of wireless IDS. Traditional wired IDSs focus on Layer 3 and higher, but the nature of the RF medium and wireless standards mandate IDS at the physical and data link layers. The RF medium has several vulnerabilities, such as the unlicensed spectrum, which is subject to interference and is not contained by physical security boundaries. Standard vulnerabilities include unauthenticated management frames, session hijacking, and replay-type attacks. IDS protection includes rogue detection and location mapping, IDS attack signatures, client exclusion and containment, and high-resolution location tracking. Cisco offers wireless intrusion prevention system (IPS) options based on the selected architecture.

WPA and WPA2 Modes
WPA has two modes: Enterprise and Personal. Both modes provide encryption support and user authentication. WPA provides authentication support using IEEE 802.1x and pre-shared keys (IEEE 802.1x is recommended for enterprise deployments). WPA also provides encryption support using TKIP. TKIP includes MIC and per-packet keying via IV hashing and broadcast key rotation. WPA2 authentication is identical to WPA authentication, except that the encryption WPA2 uses is AES-CCMP. Figure shows a table comparing the two WPA2 modes.

WPA2 Issues
WPA2 solved the remaining security issues of WPA. Because AES is used for encryption, more computing power is required, and the hardware must be changed to support WPA2. The client (supplicant) must have a WPA2 driver that supports EAP. This standard is not prevalent and can be a limitation. The RADIUS server must also understand EAP. Although many RADIUS servers support EAP, not all of them do. PEAP carries EAP types within a TLS-secured channel. When TLS is used, a server certificate is used. This feature allows dynamic keys. Compared to WPA, WPA2 is CPU-intensive. More computing power is required for AES encryption support, requiring hardware upgrades rather than only a firmware upgrade. Some older access points will never support WPA2 because hardware upgrades are not available. New equipment is WPA-ready, and only a software upgrade is required. Figure summarizes these points.
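The two passages above contrast pre-shared keys (Personal mode) with 802.1x/EAP (Enterprise mode) and the "dynamic keys" that PEAP over TLS makes possible. The following Python example, added here and not part of the course text, shows where the 256-bit pairwise master key (PMK) comes from in each mode: in Personal mode it is derived deterministically from the passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 iterations, as specified by IEEE 802.11i), so every station on that SSID shares one static PMK; in Enterprise mode the PMK is produced per session by the EAP exchange and delivered by the RADIUS server, which the example stands in for with random bytes (a constructed simulation, not a real EAP exchange). The expected value for the passphrase "password" on SSID "IEEE" is the test vector from IEEE 802.11i Annex H.

```python
import hashlib
import secrets


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Personal mode: derive the PMK (the 256-bit PSK) from passphrase and SSID.

    IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The passphrase must be 8 to 63 printable ASCII characters.
    """
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def enterprise_pmk_from_eap() -> bytes:
    """Enterprise mode stand-in: the PMK is not derived from any shared secret.

    After a successful EAP method (for example PEAP inside TLS) the RADIUS server
    hands the AP fresh session keying material, so each client session receives
    its own PMK. Simulated here with random bytes (constructed, not a real EAP run).
    """
    return secrets.token_bytes(32)


def pmks_per_station(mode: str, stations: int, passphrase: str = "", ssid: str = "") -> list:
    """Return the PMK each of `stations` clients would hold under the given mode."""
    if mode == "personal":
        # Same passphrase + SSID on every station: one PMK shared by all of them.
        return [wpa_psk_pmk(passphrase, ssid) for _ in range(stations)]
    if mode == "enterprise":
        # Each station runs its own EAP exchange and gets a distinct PMK.
        return [enterprise_pmk_from_eap() for _ in range(stations)]
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    print("Personal PMK for 'password'/'IEEE':", wpa_psk_pmk("password", "IEEE").hex())
    print("distinct PMKs, personal  (3 stations):", len(set(pmks_per_station("personal", 3, "password", "IEEE"))))
    print("distinct PMKs, enterprise (3 stations):", len(set(pmks_per_station("enterprise", 3))))
```

The SSID acts as the PBKDF2 salt, so the same passphrase yields a different PMK on a different SSID, but within one SSID the PMK is identical for everyone who knows the passphrase.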
6.3 Managing WLANs

6.3.1 Cisco Unified Wireless Network Business Drivers
The modern business climate requires anywhere, anytime connectivity. A worldwide revolution is occurring in business. Mobile users, traveling executives, wireless applications, and advanced services such as VoIP over Wi-Fi are driving WLAN expansion and adoption. Mobility changes the way that organizations conduct business. Network managers need to protect their networks and deliver secure WLAN access for their organizations. These managers need a wireless infrastructure that embraces the unique attributes of RF technology and effectively supports today's business applications. They need to keep their wired network secure while laying a foundation for the smooth integration of new applications that embrace wireless technology. Network managers need a WLAN solution that takes full advantage of existing tools, knowledge, and network resources to cost-effectively address critical WLAN security, deployment, and control issues. The Cisco WLAN solution consists of Cisco Wireless LAN Controllers and their associated lightweight access points that are controlled by the operating system, all concurrently managed by the operating system user interface. This lesson presents these elements as listed in Figure. The Cisco Unified Wireless Network is an end-to-end unified wired and wireless network that cost-effectively addresses WLAN security, deployment, management, and control issues. Cisco's unique approach addresses all layers of the WLAN network, from client devices and access points to the network infrastructure, network management, and the delivery of advanced wireless services. As shown in Figure, the Cisco Unified Wireless Network is composed of five interconnected elements that work together as building blocks to deliver a unified enterprise-class wireless solution.

Cisco Unified Wireless Network Components
The following Cisco WLAN products, listed in Figure, support the five interconnecting elements of the Cisco Unified Wireless Network and business-class WLANs: