With most WLAN designs, security is the first capability folks worry about. Fortunately, WLAN technology contains robust security features with viable authentication and encryption mechanisms. A security solution can be designed in a variety of ways, however. This tip provides some best practices for designing effective security architectures.
We will cover specific design aspects of the Cisco Unified WLAN solution utilizing controller-based architectures. These design best practices have been developed over the course of multiple design initiatives with the Cisco solution and primarily from lessons learned from deploying the Cisco solution. Most of the information is related to the Cisco solution, but some of the lessons learned and best practices relate to the process behind deploying the designs.
In most organizations, the user community dictates the security architecture. It is not a one-size-fits-all approach. The recommended approach is to identify the user communities that will utilize the WLAN system and design the security accordingly.
As a foundation, the following user communities are a good place to start:
- Employees/visiting employees -- require access to corporate applications and need those applications to be secure
- Contractors -- on site temporarily, but for an extended period of time; require access to some corporate applications (other than just Internet)
- Guests -- need access to Internet only
- Voice -- users who have VoWiFi-capable phones
In most cases, security architecture designs for these user groups differ. For example, the following is a proposed security design for the above:
- Employees/visiting employees -- 802.1X PEAP with single sign-on via RADIUS and Active Directory
- Contractors -- 802.1X EAP-FAST
- Guests -- daily username and password
- Voice -- 802.1X EAP-FAST
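The per-community design above is easiest to keep honest if it is written down as a policy and every proposed WLAN (SSID) is checked against it before the pilot. The following Python script is an added example, not code from the original tip or from Cisco: it encodes the four communities and their recommended authentication as a policy table, audits a constructed set of WLAN definitions against it, and models the daily guest credential with an expiry check. The SSID names, VLAN isolation flags and the sample design are assumptions made for illustration.

```python
"""Audit a per-community WLAN security design against the recommended policy.

Added example (not part of the original article). The communities and the
authentication choices mirror the design in the text; SSID names and the
sample WLAN definitions below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Recommended authentication per community, as proposed in the article.
POLICY: Dict[str, dict] = {
    "employees":   {"auth": "802.1X",   "eap": {"PEAP"},     "internet_only": False},
    "contractors": {"auth": "802.1X",   "eap": {"EAP-FAST"}, "internet_only": False},
    "guests":      {"auth": "web-auth", "eap": set(),        "internet_only": True},
    "voice":       {"auth": "802.1X",   "eap": {"EAP-FAST"}, "internet_only": False},
}


@dataclass
class Wlan:
    ssid: str
    community: str
    auth: str                 # "802.1X", "web-auth" or "open"
    eap: Optional[str]        # EAP method enforced via RADIUS, if any
    encryption: str           # "WPA2-AES", "WPA-TKIP" or "none"
    internet_only: bool       # confined to an Internet-only VLAN/ACL (assumed attribute)


def audit_wlan(w: Wlan) -> List[str]:
    """Return policy findings for one WLAN; an empty list means compliant."""
    rule = POLICY.get(w.community)
    if rule is None:
        return [f"{w.ssid}: unknown community '{w.community}'"]
    findings: List[str] = []
    if w.auth != rule["auth"]:
        findings.append(f"{w.ssid}: expected {rule['auth']} authentication, got {w.auth}")
    allowed: Set[str] = rule["eap"]
    if allowed and w.eap not in allowed:
        findings.append(f"{w.ssid}: expected EAP method {'/'.join(sorted(allowed))}, got {w.eap}")
    if rule["auth"] == "802.1X" and w.encryption != "WPA2-AES":
        findings.append(f"{w.ssid}: 802.1X WLAN should use WPA2-AES, got {w.encryption}")
    if rule["internet_only"] and not w.internet_only:
        findings.append(f"{w.ssid}: guests must be confined to Internet-only access")
    if not rule["internet_only"] and w.internet_only:
        findings.append(f"{w.ssid}: community needs corporate application access")
    return findings


def audit_design(wlans: List[Wlan]) -> Dict[str, List[str]]:
    """Audit a whole design; returns only the SSIDs that have findings."""
    result = {w.ssid: audit_wlan(w) for w in wlans}
    return {ssid: f for ssid, f in result.items() if f}


@dataclass
class GuestCredential:
    """A daily guest username/password: valid for `lifetime` from issue."""
    username: str
    issued_at: datetime
    lifetime: timedelta = timedelta(days=1)

    def is_valid(self, now: datetime) -> bool:
        return self.issued_at <= now < self.issued_at + self.lifetime


# Constructed sample design: three compliant WLANs and one deliberately wrong.
SAMPLE_DESIGN = [
    Wlan("CORP",      "employees",   "802.1X",   "PEAP",     "WPA2-AES", False),
    Wlan("CONTRACT",  "contractors", "802.1X",   "PEAP",     "WPA-TKIP", False),  # wrong EAP, weak cipher
    Wlan("GUEST",     "guests",      "web-auth", None,       "none",     True),
    Wlan("VOICE",     "voice",       "802.1X",   "EAP-FAST", "WPA2-AES", False),
]

if __name__ == "__main__":
    for ssid, findings in audit_design(SAMPLE_DESIGN).items():
        for f in findings:
            print(f)
    cred = GuestCredential("guest-0421", datetime(2024, 4, 21, 8, 0))
    print("guest cred valid same day:", cred.is_valid(datetime(2024, 4, 21, 18, 0)))
    print("guest cred valid next day:", cred.is_valid(datetime(2024, 4, 22, 9, 0)))
```

Running it prints the two findings for the CONTRACT SSID (wrong EAP method and TKIP instead of AES) and shows the guest credential accepted the same day and rejected the next. The same table-driven check can be extended with whatever attributes your controller exposes (VLAN, ACL, QoS profile) so the audit matches the actual WLAN configuration rather than the design document.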
The decision between a centralized or distributed controller architecture is another key aspect in designing Cisco's solution, and multiple factors should be considered in determining which is right for you. The Unified solution uses LWAP technology: each AP builds a secure LWAP tunnel back to the controller over IP, so Layer 2 segmentation between AP and controller is no longer a consideration. In fact, the Ethernet connection from the AP to the Layer 2 switch cannot be a trunked interface. Because the tunnel runs over IP, the controller can sit across a WAN connection, which makes it possible to centralize the controllers. This is very compelling in large distributed environments and is the model used in many VoIP solution designs.
It is important, however, to understand that in a centralized architecture, all the APs connect to the controller. Any routing off the WLAN is done by the router connected to the controller, which can create issues in centralized deployments. For example, if a user connected to an AP wants to print a document or retrieve a file from a local printer or server, the traffic from the AP is sent all the way back to the controller, then routed back across the WAN to the server or printer. This creates WAN backhauls for traffic between local client/server and printer resources. As you can imagine, this is not desirable.
A great feature of the Unified WLAN solution is the support for mobility and VoIP, but this feature requires very robust RF coverage, capacity and throughput, as well as failover coverage by the APs. Experience has shown that very tight cell areas and additional APs are required to supply the performance, scalability and availability needed for mission-critical transport (if the solution is just for Internet access, RF design can change significantly).
The recommended practice is to pilot the RF design and use both a standard site survey and the Cisco assisted site survey to develop a process for your unique environment. Test failover and mobility extensively to determine optimal cell size and throughput requirements.
Site demographics play a large role in determining AP placement and AP numbers. You can have sites with the exact same dimensions and building materials but totally different AP placements, based on the number of users and applications utilized in each site. Four standard site types are:
1. Data only
2. Data and Voice
3. Internet only
(The assumption is that mobility is offered in 1, 2, and 3.)
These design considerations and best practices provide a foundation for deploying a robust WLAN solution with Cisco's gear. The key is to pilot and test these things yourself, and it is highly recommended that the pilot be designed for voice mobility. If the design can support voice mobility, it can cover 99% of the other applications a WLAN can support.
About the author:
Robbie Harrell (CCIE#3873) is the National Practice Lead for Advanced Infrastructure Solutions for SBC Communications. He has more than 10 years of experience providing strategic, business and technical consulting services. Robbie lives in Atlanta and is a graduate of Clemson University. His background includes positions as a principal architect at International Network Services, Lucent, Frontway and Callisma.