Title: Chap 7
Chap 7 Configure Wireless Routers
Learning Objectives
- Describe the components and operations of basic wireless LAN topologies.
- Describe the components and operations of basic wireless LAN security.
- Configure and verify basic wireless LAN access.
- Configure and troubleshoot wireless client access.
Why Wireless?
- Mobility
- Scalability
- Flexibility
- Short- and long-term cost savings
- Installation advantages
- Reliability in harsh environments
- Reduced installation time
Basic Wireless LAN Topologies
- Wireless signals are electromagnetic waves.
- No physical medium is necessary.
- The ability of radio waves to pass through walls and cover great distances makes wireless a versatile way to build a network.
Wired Versus Wireless
- RF does not have boundaries, allowing data frames traveling over the RF media to be available to anyone that can receive the RF signal.
- RF is unprotected from outside signals, whereas cable is in an insulating sheath. Radios operating independently in the same geographic area but using the same or a similar RF can interfere with each other.
- RF transmission is subject to range limitations, as the signal is attenuated severely with distance from a transmitter. Wired LANs have cables that are of an appropriate length to maintain signal strength.
- RF bands are regulated differently in various countries. The use of WLANs is subject to additional regulations and sets of standards that are not applied to wired LANs.
Wireless LANs
- 802.11 wireless LANs extend the 802.3 Ethernet LAN infrastructures to provide additional connectivity options.
- However, additional components and protocols are used to complete wireless connections.
[Topology figure: router sub-interfaces Fa0/0.10 172.17.10.1/24 and Fa0/0.30 172.17.30.1/24; switches S1, S2 and S3 linked over Fa0/x ports; PC1 172.17.10.21/24 (VLAN 10), PC2 172.17.20.22/24 (VLAN 20), PC3 172.17.30.23/24 (VLAN 30), PC6 172.17.30.24/24 (VLAN 30)]
Wireless LAN Standards
IEEE 802.11n
- The IEEE 802.11n draft standard is intended to improve WLAN data rates and range without requiring additional power or RF band allocation.
- 802.11n uses multiple radios and antennae at endpoints, each broadcasting on the same frequency to establish multiple streams.
- The multiple input/multiple output (MIMO) technology splits a high data-rate stream into multiple lower-rate streams and broadcasts them simultaneously over the available radios and antennae.
- This allows for a theoretical maximum data rate of 248 Mb/s using two streams.
Wi-Fi
- Wi-Fi Alliance
- WECA changed its name to the Wi-Fi (Wireless Fidelity) Alliance
- 170 members
- Over 350 products certified
- Wi-Fi's Mission
- Certify interoperability of WLAN products (802.11); Wi-Fi is the stamp of approval
- Promote Wi-Fi as the global standard
Wireless Infrastructure Components
- Wireless NICs are most often associated with mobile devices, such as laptop computers. In the 1990s, wireless NICs for laptops were cards that slipped into the PCMCIA slot. PCMCIA wireless NICs are still common, but many manufacturers have begun building the wireless NIC right into the laptop.
- Desktops located in an existing, non-wired facility can have a wireless PCI NIC installed.
- To quickly set up a PC, mobile or desktop, with a wireless NIC, there are many USB options available as well.
Wireless Infrastructure Components
- An access point (AP) connects wireless clients (or stations) to the wired LAN. Client devices do not typically communicate directly with each other; they communicate with the AP.
- Access points convert the TCP/IP data packets from their 802.11 frame encapsulation format in the air to the 802.3 Ethernet frame format on the wired Ethernet network.
Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
- Access points oversee a distributed coordination function (DCF) called Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA).
- Devices on a WLAN must sense the medium for energy and wait until the medium is free before sending. Because all devices are required to do this, the function of coordinating access to the medium is distributed.
- If an access point receives data from a client station, it sends an acknowledgement to the client that the data has been received. This acknowledgement keeps the client from assuming that a collision occurred and prevents a data retransmission by the client.
Hidden Nodes
- PC1 and PC2 can reach the AP
- PC1 and PC2 cannot reach each other
- PC1 doesn't detect PC2 activity
- PC1 transmits at the same time as PC2
- A collision occurs
- If two clients can connect to an access point, but not each other due to their distance from each other, neither of those stations senses the other on the medium, and they may end up transmitting simultaneously.
- This is known as the hidden node (or station) problem.
Shared Service Set Identifier (SSID)
- A unique identifier that clients use to distinguish between multiple WLANs in the same vicinity.
- Can be any alphanumeric, case-sensitive entry from 2 to 32 characters long.
- Several access points on a network can share an SSID.
Frequency Selection
- Best practice for WLANs that require multiple access points is to use non-overlapping channels.
- If there are three adjacent access points, use channels 1, 6, and 11.
- If there are just two, select any two that are 5 channels apart, such as channels 5 and 10.
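The channel rule above can be checked mechanically. The following is an added example, not code from the lecture or from any vendor tool; it assumes the 11-channel 2.4 GHz plan (channels 1 to 11, which varies by country) and encodes the slide's rule that adjacent access points need channels at least 5 apart, with 1/6/11 as the plan for three APs:

```python
# Added example (not from the lecture slides): checks a 2.4 GHz channel plan
# against the slide's rule that access points with overlapping coverage need
# channels at least 5 apart (1, 6 and 11 for three APs).
# CHANNELS is an assumption: the 11-channel plan; availability varies by country.

CHANNELS = range(1, 12)            # assumed regulatory domain: channels 1-11
MIN_SEPARATION = 5                 # channels this far apart do not overlap (slide rule)
RECOMMENDED_THREE_AP_PLAN = (1, 6, 11)


def channels_overlap(a: int, b: int) -> bool:
    """Two 2.4 GHz channels overlap unless they are at least 5 channels apart."""
    return abs(a - b) < MIN_SEPARATION


def find_conflicts(plan: dict) -> list:
    """Return (ap1, ap2) pairs whose channels overlap.

    `plan` maps an AP name to its channel, e.g. {"AP1": 1, "AP2": 6}.
    Every AP is assumed to be adjacent to every other AP in the plan.
    """
    for name, channel in plan.items():
        if channel not in CHANNELS:
            raise ValueError(f"{name}: channel {channel} is outside the assumed plan")
    names = sorted(plan)
    conflicts = []
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if channels_overlap(plan[first], plan[second]):
                conflicts.append((first, second))
    return conflicts


def suggest_plan(ap_names: list) -> dict:
    """Assign non-overlapping channels to up to three adjacent APs.

    Uses the 1/6/11 plan from the slide. With more than three adjacent APs no
    fully non-overlapping assignment exists in channels 1-11, so the plan is
    reused round-robin and the caller should re-check with find_conflicts().
    """
    return {name: RECOMMENDED_THREE_AP_PLAN[i % 3] for i, name in enumerate(ap_names)}


if __name__ == "__main__":
    # Constructed sample plan with one bad choice: AP2 and AP3 are only 3 apart.
    sample = {"AP1": 1, "AP2": 6, "AP3": 9}
    for a, b in find_conflicts(sample):
        print(f"{a} (ch {sample[a]}) overlaps {b} (ch {sample[b]})")
    print("suggested:", suggest_plan(["AP1", "AP2", "AP3"]))
```

Run it as a script to see the conflict report for the constructed three-AP plan; `find_conflicts` is the check to run against any real site survey before committing channel numbers to the access points.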
802.11 Wireless LAN Topologies
Ad hoc
- The IEEE 802.11 standard refers to an ad hoc network as an Independent Basic Service Set (IBSS).
802.11 Wireless LAN Topologies
Basic Service Set (BSS)
- The coverage area for both an IBSS and a BSS is the Basic Service Area (BSA).
[Topology figure: router sub-interfaces Fa0/0.10 172.17.10.1/24 and Fa0/0.30 172.17.30.1/24; switches S1, S2 and S3 linked over Fa0/x ports; PC1 172.17.10.21/24 (VLAN 10), PC2 172.17.20.22/24 (VLAN 20), PC3 172.17.30.23/24 (VLAN 30)]
802.11 Wireless LAN Topologies
Extended Service Set (ESS)
- An ESS generally includes a common SSID to allow a user to roam from access point to access point.
[Topology figure: router sub-interfaces Fa0/0.10 172.17.10.1/24 and Fa0/0.30 172.17.30.1/24; switches S1, S2 and S3 linked over Fa0/x ports; PC1 172.17.10.21/24 (VLAN 10), PC2 172.17.20.22/24 (VLAN 20), PC3 172.17.30.23/24 (VLAN 30), PC6 172.17.30.24/24 (VLAN 30)]
Client / AP Association
- A key part of the 802.11 process is discovering a WLAN and subsequently connecting to it. The primary components of this process are:
- Beacons - Frames used by the WLAN network to advertise its presence.
- Probes - Frames used by WLAN clients to find their networks.
- Authentication - A process which is an artifact from the original 802.11 standard, but still required by the standard.
- Association - The process for establishing the data link between an access point and a WLAN client.
Client / AP Association
1. Probing
- Probe: SSID, Supported Rates
- Probe Response: SSID, Supported Rates, Security Implementation
2. Authentication
- Authentication Request: Type, Key
- Authentication Response: Type, Key, successful/unsuccessful
3. Association
- Association Request: Client MAC, AP MAC (BSSID), ESS Identifier (ESSID)
- Association Response: Successful/unsuccessful, Association ID (AID)
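The three-step exchange above, modelled with both sides' messages, as an added example that is not part of the lecture. Message field names follow the slides; the `client_mac` carried in the authentication request and the `authenticated` bookkeeping set are assumptions added so the toy access point can enforce that association only follows a successful authentication:

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example (not from the lecture): a toy model of probe, authentication
# and association. Field names follow the slides; "client_mac" in the
# authentication request and the "authenticated" set are assumptions used only
# to track state on the AP side.


@dataclass
class AccessPoint:
    ssid: str                     # ESSID advertised in probe responses
    bssid: str                    # AP MAC address
    supported_rates: tuple
    security: str                 # security implementation, e.g. "WPA2-PSK"
    auth_type: str = "open"       # 802.11 authentication type accepted
    authenticated: set = field(default_factory=set)
    associated: dict = field(default_factory=dict)   # client MAC -> AID

    # Step 1: probing. The AP answers only probes that name its SSID.
    def probe_response(self, probe: dict) -> Optional[dict]:
        if probe["ssid"] != self.ssid:
            return None
        return {"ssid": self.ssid, "supported_rates": self.supported_rates,
                "security": self.security}

    # Step 2: authentication. Open system: the type must match, no key is sent.
    def authentication_response(self, request: dict) -> dict:
        ok = request["type"] == self.auth_type
        if ok:
            self.authenticated.add(request["client_mac"])
        return {"type": request["type"], "key": None,
                "status": "successful" if ok else "unsuccessful"}

    # Step 3: association, allowed only for authenticated clients on this BSS.
    def association_response(self, request: dict) -> dict:
        mac = request["client_mac"]
        if (mac not in self.authenticated or request["bssid"] != self.bssid
                or request["essid"] != self.ssid):
            return {"status": "unsuccessful", "aid": None}
        if mac not in self.associated:
            self.associated[mac] = len(self.associated) + 1   # next free AID
        return {"status": "successful", "aid": self.associated[mac]}


def join(ap: AccessPoint, client_mac: str, target_ssid: str,
         client_rates: tuple) -> Optional[int]:
    """Client side of the exchange; returns the AID on success, else None."""
    resp = ap.probe_response({"ssid": target_ssid, "supported_rates": client_rates})
    if resp is None:
        return None                                   # no such WLAN in range
    auth = ap.authentication_response(
        {"type": "open", "key": None, "client_mac": client_mac})
    if auth["status"] != "successful":
        return None
    assoc = ap.association_response(
        {"client_mac": client_mac, "bssid": ap.bssid, "essid": resp["ssid"]})
    return assoc["aid"]


if __name__ == "__main__":
    # Constructed BSS and clients.
    ap = AccessPoint("LabWLAN", "00:11:22:33:44:55", (6, 12, 24), "WPA2-PSK")
    print("PC1 AID:", join(ap, "aa:bb:cc:00:00:01", "LabWLAN", (6, 12)))
    print("PC2 AID:", join(ap, "aa:bb:cc:00:00:02", "LabWLAN", (6,)))
    print("wrong SSID:", join(ap, "aa:bb:cc:00:00:03", "labwlan", (6,)))
```

The lower-case SSID in the last call fails at the probe step, which is the case-sensitivity rule from the SSID slide; an association request from a station that skipped authentication is refused at step 3.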
WLAN Planning
- Position access points above obstructions.
- Position access points vertically near the ceiling in the center of each coverage area, if possible.
- Position access points in locations where users are expected to be. For example, conference rooms are typically a better location for access points than a hallway.
Wireless Security Issues
Unauthorised Access
- War driving - driving around a neighborhood with a laptop and an 802.11b/g client card looking for an unsecured 802.11b/g system to exploit.
- Hacker/Cracker - malicious intruders who enter systems as criminals and steal data or deliberately harm systems.
- Rogue Access Point - installed by employees without authorisation. Employees install access points intended for home use on the enterprise network. These APs typically do not have the necessary security configuration, so the network ends up with a security hole.
Wireless Security Issues
Man-In-The-Middle Attack
- A hacker selects a station as a target and uses packet sniffing software, such as Wireshark, to observe the client station connecting to an access point. The hacker might be able to read and copy the target username, server name, client and server IP address, the ID used to compute the response, and the challenge and associated response, which is passed in clear text between station and access point.
- If an attacker is able to compromise an access point, the attacker can potentially compromise all users in the BSS. The attacker can monitor an entire wireless network segment and wreak havoc on any users connected to it.
Wireless Security Issues
Denial of Service
- A hacker using a PC as an access point can flood the BSS with clear-to-send (CTS) messages, which defeat the CSMA/CA function used by the stations. The access points, in turn, flood the BSS with simultaneous traffic, causing a constant stream of collisions.
- Another DoS attack that can be launched in a BSS is when an attacker sends a series of disassociate commands that cause all stations in the BSS to disconnect. When the stations are disconnected, they immediately try to reassociate, which creates a burst of traffic. The attacker sends another disassociate command and the cycle repeats itself.
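Both patterns on this slide are visible to a monitoring station as a burst of one frame type from one source, so they can be detected with a per-source rate check. The following is an added example, not from the lecture or any product: the window and threshold are assumed values to tune per site, and the frame summary it runs over is constructed:

```python
from collections import defaultdict, deque

# Added example, not from the lecture: a rate-based detector for the two
# flooding patterns on the slide (CTS floods and repeated disassociation),
# run over a constructed frame summary. WINDOW_SECONDS and THRESHOLD are
# assumed values; a real deployment would feed frames in from a wireless IDS
# or a monitor-mode capture.

WINDOW_SECONDS = 2.0
THRESHOLD = 5                      # more than this many frames per window is a flood
WATCHED_TYPES = {"disassoc", "deauth", "cts"}


def detect_floods(frames, window=WINDOW_SECONDS, threshold=THRESHOLD) -> dict:
    """Return {(source_mac, frame_type): peak_count} for each detected flood.

    `frames` is an iterable of (timestamp_seconds, frame_type, source_mac).
    Only the management/control types in WATCHED_TYPES are counted, each
    (source, type) pair in its own sliding window, so a single legitimate
    disassociation from the AP never trips the check.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, ftype, src in sorted(frames):
        if ftype not in WATCHED_TYPES:
            continue
        key = (src, ftype)
        window_frames = recent[key]
        window_frames.append(ts)
        while window_frames and ts - window_frames[0] > window:
            window_frames.popleft()               # drop frames older than the window
        if len(window_frames) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(window_frames))
    return alerts


# Constructed sample: normal traffic, one legitimate disassociation from the
# AP, then a burst of disassociation frames from one source and a CTS burst
# from another.
AP_MAC = "00:11:22:33:44:55"
SAMPLE_FRAMES = (
    [(0.0, "data", "aa:bb:cc:00:00:01"),
     (0.5, "disassoc", AP_MAC),
     (1.0, "data", "aa:bb:cc:00:00:02")]
    + [(10.0 + 0.1 * i, "disassoc", "de:ad:be:ef:00:01") for i in range(8)]
    + [(20.0 + 0.05 * i, "cts", "ca:fe:00:00:00:01") for i in range(12)]
)

if __name__ == "__main__":
    for (src, ftype), count in detect_floods(SAMPLE_FRAMES).items():
        print(f"flood: {count} {ftype} frames from {src} within {WINDOW_SECONDS}s")
```

The detector reports the peak count per (source, type) pair rather than every frame, which keeps the alert volume down during a sustained flood; the source address it reports is the one the frames claim, so treat it as a lead for locating the transmitter, not as proof of which device sent them.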
Wireless Security Protocols
- Today, the standard that should be followed in most enterprise networks is the 802.11i standard. This is similar to the Wi-Fi Alliance WPA2 standard.
- For enterprises, WPA2 includes a connection to a Remote Authentication Dial In User Service (RADIUS) database.
Extensible Authentication Protocol (EAP)
[Figure: Client, Access Point, AAA Server]
- If stricter security is required, network login can be enforced prior to granting clients access to the WLAN.
- This login process is managed by the Extensible Authentication Protocol (EAP).
- IEEE developed the 802.11i standard for WLAN authentication and authorisation to use IEEE 802.1X.
Extensible Authentication Protocol (EAP)
[Figure: Client, Access Point, AAA Server]
- The 802.11 association process creates a virtual port for each WLAN client at the access point, but blocks all data frames, except for 802.1X-based traffic.
- The 802.1X frames carry the EAP authentication packets via the access point to a server that maintains authentication credentials. This server is an Authentication, Authorization, and Accounting (AAA) server running a RADIUS protocol.
- If the EAP authentication is successful, the AAA server sends an EAP success message to the access point, which then allows data traffic from the WLAN client to pass through the virtual port.
- Before opening the virtual port, data link encryption between the WLAN client and the access point is established to ensure that no other WLAN client can access the port that has been established for a given authenticated client.
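The virtual-port behaviour described on these two slides, modelled end to end as an added example (not the lecture's code and not a real 802.1X implementation). The AAA server, its user database and the HMAC challenge/response used here in place of a real EAP method are constructed stand-ins; production deployments use an EAP method such as PEAP or EAP-TLS carried over RADIUS, which this toy does not implement:

```python
import hashlib
import hmac
import secrets

# Added example (not from the lecture): a toy model of the 802.1X controlled
# ("virtual") port. The AAAServer class, its user table, and the HMAC
# challenge/response standing in for an EAP method are all constructed
# assumptions; the link key is simulated with random bytes.


class AAAServer:
    """Holds credentials and verifies EAP responses (RADIUS server stand-in)."""

    def __init__(self, users: dict):
        self._users = users                     # identity -> shared secret (bytes)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, identity: str, challenge: bytes, response: bytes) -> bool:
        secret = self._users.get(identity)
        if secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def eap_response(secret: bytes, challenge: bytes) -> bytes:
    """Client side of the constructed challenge/response method."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class AccessPoint:
    def __init__(self, aaa: AAAServer):
        self.aaa = aaa
        self.ports = {}                         # client MAC -> virtual port state

    def associate(self, mac: str) -> None:
        # 802.11 association creates the port but leaves it blocked for data.
        self.ports[mac] = {"open": False, "link_key": None, "challenge": None}

    def eap_start(self, mac: str) -> bytes:
        """Relay a fresh challenge from the AAA server to the client."""
        port = self.ports[mac]
        port["challenge"] = self.aaa.challenge()
        return port["challenge"]

    def eap_finish(self, mac: str, identity: str, response: bytes) -> bool:
        """Relay the response to AAA; on EAP success, key and open the port."""
        port = self.ports[mac]
        if port["challenge"] is None:
            return False
        if not self.aaa.verify(identity, port["challenge"], response):
            return False                        # port stays blocked
        port["challenge"] = None                # challenge is single-use
        port["link_key"] = secrets.token_bytes(16)   # simulated per-client link key
        port["open"] = True                     # established before the port opens
        return True

    def handle_frame(self, mac: str, kind: str) -> str:
        """Decide what the controlled port does with a frame from `mac`."""
        port = self.ports.get(mac)
        if port is None:
            return "dropped: not associated"
        if kind == "eapol":
            return "forwarded to AAA"           # 802.1X traffic always passes
        return "forwarded" if port["open"] else "dropped: port blocked"


if __name__ == "__main__":
    aaa = AAAServer({"alice": b"constructed-secret"})   # constructed user table
    ap = AccessPoint(aaa)
    ap.associate("aa:bb:cc:00:00:01")
    print("before EAP:", ap.handle_frame("aa:bb:cc:00:00:01", "data"))
    ch = ap.eap_start("aa:bb:cc:00:00:01")
    ok = ap.eap_finish("aa:bb:cc:00:00:01", "alice", eap_response(b"constructed-secret", ch))
    print("EAP success:", ok)
    print("after EAP:", ap.handle_frame("aa:bb:cc:00:00:01", "data"))
```

The point to take from the model is the ordering: the port exists from association onward, only EAPOL passes until the AAA verdict, and the per-client link key is installed before `open` flips to true.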
Encryption
- Both encryption protocols, TKIP and AES, encrypt the Layer 2 payload and carry out a message integrity check (MIC) to help ensure against a message being tampered with.
- Although TKIP addresses all the known weaknesses of WEP, the AES encryption of WPA2 is the preferred method, because it brings the WLAN encryption standards into alignment with broader IT industry standards and best practices, most notably IEEE 802.11i.
Configuring the AP
- With a PC connected to the access point via a wired connection, access the web utility with a web browser: enter the WRT300N default IP address, 192.168.1.1, in the address field.
- Setup - Enter your basic network settings (IP address).
- Management - Click the Administration tab and then select the Management screen. The default password is admin. To secure the access point, change the password from its default.
- Wireless - Change the default SSID in the Basic Wireless Settings tab. Select the level of security in the Wireless Security tab and complete the options for the selected security mode.
Wireless Settings
- Network Mode
- If Wireless-N, Wireless-G, and 802.11b devices are in the network, keep Mixed, the default setting.
- If only Wireless-G and 802.11b devices are in the network, select BG-Mixed.
- If only Wireless-N devices are in the network, select Wireless-N Only.
- If only Wireless-G devices are in the network, select Wireless-G Only.
- If only Wireless-B devices are in the network, select Wireless-B Only.
- To disable wireless networking, select Disable.
Wireless Settings
- Network Name (SSID)
- The SSID must be identical for all devices in the wireless network. It is case-sensitive and must not exceed 32 characters (use any of the characters on the keyboard). For added security, change the default SSID (linksys) to a unique name.
- SSID Broadcast - When wireless clients survey the local area for wireless networks to associate with, they detect the SSID broadcast by the access point.
- To broadcast the SSID, keep Enabled, the default setting; to turn off the broadcast, select Disabled.
Security Settings
- Security Mode - Select the mode you want to use: PSK-Personal, PSK2-Personal, PSK-Enterprise, PSK2-Enterprise, RADIUS, or WEP.
- Mode Parameters - Each of the PSK and PSK2 modes has configurable parameters. The PSK2-Enterprise security mode requires a RADIUS server attached to the access point; you need to provide the RADIUS server IP address and port number (normally 1812).
- Encryption - Select the algorithm required, AES or TKIP. (AES is a stronger encryption method than TKIP.)
- Pre-shared Key - Enter the key shared by the router and other network devices. It must have 8 to 63 characters.
- Key Renewal - Enter the key renewal period, which tells the router how often it should change encryption keys.
Security Settings
- There are seven wireless security modes supported by the WRT300N, listed here in the order seen in the GUI, from weakest to strongest:
- WEP
- PSK-Personal, or WPA-Personal in v0.93.9 firmware or older
- PSK2-Personal, or WPA2-Personal in v0.93.9 firmware or older
- PSK-Enterprise, or WPA-Enterprise in v0.93.9 firmware or older
- PSK2-Enterprise, or WPA2-Enterprise in v0.93.9 firmware or older
- RADIUS
- Disabled (no encryption)
"Personal" in a security mode indicates that no AAA server is used. "Enterprise" in the security mode name means an AAA server and EAP authentication are used.
Configuring a Wireless NIC
- Verify that the wireless client has successfully connected to the correct wireless network, as there may be many WLANs available with which to connect.
- PCs running Microsoft Windows XP have a built-in wireless networks monitor and client utility.
Configuring a Wireless NIC
- Select the preferred authentication method - WPA2 and PSK2 are preferred because of their strength.
- Select the data encryption method - AES is a stronger cipher than TKIP, but ensure the choice matches the AP configuration.
- After selecting the encryption method, enter and confirm the Network key; ensure that it matches the key set in the AP.
Troubleshooting in a WLAN
1. Check the client IP address, SSID, encryption type, encryption key, and RF channel.
2. Poor performance: check the range from the AP, other RF transmitters in the locality, and overlapping RF channels in an ESS.
3. Check the AP: ping a wired interface, access the web-based GUI, and check all parameters.
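The Security Settings slides and troubleshooting step 1 both come down to comparing settings against a short list of rules, which can be scripted. The following is an added example, not code from the lecture or from the WRT300N firmware: it encodes the rules stated on the slides (SSID 2 to 32 characters and case-sensitive, pre-shared key 8 to 63 characters, AES or TKIP encryption, Enterprise modes needing a RADIUS server, factory default SSID "linksys" and management password "admin") and then diffs a client profile against the AP configuration. The dictionary keys are an assumed representation, not the router's own configuration format:

```python
# Added example, not from the lecture or the WRT300N firmware. Encodes the
# rules from the Security Settings slides and the first troubleshooting step.
# The dict keys ("ssid", "security_mode", ...) are an assumed representation.

SECURITY_MODES = ("Disabled", "WEP", "PSK-Personal", "PSK2-Personal",
                  "PSK-Enterprise", "PSK2-Enterprise", "RADIUS")
PSK_MODES = ("PSK-Personal", "PSK2-Personal")
ENTERPRISE_MODES = ("PSK-Enterprise", "PSK2-Enterprise", "RADIUS")
ENCRYPTION = ("AES", "TKIP")
DEFAULT_RADIUS_PORT = 1812          # "normally 1812" on the slide
CLIENT_MATCH_FIELDS = ("ssid", "security_mode", "encryption", "psk", "channel")


def validate_ap_settings(cfg: dict) -> list:
    """Return a list of problems with an AP configuration (empty means OK)."""
    problems = []
    ssid = cfg.get("ssid", "")
    if not 2 <= len(ssid) <= 32:
        problems.append("SSID must be 2 to 32 characters")
    if ssid == "linksys":
        problems.append("SSID is the factory default; change it to a unique name")
    if cfg.get("admin_password") == "admin":
        problems.append("management password is still the default")

    mode = cfg.get("security_mode")
    if mode not in SECURITY_MODES:
        problems.append(f"unknown security mode {mode!r}")
    elif mode in ("Disabled", "WEP"):
        problems.append(f"{mode} is among the weakest modes; prefer a PSK2 mode")
    if mode in PSK_MODES or mode in ("PSK-Enterprise", "PSK2-Enterprise"):
        if cfg.get("encryption") not in ENCRYPTION:
            problems.append("encryption must be AES or TKIP")
    if mode in PSK_MODES and not 8 <= len(cfg.get("psk", "")) <= 63:
        problems.append("pre-shared key must be 8 to 63 characters")
    if mode in ENTERPRISE_MODES and not cfg.get("radius_server"):
        problems.append("Enterprise/RADIUS modes need a RADIUS server IP address")
    return problems


def client_mismatches(ap_cfg: dict, client_profile: dict) -> list:
    """Troubleshooting step 1: the fields that differ between client and AP.

    SSID and key are compared case-sensitively, as the slides require.
    """
    return [k for k in CLIENT_MATCH_FIELDS if ap_cfg.get(k) != client_profile.get(k)]


# Constructed sample configurations.
AP_OK = {"ssid": "LabWLAN", "security_mode": "PSK2-Personal", "encryption": "AES",
         "psk": "correct-horse-battery", "channel": 6, "admin_password": "n0t-default"}
AP_BAD = {"ssid": "linksys", "security_mode": "PSK2-Personal", "encryption": "AES",
          "psk": "short", "channel": 6, "admin_password": "admin"}

if __name__ == "__main__":
    for name, cfg in (("AP_OK", AP_OK), ("AP_BAD", AP_BAD)):
        print(name, validate_ap_settings(cfg) or "no problems")
    client = dict(AP_OK, ssid="labwlan", encryption="TKIP")
    print("client mismatches:", client_mismatches(AP_OK, client))
```

Running the script shows the default-SSID, default-password and short-key findings for the constructed bad configuration, and reports `ssid` and `encryption` as the fields a mistyped client profile would need corrected.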
Chap 7 Configure Wireless Routers
Learning Objectives
- Describe the components and operations of basic wireless LAN topologies.
- Describe the components and operations of basic wireless LAN security.
- Configure and verify basic wireless LAN access.
- Configure and troubleshoot wireless client access.
Any Questions?
Lab Topology
Chap 7.3.2 Basic Wireless Config
[Topology figure: R1 sub-interfaces Fa0/0.10 172.17.10.1/24, Fa0/0.20 172.17.20.1/24 and Fa0/0.88 172.17.88.1/24 on Fa0/0; wireless clients WPC1, WPC2 and WPC3 addressed by DHCP; Internet 172.17.88.25; switch ports Fa0/5, Fa0/7, Fa0/11 and Fa0/18; PC1 172.17.10.21/24 (VLAN 10), PC2 172.17.20.22/24 (VLAN 20)]