Chap 7 – Configure Wireless Routers Learning Objectives


Transcript of Chap 7 – Configure Wireless Routers Learning Objectives

Page 1: Chap 7 – Configure Wireless Routers  Learning Objectives

Chapter 7

Chap 7 – Configure Wireless Routers

Learning Objectives

•Describe the components and operations of basic wireless LAN topologies.

•Describe the components and operations of basic wireless LAN security.

• Configure and verify basic wireless LAN access.

• Configure and troubleshoot wireless client access.

Page 2: Why Wireless?

•Mobility

•Scalability

•Flexibility

•Short & long term cost savings

•Installation advantages

•Reliability in harsh environments

•Reduced installation time

Page 3: Basic Wireless LAN Topologies

• Wireless signals are electromagnetic waves.

• No physical medium is necessary.

• The ability of radio waves to pass through walls and cover great distances makes wireless a versatile way to build a network.

Page 4: Wired Versus Wireless

•RF does not have boundaries, allowing data frames traveling over the RF media to be available to anyone that can receive the RF signal.

•RF is unprotected from outside signals, whereas cable is in an insulating sheath. Radios operating independently in the same geographic area but using the same or a similar RF can interfere with each other.

•RF transmission is subject to range limitations, as the signal is attenuated severely with distance from a transmitter. Wired LANs have cables that are of an appropriate length to maintain signal strength.

•RF bands are regulated differently in various countries. The use of WLANs is subject to additional regulations and sets of standards that are not applied to wired LANs.

Page 5: Wireless LANs

[Diagram: wired campus topology used throughout the chapter. PC1 172.17.10.21/24 (VLAN 10), PC2 172.17.20.22/24 (VLAN 20), PC3 172.17.30.23/24 (VLAN 30) and PC6 172.17.30.24/24 (VLAN 30) attached to switches S1, S2 and S3; R1 sub-interfaces Fa0/0.10 172.17.10.1/24 and Fa0/0.30 172.17.30.1/24.]

•802.11 wireless LANs extend the 802.3 Ethernet LAN infrastructures to provide additional connectivity options.

• However, additional components and protocols are used to complete wireless connections.

Page 6: Wireless LAN Standards

Page 7: IEEE 802.11n

• The IEEE 802.11n draft standard is intended to improve WLAN data rates and range without requiring additional power or RF band allocation.

• 802.11n uses multiple radios and antennae at endpoints, each broadcasting on the same frequency to establish multiple streams.

• The multiple input/multiple output (MIMO) technology splits a high data-rate stream into multiple lower rate streams and broadcasts them simultaneously over the available radios and antennae.

• This allows for a theoretical maximum data rate of 248 Mb/s using two streams.

Page 8: Wi-Fi™

Wi-Fi™ Alliance:

• WECA changed its name to Wi-Fi

• Wireless Fidelity Alliance

• 170+ members

• Over 350 products certified

Wi-Fi’s™ Mission

• Certify interoperability of WLAN products (802.11)

• Wi-Fi™ is the “stamp of approval”

• Promote Wi-Fi™ as the global standard

Page 9: Wireless Infrastructure Components

• Wireless NICs are most often associated with mobile devices, such as laptop computers. In the 1990s, wireless NICs for laptops were cards that slipped into the PCMCIA slot. PCMCIA wireless NICs are still common, but many manufacturers have begun building the wireless NIC right into the laptop.

•Desktops located in an existing, non-wired facility can have a wireless PCI NIC installed.

•To quickly set up a PC, mobile or desktop, with a wireless NIC, there are many USB options available as well.

Page 10: Wireless Infrastructure Components

•An access point (AP) connects wireless clients (or stations) to the wired LAN. Client devices do not typically communicate directly with each other; they communicate with the AP.

•Access points convert the TCP/IP data packets from their 802.11 frame encapsulation format in the air to the 802.3 Ethernet frame format on the wired Ethernet network.

Page 11: Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)

• Access points oversee a distributed coordination function (DCF) called Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA).

• Devices on a WLAN must sense the medium for energy and wait until the medium is free before sending. Because all devices are required to do this, the function of coordinating access to the medium is distributed.

• If an access point receives data from a client station, it sends an acknowledgement to the client that the data has been received. This acknowledgement keeps the client from assuming that a collision occurred and prevents a data retransmission by the client.

Page 12: Hidden Nodes

• If two clients can connect to an access point, but not to each other because of the distance between them, neither station senses the other on the medium, and they may end up transmitting simultaneously.

•This is known as the hidden node (or station) problem.

•PC1 and PC2 can reach AP

•PC1 and PC2 cannot reach each other

• PC1 doesn’t detect PC2 activity

•PC1 transmits at the same time as PC2

•A collision occurs

Page 13: Shared Service Set Identifier (SSID)

• A unique identifier that clients use to distinguish between multiple WLANs in the same vicinity.

• Can be any alphanumeric, case-sensitive entry from 2 to 32 characters long.

• Several access points on a network can share an SSID.

Page 14: Frequency Selection

• Best practice for WLANs that require multiple access points is to use non-overlapping channels.

• If there are three adjacent access points, use channels 1, 6, and 11.

• If there are just two, select any two that are 5 channels apart, such as channels 5 and 10.
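The channel rule on this slide can be checked mechanically. The following is an added example, not code from the slides: it computes 2.4 GHz channel centre frequencies (5 MHz apart, 22 MHz wide for 802.11b), reports which adjacent access points in a plan overlap, and hands out 1/6/11 in turn. The AP names and the `plan` dictionary layout are assumptions of the example; reusing channels for a fourth adjacent AP goes beyond the slide and is reported as an overlap rather than hidden.

```python
from __future__ import annotations
from itertools import combinations

CHANNEL_STEP_MHZ = 5          # 2.4 GHz channels 1-13 are spaced 5 MHz apart
CHANNEL_WIDTH_MHZ = 22        # width of an 802.11b DSSS channel
NON_OVERLAPPING = (1, 6, 11)  # the three-AP plan recommended on the slide


def center_frequency_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel; channel 14 is the odd one out."""
    if channel == 14:
        return 2484
    if not 1 <= channel <= 13:
        raise ValueError(f"channel {channel} is not a 2.4 GHz channel")
    return 2407 + CHANNEL_STEP_MHZ * channel


def channels_overlap(a: int, b: int) -> bool:
    """True when the two channels' bands share spectrum, i.e. their centres are
    less than one channel width apart. Five channel numbers (25 MHz) is clear."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < CHANNEL_WIDTH_MHZ


def overlapping_pairs(plan: dict[str, int]) -> list[tuple[str, str]]:
    """Pairs of APs whose channels overlap. `plan` maps an AP name to its channel;
    every AP in the plan is assumed to be within range of the others."""
    return [(x, y) for (x, cx), (y, cy) in combinations(plan.items(), 2)
            if channels_overlap(cx, cy)]


def suggest_plan(ap_names: list[str]) -> dict[str, int]:
    """Assign 1, 6, 11 in turn. With more than three adjacent APs a channel must be
    reused; overlapping_pairs() on the result shows which APs then collide."""
    return {name: NON_OVERLAPPING[i % len(NON_OVERLAPPING)]
            for i, name in enumerate(ap_names)}


if __name__ == "__main__":
    # Constructed sample plan: the middle AP was left on channel 3 and overlaps channel 1.
    plan = {"AP-east": 1, "AP-middle": 3, "AP-west": 11}
    print("overlapping pairs:", overlapping_pairs(plan))
    print("suggested plan:   ", suggest_plan(list(plan)))
```

The overlap test is the general form of the "5 channels apart" rule: channels 1 and 6 are 25 MHz apart and clear, channels 1 and 5 are only 20 MHz apart and overlap.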

Page 15: 802.11 Wireless LAN Topologies

[Diagram: ad hoc network of two PCs, PC1 172.17.20.22/24 and PC2 172.17.20.23/24.]

Ad hoc

• The IEEE 802.11 standard refers to an ad hoc network as an Independent Basic Service Set (IBSS).

Page 16: 802.11 Wireless LAN Topologies

[Diagram: the wired topology from page 5 (switches S1, S2, S3; PC1 172.17.10.21/24 VLAN 10, PC2 172.17.20.22/24 VLAN 20, PC3 172.17.30.23/24 VLAN 30; R1 sub-interfaces Fa0/0.10 172.17.10.1/24 and Fa0/0.30 172.17.30.1/24), illustrating a Basic Service Set.]

Basic Service Set (BSS)

•The coverage area for both an IBSS and a BSS is the Basic Service Area (BSA)

Page 17: 802.11 Wireless LAN Topologies

[Diagram: the wired topology from page 5 (switches S1, S2, S3; PC1 172.17.10.21/24 VLAN 10, PC2 172.17.20.22/24 VLAN 20, PC3 172.17.30.23/24 VLAN 30, PC6 172.17.30.24/24 VLAN 30; R1 sub-interfaces Fa0/0.10 172.17.10.1/24 and Fa0/0.30 172.17.30.1/24), illustrating an Extended Service Set.]

Extended Service Set (ESS)

•An ESS generally includes a common SSID to allow a user to roam from access point to access point

Page 18: Client / AP Association

A key part of the 802.11 process is discovering a WLAN and subsequently connecting to it. The primary components of this process are:

• Beacons - Frames used by the WLAN network to advertise its presence.

• Probes - Frames used by WLAN clients to find their networks.

• Authentication - A process which is an artifact from the original 802.11 standard, but still required by the standard.

• Association - The process for establishing the data link between an access point and a WLAN client.

Page 19: Client / AP Association

[Sequence diagram: messages exchanged between the client and the access point.]

1. Probing

• Probe: SSID + Supported Rates

• Probe Response: SSID + Supported Rates + Security Implementation

2. Authentication

• Authentication Request: Type + Key

• Authentication Response: Type + Key + successful/unsuccessful

Page 20: Client / AP Association

3. Association

• Association Request: Client MAC + AP MAC (BSSID) + ESS Identifier (ESSID)

• Association Response: Successful/unsuccessful + Association ID (AID)
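The three exchanges on pages 19 and 20 as a small two-party model. This is an added example and not code from the slides: the message field names follow the slide labels, while the `AccessPoint` and `Client` classes, the `join()` driver and the status strings are assumptions of the example. It follows the slides' simplified picture in which the key is checked at the authentication step; in a real WPA2 network the 802.11 authentication is "open" and the pre-shared key is proven in the 4-way handshake that runs after association.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class AccessPoint:
    ssid: str
    bssid: str                 # the AP's MAC address
    rates: set                 # supported data rates in Mb/s
    security: str              # the "Security Implementation" advertised in the probe response
    key: str = ""              # key checked at the authentication step (empty = open network)
    associated: dict = field(default_factory=dict)   # client MAC -> Association ID (AID)
    next_aid: int = 1

    # 1. Probing: answer only a probe for our SSID (an empty SSID is a wildcard probe)
    def probe_response(self, req: dict) -> dict | None:
        if req["ssid"] not in ("", self.ssid):
            return None
        return {"ssid": self.ssid, "bssid": self.bssid,
                "rates": self.rates, "security": self.security}

    # 2. Authentication: the request carries a Type and a Key, the response a status
    def auth_response(self, req: dict) -> dict:
        ok = req["key"] == self.key
        return {"type": req["type"], "status": "successful" if ok else "unsuccessful"}

    # 3. Association: request names Client MAC + AP MAC (BSSID) + ESSID; the response carries an AID
    def assoc_response(self, req: dict) -> dict:
        if req["bssid"] != self.bssid or req["essid"] != self.ssid:
            return {"status": "unsuccessful", "aid": None}
        if req["client_mac"] not in self.associated:
            self.associated[req["client_mac"]] = self.next_aid
            self.next_aid += 1
        return {"status": "successful", "aid": self.associated[req["client_mac"]]}


@dataclass
class Client:
    mac: str
    ssid: str
    rates: set
    key: str = ""


def join(client: Client, ap: AccessPoint) -> dict:
    """Run probing, authentication and association in order, stopping at the
    first failure. Returns the AP's replies and the final result."""
    steps = []
    probe = ap.probe_response({"ssid": client.ssid, "rates": client.rates})
    steps.append(("probe", probe))
    if probe is None:
        return {"steps": steps, "result": "no probe response"}
    if not client.rates & probe["rates"]:
        return {"steps": steps, "result": "no common data rate"}

    auth = ap.auth_response({"type": "shared" if client.key else "open", "key": client.key})
    steps.append(("authentication", auth))
    if auth["status"] != "successful":
        return {"steps": steps, "result": "authentication failed"}

    assoc = ap.assoc_response({"client_mac": client.mac, "bssid": probe["bssid"],
                               "essid": client.ssid})
    steps.append(("association", assoc))
    if assoc["status"] != "successful":
        return {"steps": steps, "result": "association failed"}
    return {"steps": steps, "result": "associated", "aid": assoc["aid"]}


if __name__ == "__main__":
    # Constructed sample: one good client, one with the wrong key, one with the SSID in the wrong case.
    ap = AccessPoint("Lab7", "00:11:22:33:44:55", {1, 2, 11, 54}, "WPA2-PSK (AES)", key="correct-horse")
    for c in (Client("aa:bb:cc:00:00:01", "Lab7", {11, 54}, "correct-horse"),
              Client("aa:bb:cc:00:00:02", "Lab7", {11, 54}, "wrong-key"),
              Client("aa:bb:cc:00:00:03", "lab7", {11, 54}, "correct-horse")):
        print(c.mac, "->", join(c, ap)["result"])
```

The third client never gets a probe response because the SSID comparison is case-sensitive, which is the first thing to check when a client cannot see a network it should.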

Page 21: WLAN Planning

• Position access points above obstructions.

• Position access points vertically near the ceiling in the center of each coverage area, if possible.

• Position access points in locations where users are expected to be. For example, conference rooms are typically a better location for access points than a hallway.

Page 22: Wireless Security Issues

Unauthorised Access

• War driving - driving around a neighborhood with a laptop and an 802.11b/g client card looking for an unsecured 802.11b/g system to exploit.

• Hacker/Cracker - malicious intruders who enter systems as criminals and steal data or deliberately harm systems.

• Rogue Access Point - installed by employees without authorisation. Employees install access points intended for home use on the enterprise network. These APs typically do not have the necessary security configuration, so the network ends up with a security hole.

Page 23: Wireless Security Issues

Man-In-The-Middle Attack

•A hacker selects a station as a target and uses packet sniffing software, such as Wireshark, to observe the client station connecting to an access point. The hacker might be able to read and copy the target username, server name, client and server IP address, the ID used to compute the response, and the challenge and associate response, which is passed in clear text between station and access point.

•If an attacker is able to compromise an access point, the attacker can potentially compromise all users in the BSS. The attacker can monitor an entire wireless network segment and wreak havoc on any users connected to it.

Page 24: Wireless Security Issues

Denial of Service

• A hacker using a PC as an access point can flood the BSS with clear-to-send (CTS) messages, which defeat the CSMA/CA function used by the stations. The access points, in turn, flood the BSS with simultaneous traffic, causing a constant stream of collisions.

•Another DoS attack that can be launched in a BSS is when an attacker sends a series of disassociate commands that cause all stations in the BSS to disconnect. When the stations are disconnected, they immediately try to reassociate, which creates a burst of traffic. The attacker sends another disassociate command and the cycle repeats itself.
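The disassociate-and-reassociate cycle described above is visible to anyone watching management frames, so it can be detected. The following added example (not from the slides) runs a sliding-window counter over constructed monitor-mode log lines and raises one alert per BSSID when the rate of disassociate frames crosses a threshold; it also counts disassociates addressed to the broadcast address, which is worth flagging because an access point normally addresses a disassociate to the one client concerned. The log format, the MAC addresses and the thresholds are all assumptions of the example.

```python
from __future__ import annotations
from collections import defaultdict, deque
import re

# Constructed monitor-mode log: "<seconds> <frame type> bssid=<AP MAC> dst=<destination MAC>".
# The first BSSID receives a burst of broadcast disassociate frames; the second sees a single
# disassociate for one client, which is ordinary behaviour.
SAMPLE_LOG = """\
0.00 beacon bssid=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
0.10 disassoc bssid=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
0.12 disassoc bssid=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
0.15 disassoc bssid=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
0.20 disassoc bssid=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
0.22 disassoc bssid=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
0.25 disassoc bssid=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
0.30 beacon bssid=66:77:88:99:aa:bb dst=ff:ff:ff:ff:ff:ff
0.40 disassoc bssid=66:77:88:99:aa:bb dst=aa:bb:cc:00:00:09
3.00 disassoc bssid=00:11:22:33:44:55 dst=aa:bb:cc:00:00:01
"""

LINE = re.compile(r"^(?P<t>\d+\.\d+) (?P<type>\w+) bssid=(?P<bssid>[0-9a-f:]{17}) dst=(?P<dst>[0-9a-f:]{17})$")
BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse(log: str) -> list[dict]:
    """Turn log lines into frame records; malformed lines are skipped."""
    frames = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            frames.append({"t": float(m["t"]), "type": m["type"],
                           "bssid": m["bssid"], "dst": m["dst"]})
    return frames


def detect_disassoc_flood(frames: list[dict], window: float = 1.0,
                          threshold: int = 5) -> list[tuple[float, str, int]]:
    """Sliding-window count of disassociate frames per BSSID. Emits one alert per
    BSSID at the moment the count within `window` seconds first reaches `threshold`."""
    recent: dict[str, deque] = defaultdict(deque)
    alerts, alerted = [], set()
    for f in frames:
        if f["type"] != "disassoc":
            continue
        q = recent[f["bssid"]]
        q.append(f["t"])
        while q and f["t"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and f["bssid"] not in alerted:
            alerted.add(f["bssid"])
            alerts.append((f["t"], f["bssid"], len(q)))
    return alerts


def broadcast_disassocs(frames: list[dict]) -> dict[str, int]:
    """Disassociate frames addressed to every station at once, counted per BSSID."""
    counts: dict[str, int] = defaultdict(int)
    for f in frames:
        if f["type"] == "disassoc" and f["dst"] == BROADCAST:
            counts[f["bssid"]] += 1
    return dict(counts)


if __name__ == "__main__":
    frames = parse(SAMPLE_LOG)
    print("flood alerts:        ", detect_disassoc_flood(frames))
    print("broadcast disassocs: ", broadcast_disassocs(frames))
```

The single late disassociate at 3.00 s falls outside the one-second window and does not re-trigger the alert, which is the behaviour you want when a client genuinely leaves the network.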

Page 25: Wireless Security Protocols

•Today, the standard that should be followed in most enterprise networks is the 802.11i standard. This is similar to the Wi-Fi Alliance WPA2 standard.

•For enterprises, WPA2 includes a connection to a Remote Authentication Dial In User Service (RADIUS) database.

Page 26: Extensible Authentication Protocol (EAP)

• If stricter security is required, network login can be enforced prior to granting clients access to the WLAN.

• This login process is managed by the Extensible Authentication Protocol (EAP).

• IEEE developed the 802.11i standard for WLAN authentication and authorisation to use IEEE 802.1x.

[Diagram: Client, Access Point and AAA Server.]

Page 27: Extensible Authentication Protocol (EAP)

[Diagram: Client, Access Point and AAA Server.]

•The 802.11 association process creates a virtual port for each WLAN client at the access point, but blocks all data frames, except for 802.1x-based traffic.

•The 802.1x frames carry the EAP authentication packets via the access point to a server that maintains authentication credentials. This server is an Authentication, Authorization, and Accounting (AAA) server running a RADIUS protocol.

•If the EAP authentication is successful, the AAA server sends an EAP success message to the access point, which then allows data traffic from the WLAN client to pass through the virtual port.

•Before opening the virtual port, data link encryption between the WLAN client and the access point is established to ensure that no other WLAN client can access the port that has been established for a given authenticated client.
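The four bullets above describe a per-client virtual port that passes only 802.1x traffic until the AAA server says yes. The following added example (not from the slides) models exactly that gate: an `AccessPoint` that relays EAP packets to a toy `aaa_server()`, drops data frames while the port is blocked, and opens the port only after the EAP success and the link-encryption step. The credential store, the frame dictionaries and the status strings are assumptions of the example; a real AAA server runs an EAP method over RADIUS rather than comparing strings.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed credential store standing in for the AAA (RADIUS) server's database.
AAA_CREDENTIALS = {"alice": "s3cret-pass", "bob": "hunter2"}


def aaa_server(eap: dict) -> dict:
    """Toy AAA server: validates the EAP identity/credential pair and returns
    EAP success or failure."""
    ok = AAA_CREDENTIALS.get(eap["identity"]) == eap["credential"]
    return {"eap": "success" if ok else "failure", "identity": eap["identity"]}


@dataclass
class VirtualPort:
    """Created at association; data is blocked until both flags are set."""
    authorized: bool = False
    link_encrypted: bool = False


@dataclass
class AccessPoint:
    ports: dict = field(default_factory=dict)      # client MAC -> VirtualPort
    delivered: list = field(default_factory=list)  # data frames passed on to the wired LAN

    def associate(self, mac: str) -> None:
        self.ports[mac] = VirtualPort()            # starts blocked: only 802.1x traffic passes

    def receive(self, mac: str, frame: dict) -> str:
        port = self.ports.get(mac)
        if port is None:
            return "dropped: not associated"
        if frame["type"] == "eapol":               # 802.1x frames are relayed to the AAA server
            reply = aaa_server(frame["eap"])
            if reply["eap"] == "success":
                port.link_encrypted = True         # data link encryption is established first ...
                port.authorized = True             # ... and only then is the virtual port opened
            return f"eap {reply['eap']}"
        if frame["type"] == "data":
            if port.authorized and port.link_encrypted:
                self.delivered.append((mac, frame["payload"]))
                return "forwarded"
            return "dropped: port blocked (802.1x only)"
        return "dropped: unknown frame type"


if __name__ == "__main__":
    ap = AccessPoint()
    mac = "aa:bb:cc:00:00:01"
    ap.associate(mac)
    print(ap.receive(mac, {"type": "data", "payload": "GET / HTTP/1.1"}))
    print(ap.receive(mac, {"type": "eapol", "eap": {"identity": "alice", "credential": "s3cret-pass"}}))
    print(ap.receive(mac, {"type": "data", "payload": "GET / HTTP/1.1"}))
```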

Page 28: Encryption

•Although TKIP addresses all the known weaknesses of WEP, the AES encryption of WPA2 is the preferred method, because it brings the WLAN encryption standards into alignment with broader IT industry standards and best practices, most notably IEEE 802.11i.

•Both protocols encrypt the Layer 2 payload, and carry out a message integrity check (MIC) to help ensure against a message being tampered with.

Page 29: Configuring the AP

• With a PC connected to the access point via a wired connection, access the web utility with a web browser - enter the WRT300N default IP address, 192.168.1.1, in the address field.

• Setup - Enter your basic network settings (IP address).

• Management - Click the Administration tab and then select the Management screen. The default password is admin. To secure the access point, change the password from its default.

• Wireless - Change the default SSID in the Basic Wireless Settings tab. Select the level of security in the Wireless Security tab and complete the options for the selected security mode.

Page 30: Wireless Settings

Network Mode

• If Wireless-N, Wireless-G, and 802.11b devices are in the network, keep Mixed, the default setting.

• If there are only Wireless-G and 802.11b devices, select BG-Mixed.

• If there are only Wireless-N devices, select Wireless-N Only.

• If there are only Wireless-G devices, select Wireless-G Only.

• If there are only Wireless-B devices, select Wireless-B Only.

• To disable wireless networking, select Disable.

Page 31: Wireless Settings

Network Name (SSID)

• The SSID must be identical for all devices in the wireless network. It is case-sensitive and must not exceed 32 characters (use any of the characters on the keyboard). For added security, change the default SSID (linksys) to a unique name.

• SSID Broadcast - When wireless clients survey the local area for wireless networks to associate with, they detect the SSID broadcast by the access point.

• To broadcast the SSID, keep Enabled, the default setting; to turn off the broadcast, select Disabled.

Page 32: Security Settings

• Security Mode - Select the mode you want to use: PSK-Personal, PSK2-Personal, PSK-Enterprise, PSK2-Enterprise, RADIUS, or WEP.

• Mode Parameters - Each of the PSK and PSK2 modes has configurable parameters. The PSK2-Enterprise security version requires a RADIUS server attached to the access point; you need to provide the RADIUS server IP address and port number (normally 1812).

• Encryption - Select the algorithm required, AES or TKIP. (AES is a stronger encryption method than TKIP.)

• Pre-shared Key - Enter the key shared by the router and other network devices. It must have 8 to 63 characters.

• Key Renewal - Enter the key renewal period, which tells the router how often it should change encryption keys.

Page 33: Security Settings

There are seven wireless security modes supported by the WRT300N, listed here in the order seen in the GUI, from weakest to strongest:

• WEP

• PSK-Personal, or WPA-Personal in v0.93.9 firmware or older

• PSK2-Personal, or WPA2-Personal in v0.93.9 firmware or older

• PSK-Enterprise, or WPA-Enterprise in v0.93.9 firmware or older

• PSK2-Enterprise, or WPA2-Enterprise in v0.93.9 firmware or older

• RADIUS

• Disabled (no encryption)

"Personal" in a security mode indicates that no AAA server is used. "Enterprise" in the security mode name means an AAA server and EAP authentication are used.
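Pages 29 to 33 amount to a checklist for a freshly unboxed access point: change the default password, change the default SSID, pick a PSK2 mode with AES, give the pre-shared key 8 to 63 characters, and point Enterprise modes at a RADIUS server on port 1812. The following added example (not from the slides, and not the WRT300N's own configuration format) audits a configuration dictionary against that checklist and returns the findings in the order the slides configure the device. The dictionary keys and the finding texts are assumptions of the example.

```python
from __future__ import annotations

DEFAULT_ADMIN_PASSWORD = "admin"     # slide: default management password
DEFAULT_SSID = "linksys"             # slide: default SSID
RADIUS_AUTH_PORT = 1812              # slide: RADIUS port "normally 1812"
WEAK_MODES = {"Disabled", "WEP"}
WPA1_MODES = {"PSK-Personal", "PSK-Enterprise"}
PERSONAL_MODES = {"PSK-Personal", "PSK2-Personal"}
NEEDS_RADIUS = {"PSK-Enterprise", "PSK2-Enterprise", "RADIUS"}


def audit_ap(cfg: dict) -> list[str]:
    """Return findings in the slides' order: management, wireless (SSID), security."""
    findings = []

    # Management tab: the default password must be changed
    if cfg.get("admin_password", DEFAULT_ADMIN_PASSWORD) == DEFAULT_ADMIN_PASSWORD:
        findings.append("management: administrator password is still the default")

    # Basic Wireless Settings tab: unique SSID, within the length the slides give
    ssid = cfg.get("ssid", DEFAULT_SSID)
    if ssid == DEFAULT_SSID:
        findings.append("ssid: default SSID 'linksys' is still set")
    if not 2 <= len(ssid) <= 32:
        findings.append("ssid: must be 2 to 32 characters")

    # Wireless Security tab: mode, cipher and mode-specific parameters
    mode = cfg.get("security_mode", "Disabled")
    if mode in WEAK_MODES:
        findings.append(f"security: mode {mode} gives no adequate protection; use a PSK2 mode")
    elif mode in WPA1_MODES:
        findings.append(f"security: {mode} (WPA) is weaker than the PSK2 (WPA2/802.11i) modes")
    if mode.startswith("PSK") and cfg.get("encryption") != "AES":
        findings.append("encryption: AES is preferred over TKIP")
    if mode in PERSONAL_MODES and not 8 <= len(cfg.get("pre_shared_key", "")) <= 63:
        findings.append("pre-shared key: must be 8 to 63 characters")
    if mode in NEEDS_RADIUS:
        if not cfg.get("radius_server"):
            findings.append("radius: server IP address not set")
        if cfg.get("radius_port") != RADIUS_AUTH_PORT:
            findings.append(f"radius: port not set or not the usual {RADIUS_AUTH_PORT}")
    return findings


if __name__ == "__main__":
    # Constructed sample configurations: factory defaults with WEP, and a hardened PSK2 setup.
    factory = {"admin_password": "admin", "ssid": "linksys", "security_mode": "WEP"}
    hardened = {"admin_password": "N0t-the-def4ult!", "ssid": "Chapter7-Lab",
                "security_mode": "PSK2-Personal", "encryption": "AES",
                "pre_shared_key": "correct-horse-battery"}
    for name, cfg in (("factory", factory), ("hardened", hardened)):
        print(name, "->", audit_ap(cfg) or ["no findings"])
```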

Page 34: Configuring a Wireless NIC

• Verify that the wireless client has successfully connected to the correct wireless network, as there may be many WLANs available with which to connect.

•PCs running Microsoft Windows XP have a built-in wireless networks monitor and client utility.

Page 35: Configuring a Wireless NIC

Page 36: Configuring a Wireless NIC

•Select preferred authentication method - WPA2 and PSK2 are preferred because of their strength.

• Select the data encryption method - AES is a stronger cipher than TKIP, but ensure the choice matches the AP configuration.

• After selecting the encryption method, enter and confirm the network key, ensuring that it matches the key set in the AP.

Page 37: Troubleshooting in a WLAN

1. Check the client – IP address, SSID, encryption type, encryption key, RF channel.

2. Poor performance – range from AP, other RF transmitters in the locality, overlapping RF channels in an ESS.

3. Check the AP – ping a wired interface, access the web-based GUI, check all parameters.
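Step 1 of the checklist above, and the "ensure it matches the AP" notes on page 36, come down to comparing the client's profile with what the access point is actually configured with. The following added example (not from the slides) does that comparison in the slide's order: IP address (including the 169.254.x.x address a client falls back to when it gets no DHCP lease), SSID (with a hint when only the case differs), security mode and cipher, key, and channel. The dictionary layout and the sample AP and client profiles are constructed for the example.

```python
from __future__ import annotations
import ipaddress

# Constructed sample AP configuration and two client profiles (not from the slides).
AP_CONFIG = {"ssid": "Lab7", "security_mode": "PSK2", "encryption": "AES",
             "key": "correct-horse-battery", "channel": 6, "lan": "172.17.88.1/24"}
CLIENT_OK = {"ip": "172.17.88.101", "ssid": "Lab7", "security_mode": "PSK2",
             "encryption": "AES", "key": "correct-horse-battery", "channel": None}
CLIENT_BAD = {"ip": "169.254.12.7", "ssid": "lab7", "security_mode": "PSK2",
              "encryption": "TKIP", "key": "wrong-key", "channel": 11}

APIPA = ipaddress.ip_network("169.254.0.0/16")   # automatic private address range


def diagnose_client(client: dict, ap: dict) -> list[str]:
    """Compare a client profile with the AP configuration in the slide's order:
    IP address, SSID, encryption type, encryption key, RF channel."""
    problems = []

    ip = ipaddress.ip_address(client["ip"])
    if ip in APIPA:
        problems.append("ip: automatic private address, no DHCP lease obtained")
    elif ip not in ipaddress.ip_network(ap["lan"], strict=False):
        problems.append(f"ip: {ip} is not in the AP's LAN {ap['lan']}")

    if client["ssid"] != ap["ssid"]:
        hint = " (SSID is case-sensitive)" if client["ssid"].lower() == ap["ssid"].lower() else ""
        problems.append(f"ssid: client '{client['ssid']}' vs AP '{ap['ssid']}'{hint}")

    if (client["security_mode"], client["encryption"]) != (ap["security_mode"], ap["encryption"]):
        problems.append(f"encryption: client {client['security_mode']}/{client['encryption']} "
                        f"vs AP {ap['security_mode']}/{ap['encryption']}")

    if client["key"] != ap["key"]:
        problems.append("key: network key does not match the AP pre-shared key")

    # A client normally follows the AP's channel; only a fixed client channel can mismatch
    if client.get("channel") is not None and client["channel"] != ap["channel"]:
        problems.append(f"channel: client fixed on channel {client['channel']}, AP is on {ap['channel']}")
    return problems


if __name__ == "__main__":
    for name, profile in (("good client", CLIENT_OK), ("bad client", CLIENT_BAD)):
        print(name, "->", diagnose_client(profile, AP_CONFIG) or ["no mismatches"])
```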

Page 38: Chap 7 – Configure Wireless Routers

Learning Objectives

•Describe the components and operations of basic wireless LAN topologies.

•Describe the components and operations of basic wireless LAN security.

• Configure and verify basic wireless LAN access.

• Configure and troubleshoot wireless client access.

Page 39: Any Questions?

Page 40: Lab Topology

Chap 7.3.2 – Basic Wireless Config

[Diagram: lab topology. PC1 172.17.10.21/24 (VLAN 10) and PC2 172.17.20.22/24 (VLAN 20) on the wired switch (ports Fa0/5, Fa0/7, Fa0/11 and Fa0/18 are labelled); R1 Fa0/0 with sub-interfaces Fa0/0.10 172.17.10.1/24, Fa0/0.20 172.17.20.1/24 and Fa0/0.88 172.17.88.1/24; an "Internet" host at 172.17.88.25; wireless clients WPC1, WPC2 and WPC3 addressed by DHCP.]