services

Page 40: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 40

802.1X/EAP Choreography Revisited

Page 41: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 41

Anatomy of a STA Roam Initial Device Connection to Network

Page 42: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 42

Anatomy of a STA Roam Client Roam

Page 43: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 43

Anatomy of a STA Roam

• The STA chooses when to roam • Each time the STA connects to a new BSSID, it must fully

reauthenticate and rekey •  IP Addresses get refreshed on roams (usually)

• How long does a roam take?

Summary of Important Points

Page 44: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 44

How Long Does an STA Roam Take?

• Time it takes for: Client to disassociate +

Probe for and select a new AP +

802.11 Association +

802.1X/EAP Authentication +

Rekeying +

IP address (re) acquisition

• All this can be on the order of seconds… Can we make this faster?

Page 45: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 45

How Are We Going to Make Roaming Faster? Focus on Where We Can Have the Biggest Impact…

  Eliminating the (re)IP address acquisition challenge

  Eliminating full 802.1X/EAP reauthentication

Page 46: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 46

Roaming: Intra-Controller

•  Intra-controller roam happens when a STA moves association between APs joined to the same controller

•  Client must be re-authenticated and new security session established

•  Controller updates client database entry with new AP and appropriate security context

•  No IP address refresh needed

Page 47: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 47

Roaming: Inter-Controller Layer 2

Page 48: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 48

Roaming: Inter-Controller

•  L2 inter-controller roam: STA moves association between APs joined to the different controllers but client traffic bridged onto the same subnet

• Client must be re-authenticated and new security session established

• Client database entry moved to new controller

• WLCs must be in same mobility group or domain • No IP address refresh needed

• Account for mobility message exchange in network design

Layer 2

Page 49: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 49

Roaming: Inter-Controller Layer 3

Page 50: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 50

Roaming: Inter-Controller

•  L3 inter-controller roam: STA moves association between APs joined to the different controllers but client traffic bridged onto different subnets

 Client must be re-authenticated and new security session established

 Client database entry copied to new controller – entry exists in both WLC client DBs

 Original controller tagged as the “anchor”, new controller tagged as the “foreign”

 WLCs must be in same mobility group or domain

 No IP address refresh needed

 Symmetric traffic path established -- asymmetric option has been eliminated as of 6.0 release

 Account for mobility message exchange in network design

 Account for asymmetric traffic path (EtherIP)

Layer 3

Page 51: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 51

How Are We Going to Make Roaming Faster? Focus on Where We Can Have the Biggest Impact…

  Eliminating the (re)IP address acquisition challenge

  Eliminating full 802.1X/EAP reauthentication

Page 52: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 52

Cisco Centralized Key Management (CCKM)

• Cisco introduced CCKM in CCXv2 (pre-802.11I), so widely available, especially with application specific devices (ASDs)

• CCKM originally a core feature of the “Structured Wireless Aware Network” (SWAN) architecture

• CCKM ported to CUWN architecture in 3.2 release

•  In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range!

• CCKM is most widely implemented in ASDs, especially VoWLAN devices

• To work across WLCs, WLCs must be in the same mobility group

• CCX-based laptops may not fully support CCKM – depends on supplicant capabilities

Page 53: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 53

PMKID Caching

•  Optional component of 802.11I specification •  Defines a “PMK Security Association” (PMKSA) that gets stored by

authenticator •  PMKSA includes:

  PMKID   Lifetime   PMK (32 bytes)   BSSID (6 bytes)   Client's MAC (6 bytes)   AKM (Authentication and Key Management)

•  PMKID =

HMAC-SHA1-128 (PMK, “PMK Name” || BSSID || STA Mac)

Page 54: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 54

Opportunistic/Proactive Key Caching

CAPWAP

802.11 Disassociation Request:

“I Do Not Want to Be Associated to

This BSSID Anymore”

1. WLC extracts PMKID from 802.11 (Re)association request

2. WLC computes the new PMKID based on the PMKSA and other information it knows (BSSID, Client Mac)

3. WLC compares the values – if they match, full 802.1X/EAP authentication is skipped and the WLC & client go directly to the four-way handshake, then updates the PMKSA in the client DB

4.  If they don’t match, the WLC sends the STA an EAP-Identity Request to initiate the full 802.1X/EAP Authentication

Basic Mechanics

Page 55: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 55

Proactive Key Caching Basic Mechanics

Page 56: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 56

OKC/PKC

• Requires client/supplicant support • Supported in Windows since XP SP2

• Many ASDs support OKC and/or PKC • Check on client support for TKIP vs. CCMP – mostly CCMP

only

• Enabled by default on WLCs with WPAv2 • Requires WLCs to be in the same mobility group

•  Important design note: pre-positioning of roaming clients consumes spots in client DB

•  In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range!

Key Data Points

Page 57: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 57

Standardization! 802.11R

•  802.11R is a ratified IEEE standard, based in large part on CCKM

•  802.11R: “Fast (Basic Service Set) BSS Transition” • Also includes dynamic QoS capabilities

• No commercially available clients at this point

• WiFi Alliance is planning/implementing 802.11R plugfests • Cisco WLCs have implemented 802.11R (unsupported) since

5.2 •  In highly controlled OTA test environments, 802.11R roam

times are comparable to CCKM OTA times

Page 58: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 58

How Are We Going to Make Roaming Faster? Focus on Where We Can Have the Biggest Impact…

  Eliminating the (re)IP address acquisition challenge

  Eliminating full 802.1X/EAP reauthentication

Page 59: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 59

Design and Deployment Considerations

Page 60: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 60

Section Agenda

• Roaming Domains • Design Considerations for Roaming

• Client Roaming Behavior • Special Case: H-REAP Groups

Page 61: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 61

Roaming Domains

• Mobility Group – cluster of up to 24 controllers (regardless of type) that create a seamless roaming domain

• Fast secure roaming technologies work across controllers within a roaming domain

• Mobility messages exchanged either unicast or multicast depending on configuration

Mobility Group

http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html#wpmkr1100509

Page 62: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 62

Roaming Domains

•  Mobility Domain is a seamless roaming domain of up to 3 Mobility Groups

•  Max of 72 WLCs

•  Seamless roaming == IP addressing is maintained

•  Fast secure roaming does work not across Mobility Group – clients crossing these boundaries will have to go through a full reauth, but will retain their IP address

Mobility Domain

http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html#wpmkr1100509

Page 63: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 63

How Long Does a Client Really Take to Roam?

• Time to roam = Client to disassociate +

Probe for and select a new AP +

802.11 Association +

Mobility message exchange between WLCs +

Reauthentication +

Rekeying +

IP address (re) acquisition

• Network latency will have an impact on these times – consideration for controller placement

• With a fast secure roaming technology, roam times under 150 msecs are consistently achievable, though mileage may vary

Page 64: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 64

How Often Do Clients Roam?

•  It depends… types of clients and applications • Most client devices are designed to be “nomadic” rather than

“mobile”, though proliferation of small form factor, “smart” devices will probably change this…

• Nomadic clients usually are programmed to try to avoid roaming… so set your expectations accordingly

•  “SWAG” design rule of thumb: 10-20 roams per second for every 5000 clients

Page 65: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 65

Designing a Mobility Group/Domain

•  Less roaming is better – clients and apps are happier • While clients are authenticating/roaming, WLC CPU is doing

the processing – not as much of a big deal for 5508 which has dedicated management/control processor

•  L3 roaming & fast roaming clients consume client DB slots on multiple controllers – consider “worst case” scenarios in designing roaming domain size

•  Leverage natural roaming domain boundaries • Mobility Message transport selection: multicast vs. unicast

• Make sure the right ports and protocols are allowed

Design Considerations

Page 66: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 66

Special Case: FlexConnect Groups • Support for up to 20 FlexConnect Groups of up to 25

FlexConnect APs each

• APs in an FlexConnect share common configuration parameters like RADIUS servers

• Fast Secure Roaming via CCKM for locally switched clients is supported for all clients in an FlexConnect Group (L2 roaming only)

• CCKM keying material is provisioned locally – allows CCKM to work in standalone mode (existing clients when AP transitioned from connected mode)

* Note: FlexConnect is new branding for Hybrid REAP (H-REAP)

http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70hreap.html#wp1133688

Page 67: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 67

Questions?

Page 68: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 68

Complete Your Online Session Evaluation

  Receive 25 Cisco Preferred Access points for each session evaluation you complete.

  Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.

  Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

  Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.

Page 69: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 69

Visit the Cisco Store for Related Titles

http://theciscostores.com

Page 70: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 70

Page 71: Secure Mobility in Cisco Unified WLAN Networks for Mobile Devices

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKEWN-2018 71

Thank you.