Another wireless management approach is the use of wireless LAN Controllers.

Source: Internet
Author: User

As hybrid wired/wireless networks multiply, such composite networks become harder and harder to manage. How can we eliminate these management blind spots? This article recommends a new network architecture concept based on wireless LAN controllers.

A wireless LAN is built around wireless access points (APs). Each access point forms a cell, and a client in that cell must send and receive its data through the access point to reach the rest of the network. A traditional, autonomous access point such as a wireless router has one major defect, however: every access point is independent of the others. Even when most access points are to be configured with the same security policy, the network administrator still has to configure each one individually. This obviously increases the administrator's workload, and both the initial configuration and every later policy adjustment become troublesome.

In addition, because each access point is independent, deploying a unified security policy becomes a luxury and managing the security of the wireless network becomes nearly impossible, since each access point is responsible only for its own policy. The boundary between the wireless network and the wired network is therefore a blind spot in enterprise security: there is no central portal between the two, and so no single point at which traffic can be monitored for intrusion detection and prevention, bandwidth control, quality of service, and so on. Put simply, the wireless network and the wired network meet in a no-man's-land that nobody is responsible for, and this affects the security of the entire enterprise network.

To solve this problem at the wireless/wired boundary, Cisco proposes a unified wireless network architecture. Its central idea is to split the functions of a wireless access point across two devices: the lightweight access point and the wireless LAN controller.

1. Division of labor and cooperation, unified deployment

Cisco's solution to this problem is in fact simple. It can be summarized in eight words: "division of labor and cooperation, unified deployment". A traditional access point runs two kinds of processes: real-time processes and management processes. The real-time processes include sending and receiving 802.11 frames, AP beacons and probe responses, and data encryption; the management processes include client authentication, security management, QoS, and so on. In a traditional access point both kinds of process run on the same device, so network administrators have to configure every access point even when they all use the same configuration and security policy. This inability to configure and manage the access points centrally is the main cause of the no-man's-land between the wireless network and the wired network.

Cisco's answer is division of labor, cooperation, and unified deployment. In short, Cisco splits the wireless access point into two devices: the lightweight access point (LAP) and the wireless LAN controller (WLC). The lightweight access point is responsible only for receiving and sending 802.11 frames; all other functions are implemented by the wireless LAN controller. Because this access point has far fewer functions than a traditional wireless router, it is called lightweight, hence the name.

All other processes are implemented by the wireless LAN controller. That is, the configuration files and security policies the lightweight access points need are stored on the wireless LAN controller and shared by every access point. User authentication, security policy management, RF channel and transmit power selection, for example, no longer need to be configured and managed separately on each lightweight access point: you make the relevant configuration once on the wireless LAN controller, and it is applied automatically to every lightweight access point. This is how the "division of labor and cooperation, unified deployment" management policy is realized. With it, the vacuum between the wireless network and the wired network is eliminated, and the overall security of the enterprise network improves.

2. Mutual authentication between LAP and WLC

Because the configuration files, security policies, and client authentication of the access points all depend on the wireless LAN controller (WLC), an attacker who could forge a rogue wireless LAN controller would gain control of everything. When designing and deploying lightweight access points, therefore, the first thing to consider is how to guarantee the authenticity of the wireless LAN controller. This is the foundation of Cisco's unified wireless network architecture.

The lightweight access point and the wireless LAN controller communicate over the Lightweight Access Point Protocol (LWAPP) as their tunnel protocol. Specifically, there are two tunnels. One tunnel carries the clients' data; here LWAPP simply encapsulates the data in the LWAPP format. This data is not encrypted, but the encapsulated data is relatively safe. The other tunnel carries control information, which determines the operating mode, client authentication, and security policies of the lightweight access points. LWAPP authenticates and encrypts this control information so that the wireless LAN controller can manage and control the lightweight access points securely. In Cisco's solution, lightweight access points and wireless LAN controllers authenticate each other with digital certificates: a certificate may be installed on the device at the factory, and LWAPP uses these certificates for verification in the background. This effectively prevents the wireless LAN controller from being forged.

Before deploying a unified wireless network, therefore, you must make sure that the wireless LAN controller and the lightweight access points can authenticate each other. Only when the authenticity of the wireless LAN controller is guaranteed can the security of the enterprise's wireless network be ensured. The network administrator therefore needs to understand the details of the authentication between them and be able to resolve problems that can arise during it, such as an invalid digital certificate.
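The following is an added example, not Cisco's code or the LWAPP specification, that models the two points made in sections 1 and 2 together: a controller that owns one shared policy and pushes it to every lightweight access point, and a join procedure in which the access point refuses a controller it cannot authenticate. The factory-installed certificates are replaced by constructed per-device secrets held in a trust-anchor table, certificate signatures by HMAC-SHA256 over the handshake nonces, and the two tunnels by a tagged control message and an untagged data encapsulation; all of these are assumptions of the model, and the device ids, policy keys and message prefixes are made up.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed trust anchor standing in for the factory-installed certificate
# chain: device id -> secret provisioned when the device was built (assumption).
FACTORY_KEYS: Dict[str, bytes] = {
    "WLC-1": hashlib.sha256(b"constructed WLC-1 factory secret").digest(),
    "LAP-1": hashlib.sha256(b"constructed LAP-1 factory secret").digest(),
    "LAP-2": hashlib.sha256(b"constructed LAP-2 factory secret").digest(),
}


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (stand-in for a certificate signature)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def _session_key(lap_id: str, lap_nonce: bytes, wlc_nonce: bytes) -> bytes:
    """Toy per-session control-tunnel key bound to both handshake nonces."""
    return _mac(FACTORY_KEYS[lap_id], b"session", lap_nonce, wlc_nonce)


@dataclass
class Controller:
    """WLC: owns the single shared policy and one session key per joined LAP."""
    device_id: str
    secret: bytes                      # the real device would hold a private key here
    policy: Dict[str, str]
    sessions: Dict[str, bytes] = field(default_factory=dict)

    def join_response(self, lap_nonce: bytes) -> Tuple[bytes, bytes]:
        """Answer a join request with a fresh nonce and proof of possession of our key."""
        wlc_nonce = secrets.token_bytes(16)
        proof = _mac(self.secret, b"wlc-proof", self.device_id.encode(), lap_nonce, wlc_nonce)
        return wlc_nonce, proof

    def join_confirm(self, lap_id: str, lap_nonce: bytes, wlc_nonce: bytes, lap_proof: bytes) -> bool:
        """Second leg of the mutual authentication: verify the LAP against the trust anchor."""
        anchor = FACTORY_KEYS.get(lap_id)
        if anchor is None:
            return False                  # unknown access point: not admitted
        expected = _mac(anchor, b"lap-proof", lap_id.encode(), wlc_nonce, lap_nonce)
        if not hmac.compare_digest(expected, lap_proof):
            return False
        self.sessions[lap_id] = _session_key(lap_id, lap_nonce, wlc_nonce)
        return True

    def push_policy(self, lap_id: str) -> bytes:
        """Control-tunnel message: the shared policy, tagged with the LAP's session key."""
        body = ";".join(f"{k}={v}" for k, v in sorted(self.policy.items())).encode()
        return b"CTRL" + body + _mac(self.sessions[lap_id], b"ctrl", body)


@dataclass
class LightweightAP:
    """LAP: forwards 802.11 frames and takes every policy decision from the WLC."""
    device_id: str
    secret: bytes
    policy: Dict[str, str] = field(default_factory=dict)
    session_key: Optional[bytes] = None

    def join(self, wlc: Controller) -> bool:
        """Join procedure: authenticate the controller before trusting anything it sends."""
        lap_nonce = secrets.token_bytes(16)
        wlc_nonce, wlc_proof = wlc.join_response(lap_nonce)
        anchor = FACTORY_KEYS.get(wlc.device_id)      # id the controller claims to have
        if anchor is None:
            return False
        expected = _mac(anchor, b"wlc-proof", wlc.device_id.encode(), lap_nonce, wlc_nonce)
        if not hmac.compare_digest(expected, wlc_proof):
            return False                  # forged controller: refuse to join
        lap_proof = _mac(self.secret, b"lap-proof", self.device_id.encode(), wlc_nonce, lap_nonce)
        if not wlc.join_confirm(self.device_id, lap_nonce, wlc_nonce, lap_proof):
            return False
        self.session_key = _session_key(self.device_id, lap_nonce, wlc_nonce)
        return True

    def receive_control(self, msg: bytes) -> bool:
        """Apply a control message only if its tag verifies under the session key."""
        if self.session_key is None or not msg.startswith(b"CTRL") or len(msg) < 4 + 32:
            return False
        body, tag = msg[4:-32], msg[-32:]
        if not hmac.compare_digest(_mac(self.session_key, b"ctrl", body), tag):
            return False
        self.policy = dict(item.split("=", 1) for item in body.decode().split(";") if item)
        return True

    @staticmethod
    def encapsulate_data(frame: bytes) -> bytes:
        """Data tunnel: encapsulation only, with no integrity tag, as the text notes."""
        return b"DATA" + frame


def demo() -> Dict[str, object]:
    """Genuine join, rogue-controller rejection, one policy change reaching every LAP."""
    wlc = Controller("WLC-1", FACTORY_KEYS["WLC-1"], {"auth": "802.1X", "channel": "auto"})
    rogue = Controller("WLC-1", hashlib.sha256(b"constructed attacker key").digest(), {"auth": "open"})
    laps = [LightweightAP("LAP-1", FACTORY_KEYS["LAP-1"]), LightweightAP("LAP-2", FACTORY_KEYS["LAP-2"])]
    joined = [lap.join(wlc) for lap in laps]
    rogue_joined = LightweightAP("LAP-1", FACTORY_KEYS["LAP-1"]).join(rogue)
    unknown_joined = LightweightAP("LAP-X", b"\x00" * 32).join(wlc)
    wlc.policy["channel"] = "6"                   # one change on the controller ...
    pushed = [lap.receive_control(wlc.push_policy(lap.device_id)) for lap in laps]
    tampered = bytearray(wlc.push_policy("LAP-1"))
    tampered[5] ^= 1                              # flip one bit of the policy body
    tampered_ok = laps[0].receive_control(bytes(tampered))
    return {"joined": joined, "rogue_joined": rogue_joined, "unknown_joined": unknown_joined,
            "pushed": pushed, "policies": [lap.policy for lap in laps], "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is the order of operations in `LightweightAP.join`: the access point validates the controller's proof against its trust anchor before it ever sends its own proof or accepts a policy, so a controller that merely claims the right id but lacks the matching key gets nothing. The `encapsulate_data` path carries no tag at all, which is the asymmetry between the data tunnel and the control tunnel the text describes.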
