Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 5 Configuring Security Solutions
Cisco WLAN Solution Security
Cisco WLAN Solution Security includes the following sections:
Security Overview
Layer 1 Solutions
Layer 2 Solutions
Layer 3 Solutions
Rogue Access Point Solutions
Integrated Security Solutions

Security Overview

The Cisco WLAN Solution Security solution bundles potentially complicated Layer 1, Layer 2, and
Layer 3 802.11 Access Point security components into a simple policy manager that customizes
system-wide security policies on a per-WLAN basis. The Cisco WLAN Solution Security solution
provides simple, unified, and systematic security management tools.

One of the biggest hurdles to WLAN deployment in the enterprise is WEP encryption, which is a weak
standalone encryption method. A newer problem is the availability of low-cost access points, which can
be connected to the enterprise network and used to mount man-in-the-middle and denial-of-service
attacks. Also, the complexity of add-on security solutions has prevented many IT managers from
embracing the benefits of the latest advances in WLAN security.

Layer 1 Solutions

The Cisco WLAN Solution Operating System Security solution ensures that all clients gain access
within an operator-set number of attempts. Should a client fail to gain access within that limit, it is
automatically excluded (blocked from access) until the operator-set timer expires. The Operating System
can also disable SSID broadcasts on a per-WLAN basis.

Layer 2 Solutions

If a higher level of security and encryption is required, the network administrator can also implement
industry-standard security solutions, such as 802.1X dynamic keys with EAP (Extensible Authentication
Protocol) or WPA (Wi-Fi Protected Access) dynamic keys. The Cisco WLAN Solution WPA
implementation includes AES (Advanced Encryption Standard), TKIP + Michael (Temporal Key Integrity
Protocol + message integrity code checksum) dynamic keys, or WEP (Wired Equivalent Privacy) static
keys. Disabling is also used to automatically block Layer 2 access after an operator-set number of failed
authentication attempts.

Regardless of the wireless security solution selected, all Layer 2 wired communications between Cisco
Wireless LAN Controllers and Cisco 1000 Series lightweight access points are secured by passing data
through LWAPP tunnels.
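
The automatic exclusion described under Layer 1 Solutions and Layer 2 Solutions (block a client after an operator-set number of failed attempts until an operator-set timer expires) can be modelled as follows. This is an added example, not Cisco code or controller configuration; the names max_failures and timeout_s, the reset of the counter on success, and the sample events are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ExclusionPolicy:
    """Illustrative model: exclude a client after max_failures until a timer expires."""
    max_failures: int   # operator-set number of attempts (assumed name)
    timeout_s: int      # operator-set exclusion timer, in seconds (assumed name)
    failures: dict = field(default_factory=dict)        # MAC -> consecutive failures
    excluded_until: dict = field(default_factory=dict)  # MAC -> expiry timestamp

    def attempt(self, mac: str, now: int, success: bool) -> str:
        expiry = self.excluded_until.get(mac)
        if expiry is not None:
            if now < expiry:
                # While the timer runs, even valid credentials are refused.
                return "excluded"
            # Timer expired: the client starts again with a clean counter.
            del self.excluded_until[mac]
            self.failures.pop(mac, None)
        if success:
            # Assumption: a successful attempt resets the failure counter.
            self.failures.pop(mac, None)
            return "allowed"
        count = self.failures.get(mac, 0) + 1
        self.failures[mac] = count
        if count >= self.max_failures:
            self.excluded_until[mac] = now + self.timeout_s
            return "excluded"
        return "failed"


# Constructed sample events: (time in seconds, client MAC, attempt succeeded)
EVENTS = [
    (0, "00:11:22:33:44:55", False),
    (2, "66:77:88:99:aa:bb", False),
    (5, "00:11:22:33:44:55", False),
    (6, "66:77:88:99:aa:bb", True),    # one failure, then success
    (9, "00:11:22:33:44:55", False),   # third failure: excluded until t=69
    (30, "00:11:22:33:44:55", True),   # valid credentials, timer still running
    (70, "00:11:22:33:44:55", True),   # timer expired
]


def replay(events, policy):
    """Return the outcome of each event, in order, under the given policy."""
    return [policy.attempt(mac, t, ok) for t, mac, ok in events]


if __name__ == "__main__":
    for event, outcome in zip(EVENTS, replay(EVENTS, ExclusionPolicy(3, 60))):
        print(event, "->", outcome)
```
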