accounting (AAA) override can be applied to Cisco Identity Based Networking Services (IBNS) WLAN clients.
  • Untagged packets: Untagged packets received from the LAN receive the following treatment:
    Figure summarizes these points.
  • The 802.11e QoS packets received from the WLAN receive this treatment:
  • Non-QoS packets that are received from the WLAN will be given best-effort priority (default silver) when they are transmitted on the LAN by the controller.
    Figure summarizes these points.
    6.1 Implementing WLAN QoS
    6.1.8 WLAN QoS Configuration

    Introducing Cisco WCS
    The Cisco Wireless Control System (WCS) is a Cisco Unified Wireless Network Solution management tool that adds to the capabilities of the web user interface and command line interface (CLI), moving from individual controllers to a network of controllers. WCS includes the same configuration, performance monitoring, security, fault management, and accounting options used at the controller level and adds a graphical view of multiple controllers and managed access points. Figure is a representation of the Cisco Unified Wireless Network Solution of which WCS is an integral part.

    The WCS user interface enables operators to control all permitted Cisco Unified Wireless Network Solution configuration, monitoring, and control functions through Internet Explorer 6.0 or later. Operator permissions are defined by the administrator using the WCS user interface Administration menu, which also enables the administrator to manage user accounts and schedule periodic maintenance tasks. A later lesson will cover WCS in more detail. This topic uses WCS to configure QoS on the WLAN.

    QoS-Configurable Profiles
    By default, the WLAN priority is set by the slot timers that EDCF uses. Figure shows the section of the web page where you can configure a bandwidth contract rate for each of the four access categories. Each bandwidth contract rate is further divided into average and peak rates of User Datagram Protocol (UDP) or non-UDP traffic. We recommend using the default bandwidth rate parameters.

    On the same web page, you can configure the “Over the Air QoS” settings that control the maximum RF usage from each WMM access category. By default, these settings are all set at 100 percent. The Queue Depth field controls the internal queue depth for each respective access category. The defaults for both parameters are listed in the Over the Air QoS Defaults table. Figure shows where to enter the parameters.

    Over the Air QoS Defaults
    Access Category   RF Usage      Queue Depth
    Platinum          100 percent   100
    Gold              100 percent   75
    Silver            100 percent   50
    Bronze            100 percent   25

    The mapping from 802.1p to WMM access categories can also be specified at a broad, controller-wide level. Figure shows examples of editing bronze and platinum profiles. The only option for the Protocol Type drop-down field is 802.1p. Current (version 3.2) controller code has the default mappings listed in the Access Category table.

    Access Category
    Access Category   802.1p Priority
    Platinum          6
    Gold              5
    Silver            3
    Bronze            1

    Configuring WLAN IDs for QoS
    Figure shows how WLAN IDs can be configured individually for QoS on a controller. The general WMM or 802.11e policy for wireless client interaction with the access point can be controlled at the WLAN ID of the wireless controller. The three possible values are listed and described in the Configuring WLAN ID Parameters table.

    Configuring WLAN ID Parameters
    Parameter Value   Description
    Disabled          The Disabled parameter ignores the WMM or 802.11e QoS request.
    Allowed           The Allowed parameter offers QoS to WMM- or 802.11e-capable wireless clients and default QoS for non-WMM/802.11e wireless clients.
    Required          The Required parameter requires all wireless clients to be WMM or 802.11e compliant and to use any WLAN ID that this parameter defines.

    Note
    The WLAN ID is the association from the WLAN service set identifier (SSID) to a unique internal number, which in turn associates to security policies and the existing Ethernet interface of the controller.
    6.2 Introducing Wireless Security
    6.2.1 The Need for WLAN Security

    Because WLANs use radio waves, WLANs are open to hackers who try to access sensitive information or disrupt network operations. Hackers can drive past potential targets using wireless sniffing tools to find unprotected networks. This is called war driving. Many corporations, retail operations, offices, and homes are open to intruders.

    The vulnerability of wireless networks arises from the false belief that the spread spectrum modulation technique of several of the 802.11 wireless LAN standards (including 802.11b) has built-in security. Engineers developed spread spectrum during World War II as a means of preventing enemy jamming of radio communications. Modern WLAN vendors mistakenly assumed that their use of spread spectrum also provided security. In the intended military applications, spread spectrum attempts to provide security by changing the "spreading codes" with a secret key, making it nearly impossible to decipher the signal without the code. However, the 802.11 standard describes the spreading codes publicly to provide 802.11 component interoperability. A hacker needs only an 802.11-compliant radio network interface card (NIC) to connect to a vulnerable WLAN.

    Most wireless devices that are sold today are wireless network-ready. End users often do not change the default settings or implement only standard Wired Equivalent Privacy (WEP) security, which is not an optimal solution for secure wireless networks. Figure lists some of the vulnerabilities that arise from WLAN design and the 802.11 standard. The following subtopics briefly describe WLAN vulnerabilities.

    SSID
    The SSID is a network-naming scheme and configurable parameter that both the client and the access point must share. The SSID feature logically segments the users and access points that form part of a wireless subsystem. The 802.11 standard requires that a user's radio NIC has the same SSID as the access point to enable association and communications. In the absence of optional security features, the SSID is a form of password and is the only "security" mechanism that the access point needs to establish a connection.

    Most access points broadcast the SSID multiple times per second within the body of each beacon frame, so a hacker can easily use an 802.11 analysis tool to identify the SSID. In fact, Windows XP and Windows Vista sniff for SSIDs and automatically configure the radio NIC in the end user device. This means that even if a user starts with unmatched SSIDs, he or she may well be able to associate with an SSID revealed by the Windows XP scan for available networks.

    To make the hacker’s task even easier, many WLAN deployments use the access point default SSID. If you try your own war driving looking for “linksys”, you will find out how prevalent this practice is. Even deactivating SSID broadcasting to delete the SSID from the beacon frames will not stop hackers from finding the SSID. Hackers simply need to wait until someone associates or re-associates with the network.

    MAC Filtering
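The SSID point made above can be checked offline. The following Python sketch is an added example, not part of the original course material: it parses constructed 802.11 management frames and shows that an access point that blanks the SSID in its beacons still has the SSID carried in cleartext in association and re-association requests. The sample bytes, the SSID "corp-wlan", and the helper names are assumptions made for the illustration.

```python
# Added example: constructed 802.11 management frames, parsed offline.
HEADER_LEN = 24  # frame control, duration, three addresses, sequence control
# subtype -> (name, length of the fixed fields before the information elements)
MGMT = {0: ("assoc-req", 4), 2: ("reassoc-req", 10), 8: ("beacon", 12)}

def parse_ssid(frame: bytes):
    """Return (subtype name, SSID) for a management frame.
    SSID is "" when the element is empty or null-filled (a "hidden" SSID)
    and None when the frame carries no SSID element at all."""
    if len(frame) < HEADER_LEN:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in MGMT:
        raise ValueError("not a supported management frame")
    name, fixed = MGMT[subtype]
    pos = HEADER_LEN + fixed
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + ie_len]
        if len(body) != ie_len:
            raise ValueError("truncated information element")
        if ie_id == 0:  # element ID 0 is the SSID
            return name, body.decode("utf-8", "replace") if any(body) else ""
        pos += 2 + ie_len
    return name, None

def build(subtype: int, ssid: bytes) -> bytes:
    """Construct a minimal sample frame (addresses and fixed fields zeroed)."""
    header = bytes([subtype << 4, 0]) + bytes(HEADER_LEN - 2)
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported-rates element
    return header + bytes(MGMT[subtype][1]) + bytes([0, len(ssid)]) + ssid + rates

def ssid_exposure(frames):
    """Map each frame subtype seen to the SSID it carried in cleartext."""
    return dict(parse_ssid(f) for f in frames)

# Constructed capture: SSID suppressed in beacons (empty and null-filled
# variants), followed by a client associating and later re-associating.
CAPTURE = [build(8, b""), build(8, bytes(8)),
           build(0, b"corp-wlan"), build(2, b"corp-wlan")]

if __name__ == "__main__":
    for kind, ssid in ssid_exposure(CAPTURE).items():
        print(f"{kind:12} SSID={ssid!r}")
```

The beacon entries come back empty while both client frames return the network name, which is why suppressing SSID broadcast is not an access control.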
    A client that is connecting to an access point must go through the process of authenticating and associating. Some WLANs support filtering using a MAC address. Network administrators construct tables manually on the access