WLAN Infrastructure
Jan 24, 2016
Figure: Wireless data networks, plotted by coverage area (local to wide) against data rate (9.6 Kbps, 19.6 Kbps, 56 Kbps, 1, 2, 4, 10 and 54 Mbps). Local-area, high-rate technologies: infrared wireless LANs, narrowband wireless LANs, spread-spectrum wireless LANs and 802.11 products (up to 54 Mbps). Wide-area, low-rate technologies: circuit and packet data (cellular, CDPD, RAM, ARDIS), narrowband PCS, broadband PCS, Metricom and satellite.
License Free ISM Band
Figure: the spectrum from extremely low frequency through very high, ultra high and super high frequency to infrared, visible light, ultraviolet and X-rays, with audio, AM broadcast, short-wave radio, FM broadcast, television, cellular (840 MHz), NPCS (1.9 GHz) and infrared wireless LANs marked. The unlicensed ISM allocations are:
• 902–928 MHz (26 MHz): older products
• 2.4–2.4835 GHz (83.5 MHz): IEEE 802.11b, current products
• 5 GHz: IEEE 802.11a and HiperLAN/HiperLAN2, future technology
Notes: Very little spectrum is for unlicensed use.
Channels – 802.11b
Spectrum: 83.5 MHz (2400–2483.5 MHz)
Channels: 11 channels in the US on 5 MHz centers, each 22 MHz wide, so only three (1, 6 and 11) are non-overlapping.
Speeds: 1, 2, 5.5 and 11 Mbps data rates (DSSS)
Figure: channel map 1–11 across 2400–2483 MHz, and coverage versus bandwidth: the three non-overlapping channels (blue, green, red) each carry 11 Mbps, for an aggregate of 33 Mbps in one coverage area.
Site Survey Channel Mapping
Figure: floor plan with adjacent access-point cells alternating among channels 1, 6 and 11 so that no two neighboring cells share a channel.
Site Survey Bandwidth Layout
Figure: the same cells with their concentric data-rate zones (11 Mbps nearest the AP, then 5.5 Mbps, then 2 Mbps at the cell edge).
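The two site-survey figures above assign cells to channels 1, 6 and 11. As an added example (not from the slides), the following Python first derives why those are the only three non-overlapping US 802.11b channels from the 22 MHz channel width and 5 MHz spacing, then performs the greedy channel assignment a site survey does over a map of overlapping cells, reporting any AP that cannot avoid a neighbor's channel (the "dueling access points" case). The floor plan in the usage is constructed.

```python
"""802.11b channel overlap and site-survey channel assignment (added example)."""

# US 802.11b channels 1-11 sit on 5 MHz centers from 2412 MHz and each
# occupies a 22 MHz wide DSSS channel (values from the slides).
CHANNEL_WIDTH_MHZ = 22
CHANNEL_SPACING_MHZ = 5
FIRST_CENTER_MHZ = 2412


def center_freq_mhz(channel: int) -> int:
    """Center frequency of a US 802.11b channel (1-11)."""
    if not 1 <= channel <= 11:
        raise ValueError("US 802.11b channels are 1-11")
    return FIRST_CENTER_MHZ + CHANNEL_SPACING_MHZ * (channel - 1)


def channels_overlap(a: int, b: int) -> bool:
    """Two 22 MHz channels overlap unless their centers are at least 22 MHz apart."""
    return abs(center_freq_mhz(a) - center_freq_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_channels(channels=range(1, 12)) -> list:
    """Sweep up from the bottom of the band, keeping a channel only if it clears
    every channel already kept.  Yields [1, 6, 11] for the US band."""
    kept = []
    for ch in channels:
        if all(not channels_overlap(ch, k) for k in kept):
            kept.append(ch)
    return kept


def aggregate_bandwidth_mbps(per_channel_mbps: float = 11.0) -> float:
    """Capacity available in one coverage area: one cell per non-overlapping channel."""
    return per_channel_mbps * len(non_overlapping_channels())


def build_adjacency(edges) -> dict:
    """Symmetric neighbor map from (ap, ap) pairs whose cells overlap (constructed input)."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def assign_channels(adjacency: dict, channels=(1, 6, 11)):
    """Greedy 3-coloring of the cell-overlap graph with the non-overlapping channels.
    Returns (assignment, conflicts); conflicts lists APs forced to share a channel
    with an overlapping neighbor, i.e. cells the survey must move or power down."""
    assignment, conflicts = {}, []
    for ap, neighbors in adjacency.items():
        used = {assignment[n] for n in neighbors if n in assignment}
        free = [c for c in channels if c not in used]
        if free:
            assignment[ap] = free[0]
        else:
            # Every channel collides with some neighbor: take the least-loaded one
            # and report the AP rather than silently creating a dueling pair.
            load = {c: sum(1 for n in neighbors if assignment.get(n) == c) for c in channels}
            assignment[ap] = min(channels, key=load.__getitem__)
            conflicts.append(ap)
    return assignment, conflicts


if __name__ == "__main__":
    print("non-overlapping:", non_overlapping_channels(), aggregate_bandwidth_mbps(), "Mbps")
    # Constructed hallway: four cells in a line plus one diagonal overlap.
    plan = build_adjacency([("AP1", "AP2"), ("AP2", "AP3"), ("AP3", "AP4"), ("AP1", "AP3")])
    print(assign_channels(plan))
    # Constructed courtyard where four cells all overlap: one AP cannot be placed cleanly.
    crowded = build_adjacency([("A", "B"), ("A", "C"), ("A", "D"), ("B", "C"), ("B", "D"), ("C", "D")])
    print(assign_channels(crowded))
```

A conflict reported by `assign_channels` is the cue to do what the next slides describe: lower transmit power so the cells shrink and stop overlapping, or move the AP.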
30mW Cell Size Comparison
30 milli-Watt client and Access Point range capabilities:
• 11 Mbps DSSS: 80–100 feet radius
• 5.5 Mbps DSSS: 100–200 feet radius
• 2 Mbps DSSS: 200–275 feet radius
Cell Size Comparison, Cont.
• Full antenna power – 30mW
• 3 Access Points
• Reduced antenna power – 5mW
• 18 Access Points
• Fewer users per access point
Figure: the same floor covered by 3 large cells at 30mW versus 18 small cells at 5mW, with channels 1, 6 and 11 reused so that no adjacent cells collide.
Antennas
• Antennas extend range by shaping the radiation pattern of the signal
• Different applications call for different antennas
• Measurements given in "gain" – dBi
• Cable type and length greatly affect effective gain (coax loss subtracts from antenna gain)
Antennas, Cont.
Figure: campus deployment example, maximum coverage with autorate negotiation. Wireless for students: dipole antennas indoors, patch antennas outdoors. Classrooms (Class 1–4 and Class 8–11) along a hallway, roughly 1000' by 850', plus a building courtyard (1000'), covered by APs on channels 1, 6 and 11. The APs sit on an isolated LAN behind a PIX firewall.
Antennas, Cont.
Figure: store-front deployment example, maximum coverage with autorate negotiation. Cabling is only available at the store front, so Yagi antennas and dipoles cover an area roughly 2000' by 850', with APs on channels 1, 6 and 11.
Products Evolving
• Better radios – better reception, improved bandwidth
• Better management
• Easier to deploy (in-line power)
• More security
• New standards
Inline Power
100mW Cell Size Comparison
100 milli-Watt client and Access Point range capabilities:
• 11 Mbps DSSS: 100–150 feet radius
• 5.5 Mbps DSSS: 150–250 feet radius
• 2 Mbps DSSS: 250–350 feet radius
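For the antenna bullets and the two cell-size slides, here is an added link-budget example (not from the slides) that turns milliwatts, dBi gain and coax loss into EIRP and then into a cell radius per data rate, so the inner 11 Mbps ring and outer 2 Mbps ring of the survey figures fall out of the receiver sensitivities. The receiver sensitivities, the 2.2 dBi dipole gain, the 6.8 dB per 100 ft LMR-400 loss and the path-loss exponent are assumptions labelled in the code; the slides' measured radii are far shorter than free space predicts, which is what the exponent parameter models.

```python
"""Link budget and cell radius per 802.11b data rate (added example, not from the slides)."""
import math

FREQ_MHZ = 2437.0               # channel 6 center; assumption: mid-band figure for 2.4 GHz
FEET_PER_METER = 3.28084

# Assumed receiver sensitivity per DSSS rate, typical of a card of that era (illustrative only).
SENSITIVITY_DBM = {11.0: -82.0, 5.5: -87.0, 2.0: -91.0, 1.0: -94.0}
DIPOLE_GAIN_DBI = 2.2           # assumption: the standard "rubber duck" dipole
LMR400_LOSS_DB_PER_100FT = 6.8  # assumption: approximate LMR-400 loss at 2.4 GHz


def mw_to_dbm(milliwatts: float) -> float:
    return 10.0 * math.log10(milliwatts)


def cable_loss_db(length_ft: float, loss_db_per_100ft: float = LMR400_LOSS_DB_PER_100FT) -> float:
    """Coax loss is linear in length; a long run can eat all of a high-gain antenna's dBi."""
    return length_ft * loss_db_per_100ft / 100.0


def eirp_dbm(tx_power_mw: float, antenna_gain_dbi: float, cable_loss: float = 0.0) -> float:
    """Effective isotropic radiated power: transmitter dBm plus antenna gain minus cable loss."""
    return mw_to_dbm(tx_power_mw) + antenna_gain_dbi - cable_loss


def fspl_db(distance_m: float, freq_mhz: float = FREQ_MHZ) -> float:
    """Free-space path loss with d in meters and f in MHz (about 40 dB at 1 m on 2.4 GHz)."""
    return 20.0 * math.log10(distance_m) + 20.0 * math.log10(freq_mhz) - 27.55


def path_loss_db(distance_m: float, exponent: float = 2.0, freq_mhz: float = FREQ_MHZ) -> float:
    """Log-distance model: free-space loss at 1 m, then 10*n*log10(d).  n = 2.0 is free
    space; indoor offices run roughly 3 to 4 (assumption), which is why the cells are small."""
    return fspl_db(1.0, freq_mhz) + 10.0 * exponent * math.log10(distance_m)


def max_range_ft(eirp: float, rx_gain_dbi: float, sensitivity_dbm: float,
                 exponent: float = 2.0, freq_mhz: float = FREQ_MHZ) -> float:
    """Invert path_loss_db: the distance at which received power just meets sensitivity."""
    allowed_loss = eirp + rx_gain_dbi - sensitivity_dbm
    distance_m = 10.0 ** ((allowed_loss - fspl_db(1.0, freq_mhz)) / (10.0 * exponent))
    return distance_m * FEET_PER_METER


def cell_radii_ft(tx_power_mw: float, antenna_gain_dbi: float = DIPOLE_GAIN_DBI,
                  cable_loss: float = 0.0, rx_gain_dbi: float = DIPOLE_GAIN_DBI,
                  exponent: float = 2.0) -> dict:
    """Radius per data rate; faster rates need more signal, so they form the innermost rings."""
    e = eirp_dbm(tx_power_mw, antenna_gain_dbi, cable_loss)
    return {rate: max_range_ft(e, rx_gain_dbi, sens, exponent) for rate, sens in SENSITIVITY_DBM.items()}


def range_scale(new_power_mw: float, old_power_mw: float, exponent: float = 2.0) -> float:
    """Range ratio for a power change: (Pnew/Pold)^(1/n); sqrt(10/3) for 100 vs 30 mW in free space."""
    return (new_power_mw / old_power_mw) ** (1.0 / exponent)


if __name__ == "__main__":
    for power in (5.0, 30.0, 100.0):
        radii = cell_radii_ft(power, exponent=3.5)
        print(power, "mW:", {rate: round(ft) for rate, ft in radii.items()})
    # A 100 ft LMR-400 run costs 6.8 dB: an 8.5 dBi patch behind it nets only 1.7 dBi.
    print(round(eirp_dbm(30.0, 8.5, cable_loss_db(100.0)), 2), "dBm EIRP")
```

Raising power from 30mW to 100mW buys about 1.83x the range in free space and less indoors (the exponent shrinks the gain), which matches the modest growth in the slides' radii; the 5mW / 18 AP layout goes the other way on purpose, trading range for more, smaller cells.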
802.11a (fall?)
Spectrum (US*):
• 50mW from 5.150 – 5.250 GHz
• 250mW from 5.250 – 5.350 GHz
• 1W from 5.725 – 5.825 GHz
Speeds: 6, 12 and 24 Mbps mandatory for compliance; 54 Mbps+ expected
Channels: 20 MHz channels
Vendors? 8 – 15
Wired or Wireless…
• Wireless pilots encouraged, but would not invest heavily – technology changing
• Wireless is not a replacement for wired networks at this time
Some Problems
Interference potential
Figure: 802.11b sharing the 2.4 GHz band with other frequency-hopping devices (Bluetooth, HomeRF, cordless phones); Building A and Building B shown side by side.
Problems with just plugging it in
– Colliding channel allocations?
– How to implement authentication (WEP)?
– Coordination between autonomous departments?
– Interference with other devices?
– On different subnets?
– Different access policies?
– Dueling Access Points?
– Signal leakage between buildings?
– Building codes?
You are not in control.
Wireless Networks are Public
• Public networks will be designed, installed, and managed by TIS on the department's behalf (and on the department's funding)
• Public networks must be authenticated
• Installation will be professional, following UT building codes and practices
• Spectrum will be allocated/adjudicated by TIS
• Public interest will be considered over private interest in wireless conflicts
• There are always exceptions
Which Vendor?
Authentication
Authentication Schemes
• SSIDs (Service Set Identifiers) – Broadcast in clear by the unit and clients. Anyone can hear it and insert themselves.
• WEP (Wired Equivalent Privacy) – Uses RC4; problems with exchanging keys. Keys are either sent in clear or have to be manually configured and are then exposed on the client.
• MAC (hardware address restrictions) – Restrict based on Ethernet hardware address. Hard to manage across all access points. Any card can pretend to be any MAC address.
Authentication Schemes, Cont.
• UTEID (home grown) – http://www.tis.utexas.edu/network/pubaccess/ – UT's home grown digitally signed fat-cookie application. Doesn't provide encryption, but doesn't require any custom software and is compatible with all OSes.
• 802.1X / EAP / LEAP – Extensible Authentication Protocol, Lightweight Extensible Authentication Protocol – Solves the authentication and key distribution problem. Evolving standard that isn't supported on some OSes. LEAP doesn't use the same secured mechanisms as EAP-TLS.
• VPN (Virtual Private Network) – Requires client software. All traffic has to go to the VPN gateway and back, which defeats local routing/switching.
SSID
- Broadcast in clear by AP and client; anyone can add it to their client
- Must be manually configured on all clients
- Provides no encryption of signals
- Provides no user authentication/accounting
WEP
+ Provides some encryption (still vulnerable to the same attacks as wired networks, à la dsniff)
- Uses a shared key which is exposed to other clients
- Key must be manually configured on all clients (or sent in clear)
- Has various crypto defects (the 24-bit per-frame IV repeats, and the CRC-32 integrity check is malleable)
- Provides no user authentication/accounting
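The WEP slide lists "various crypto defects" without detail. As an added example (not from the slides), the following Python implements WEP's framing on a toy frame (RC4 keyed with IV || shared key, CRC-32 ICV appended before encryption) and demonstrates two of those defects: keystream reuse whenever the 24-bit IV repeats, which lets a known plaintext strip a second frame, and ICV malleability, which lets an attacker flip plaintext bits and fix the checksum without the key. The key, IVs and frame contents are constructed.

```python
"""WEP's crypto defects on a toy frame (added example, not from the slides).

WEP seeds RC4 with a 24-bit per-frame IV prepended to the shared key and appends a
CRC-32 integrity check value (ICV) to the plaintext before encrypting.  Two defects
follow directly: IVs repeat, so keystreams repeat; and CRC-32 is affine over GF(2),
so an attacker can flip plaintext bits and fix the ICV without knowing the key.
"""
import math
import struct
import zlib

IV_BITS = 24


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR up to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key)(plaintext || ICV).  Key is 40- or 104-bit."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV is 3 bytes")
    body = plaintext + icv(plaintext)
    return iv + xor_bytes(body, rc4(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    clear = xor_bytes(body, rc4(iv + shared_key, len(body)))
    plaintext, tag = clear[:-4], clear[-4:]
    return plaintext, tag == icv(plaintext)


def recover_with_reused_iv(frame1: bytes, known_plaintext1: bytes, frame2: bytes) -> bytes:
    """Defect 1: same IV means same keystream.  Known plaintext of frame 1 reveals the
    keystream, which strips frame 2 as far as the known plaintext reaches."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("frames do not share an IV")
    keystream = xor_bytes(frame1[3:], known_plaintext1)
    return xor_bytes(frame2[3:], keystream)


def iv_collision_probability(frames: int) -> float:
    """Birthday bound on at least one repeated IV among `frames` random 24-bit IVs."""
    space = 2 ** IV_BITS
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Defect 2: crc32(p ^ d) == crc32(p) ^ crc32(d) ^ crc32(zeros), so XORing `delta`
    into the plaintext needs only a key-independent correction to the ICV.  Both are
    applied straight through the ciphertext; the frame still verifies after decryption."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole plaintext")
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))) & 0xFFFFFFFF
    return iv + xor_bytes(body, delta + struct.pack("<I", icv_delta))


if __name__ == "__main__":
    key = bytes.fromhex("0123456789")       # constructed 40-bit shared key
    iv = b"\x00\x00\x01"                      # the same IV used for two frames
    f1 = wep_encrypt(key, iv, b"GET /index.html HTTP/1.0")
    f2 = wep_encrypt(key, iv, b"PASS hunter2")
    print(recover_with_reused_iv(f1, b"GET /index.html HTTP/1.0", f2)[:12])
    frame = wep_encrypt(key, b"\x00\x00\x02", b"amount=0010")
    forged = flip_bits(frame, xor_bytes(b"amount=0010", b"amount=9010"))
    print(wep_decrypt(key, forged))
    print(round(iv_collision_probability(5000), 2))
```

The birthday figure is the operational point: with 2^24 IVs a busy AP sees its first repeat after a few thousand frames, and every repeat hands a passive listener the XOR of two plaintexts; nothing in the exchange authenticates the user, so a client that can replay or flip frames is indistinguishable from a legitimate one.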
MAC
- Requires obtaining hardware addresses of all clients
- MAC address can be duplicated by any client
- Must be maintained on all APs (not scalable)
- Provides no encryption
- Provides no user authentication/accounting
UT EID
+ Provides user authentication utilizing a well-known mechanism (already in use on wired ports)
+ Requires no additional software and is available on all platforms
- Funnels all traffic through a central gateway, which defeats local switching/routing
- No encryption provided
- Home grown – unclear how to integrate with new offerings
802.1x/EAP Authentication
EAP over LAN (laptop – 802.1X authenticator/bridge – RADIUS server; EAPOL on the Ethernet side, RADIUS on the server side):
1. Port connect; access blocked
2. Laptop → Authenticator: EAPOL-Start
3. Authenticator → Laptop: EAP-Request/Identity
4. Laptop → Authenticator: EAP-Response/Identity
5. Authenticator → RADIUS: Radius-Access-Request
6. RADIUS → Authenticator: Radius-Access-Challenge
7. Authenticator → Laptop: EAP-Request
8. Laptop → Authenticator: EAP-Response (cred)
9. Authenticator → RADIUS: Radius-Access-Request
10. RADIUS → Authenticator: Radius-Access-Accept
11. Authenticator → Laptop: EAP-Success; access allowed
EAP over Wireless (laptop – access point – RADIUS server; EAPOW over 802.11, RADIUS over Ethernet):
1. 802.11 Associate; access blocked
2. Laptop → AP: EAPOL-Start
3. AP → Laptop: EAP-Request/Identity
4. Laptop → AP: EAP-Response/Identity
5. AP → RADIUS: Radius-Access-Request
6. RADIUS → AP: Radius-Access-Challenge
7. AP → Laptop: EAP-Request
8. Laptop → AP: EAP-Response (cred)
9. AP → RADIUS: Radius-Access-Request
10. RADIUS → AP: Radius-Access-Accept
11. AP → Laptop: EAP-Success; access allowed
12. AP → Laptop: EAPOW-Key (WEP)
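The two sequence diagrams above, as an added example (not from the slides): the supplicant, the authenticator (AP or 802.1X bridge) and the RADIUS server are simulated in-process with EAP-MD5 (RFC 3748) as the method, and the authenticator keeps its controlled port blocked until the RADIUS Access-Accept arrives. The credential store is a constructed one-user table; RADIUS packet encoding, the RADIUS shared secret and Message-Authenticator, and retransmission are omitted. EAP-MD5 derives no keys, so the WEP key handed over in the EAPOW-Key step is generated by the server here purely to mirror the diagram, and the code says so.

```python
"""802.1X/EAP port-based authentication, simulated end to end (added example)."""
import hashlib
import hmac
import os

USER_DB = {"alice": b"correct horse"}  # constructed test credential


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 / CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Supplicant:
    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password
        self.session_key = None

    def handle(self, request: dict) -> dict:
        """Answer an EAP-Request; the EAP Identifier is echoed back in the Response."""
        ident = request["id"]
        if request["type"] == "Identity":
            return {"code": "Response", "id": ident, "type": "Identity", "data": self.identity.encode()}
        if request["type"] == "MD5-Challenge":
            return {"code": "Response", "id": ident, "type": "MD5-Challenge",
                    "data": eap_md5_response(ident, self.password, request["data"])}
        raise ValueError("unsupported EAP method")


class RadiusServer:
    def __init__(self, users: dict):
        self.users = users
        self.pending = {}  # RADIUS State attribute -> (identity, identifier, challenge)

    def access_request(self, eap: dict, state=None) -> dict:
        if eap["type"] == "Identity":
            ident = (eap["id"] + 1) & 0xFF
            challenge, state = os.urandom(16), os.urandom(8).hex()
            self.pending[state] = (eap["data"].decode(), ident, challenge)
            return {"code": "Access-Challenge", "state": state,
                    "eap": {"code": "Request", "id": ident, "type": "MD5-Challenge", "data": challenge}}
        identity, ident, challenge = self.pending.pop(state)
        expected = eap_md5_response(ident, self.users.get(identity, b""), challenge)
        if identity in self.users and hmac.compare_digest(expected, eap["data"]):
            # EAP-MD5 yields no key material; the per-session WEP key below is generated
            # by the server only to mirror the EAPOW-Key step (assumption, not EAP-MD5).
            return {"code": "Access-Accept", "eap": {"code": "Success", "id": ident}, "key": os.urandom(13)}
        return {"code": "Access-Reject", "eap": {"code": "Failure", "id": ident}}


class Authenticator:
    """AP (or 802.1X bridge): relays EAP between EAPOL/EAPOW and RADIUS and keeps
    the controlled port blocked until RADIUS says Access-Accept."""

    def __init__(self, radius: RadiusServer, wireless: bool = True):
        self.radius, self.wireless = radius, wireless
        self.port_open = False
        self.transcript = []

    def log(self, line: str):
        self.transcript.append(line)

    def run(self, supplicant: Supplicant) -> bool:
        self.log("802.11 Associate; access blocked" if self.wireless else "Port connect; access blocked")
        self.log("Supplicant -> AP: EAPOL-Start")
        self.log("AP -> Supplicant: EAP-Request/Identity")
        response = supplicant.handle({"code": "Request", "id": 1, "type": "Identity", "data": b""})
        self.log("Supplicant -> AP: EAP-Response/Identity")
        state = None
        while True:
            self.log("AP -> RADIUS: Access-Request (EAP-Message)")
            reply = self.radius.access_request(response, state)
            self.log(f"RADIUS -> AP: {reply['code']}")
            if reply["code"] != "Access-Challenge":
                break
            state = reply["state"]
            self.log("AP -> Supplicant: EAP-Request/MD5-Challenge")
            response = supplicant.handle(reply["eap"])
            self.log("Supplicant -> AP: EAP-Response/MD5-Challenge (cred)")
        if reply["code"] == "Access-Accept":
            self.log("AP -> Supplicant: EAP-Success; access allowed")
            self.port_open = True
            if self.wireless:
                supplicant.session_key = reply["key"]
                self.log("AP -> Supplicant: EAPOW-Key (WEP)")
        else:
            self.log("AP -> Supplicant: EAP-Failure; access stays blocked")
        return self.port_open


def run_8021x(identity: str, password: bytes, users=None, wireless=True) -> Authenticator:
    ap = Authenticator(RadiusServer(USER_DB if users is None else users), wireless)
    ap.run(Supplicant(identity, password))
    return ap


if __name__ == "__main__":
    for line in run_8021x("alice", b"correct horse").transcript:
        print(line)
```

Note where the trust sits: the AP never sees the password, only relays EAP inside RADIUS, and the port opens on the RADIUS decision alone, which is why the slides can call this scalable accounting. The choice of EAP method is what sets the security level (EAP-MD5 here is vulnerable to offline dictionary attack on a captured challenge/response, and provides no key derivation of its own), which is the point the LEAP versus EAP-TLS remark is making.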
Future EAP Client Work?
• Microsoft placing an 802.11 EAP native supplicant in Win2K, WinCE
• What about other Microsoft OSes? – Win9x/WinNT (need LEAP)
• What about other OSes? – Linux, MacOS (need LEAP)
Change AP Association
Roaming from Access Point A to Access Point B. Steps to re-association:
1. Adapter listens for beacons from APs.
2. Adapter evaluates AP beacons, selects best AP.
3. Adapter sends association request to selected AP (B).
4. AP B confirms association and registers adapter.
5. AP B informs AP A of re-association with AP B.
6. AP A forwards buffered packets to AP B and de-registers adapter.
802.1X/EAP/LEAP
+ Provides user authentication/accounting in a scalable manner
+ Provides encryption (still vulnerable to the same attacks as wired networks, à la dsniff)
- Evolving standard
- Requires client software not extant on all platforms
- Network equipment more likely to be proprietary
- Will require inve$tment in new authentication infrastructure
- LEAP doesn't support the same encryption features
VPN
+ Provides user authentication
+ Provides encryption
- Requires software on all clients
- Funnels all traffic through the VPN gateway, defeats local switching/routing
- Dedicated expen$ive VPN gateway hardware needed at high traffic rates, and new authentication infrastructure
What about other devices? Handheld?
• EAP (Extensible Authentication Protocol)
• VPN (IPsec)
• PPP (PPTP, PPPoE)
• LEAP (Lightweight EAP) – lives in the card drivers; only one-time user/password authentication
We don't decide…
UTEID:
• Already deployed
• Could transition to VPN from UTEID easily, or run in parallel
• 802.1x would mean a flag day for any mechanism and isn't ready for deployment
…see what the industry decides
Multicast Applications
• Multicast support is in the WLAN infrastructure
• Multicast has problems when clients roam
– Router/L2 switch is unaware of the client move
– Router/switch still sends the multicast stream to the original AP
– Multicast stream is terminated when the router/L2 switch times out due to non-response to the multicast query
• No IGMP leave is sent by AP or client