Quản trị mạng - Chapter 7: Basic wireless concepts and configuration

1Chapter 7: Basic Wireless Concepts and Configuration CCNA Exploration 4.0 Học viện mạng Bach Khoa - Website: www.bkacad.com 2 Objectives • Describe the components and operations of basic wireless LAN topologies. • Describe the components and operations of basic wireless LAN security. • Configure and verify basic wireless LAN access. • Configure and troubleshoot wireless client access. Học viện mạng Bach Khoa - Website: www.bkacad.com 3 The Wireless LAN Học viện mạng Bach Khoa - Website: www.bkacad.com 4 Why Use Wireless? • Business networks today are evolving to support people who are on the move. • Mobility environment: where people can take their connection to the network along with them on the road. • There are many different infrastructures (wired LAN, service provider networks) that allow mobility like this to happen, but in a business environment, the most important is the WLAN. • People now expect to be connected at any time and place What is WLAN RF Technology? Học viện mạng Bach Khoa - Website: www.bkacad.com 5 Học viện mạng Bach Khoa - Website: www.bkacad.com 6 Benefits of WLANs Học viện mạng Bach Khoa - Website: www.bkacad.com 7 Wireless Technologies Học viện mạng Bach Khoa - Website: www.bkacad.com 8 Wireless LAN Học viện mạng Bach Khoa - Website: www.bkacad.com 9 Comparing a WLAN to a LAN • In an 802.3 Ethernet LAN, each client has a cable that connects the client NIC to a switch. The switch is the point where the client gains access to the network. • In a wireless LAN, each client uses a wireless adapter to gain access to the network through a wireless device such as a wireless router or access point. Học viện mạng Bach Khoa - Website: www.bkacad.com 10 Comparing a WLAN to a LAN Học viện mạng Bach Khoa - Website: www.bkacad.com 11 Wireless standards Học viện mạng Bach Khoa - Website: www.bkacad.com 12 Wireless standards Học viện mạng Bach Khoa - Website: www.bkacad.com 13 Wi-Fi Certification Extra: Modulation Học viện mạng Bach Khoa - Website: www.bkacad.com 14 Extra: Modulation Học viện mạng Bach Khoa - Website: www.bkacad.com 15 Extra: Modulation Học viện mạng Bach Khoa - Website: www.bkacad.com 16 Extra: Modulation Học viện mạng Bach Khoa - Website: www.bkacad.com 17 Extra: Modulation Học viện mạng Bach Khoa - Website: www.bkacad.com 18 Extra: Modulation Học viện mạng Bach Khoa - Website: www.bkacad.com 19 802.11a Uses OFDM Modulation Học viện mạng Bach Khoa - Website: www.bkacad.com 20 802.11a 5-GHz Frequency Bands Học viện mạng Bach Khoa - Website: www.bkacad.com 21 802.11b Access Point Coverage Học viện mạng Bach Khoa - Website: www.bkacad.com 22 802.11b Scalability Học viện mạng Bach Khoa - Website: www.bkacad.com 23 802.11a Access Point Coverage Học viện mạng Bach Khoa - Website: www.bkacad.com 24 802.11a Scalability (Indoor UNII-1 and UNII-2) Học viện mạng Bach Khoa - Website: www.bkacad.com 25 Học viện mạng Bach Khoa - Website: www.bkacad.com 26 Wireless Infrastructure Components Học viện mạng Bach Khoa - Website: www.bkacad.com 27 Extra: Wireless LAN Frame Học viện mạng Bach Khoa - Website: www.bkacad.com 28 Wireless Access Points Học viện mạng Bach Khoa - Website: www.bkacad.com 29 Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) Học viện mạng Bach Khoa - Website: www.bkacad.com 30 RTS/CTS Học viện mạng Bach Khoa - Website: www.bkacad.com 31 Extra: RTS/CTS • The optional request-to-send and clear-to-send (RTS/CTS) function allows the access point to control use of the medium for stations activating RTS/CTS. • With most radio NICs, users can set a maximum frame-length threshold for when the radio NIC activates RTS/CTS. – For example, a frame length of 1,000 bytes triggers RTS/CTS for all frames larger than 1,000 bytes. • If the radio NIC activates RTS/CTS, it first sends an RTS frame to an access point before sending a data frame. The access point then responds with a CTS frame, indicating that the radio NIC can send the data frame. • With the CTS frame, the access point provides a value in the duration field of the frame header that holds off other stations from transmitting until after the radio NIC initiating the RTS can send its data frame. This avoids collisions between hidden nodes. • The RTS/CTS handshake continues for each frame, as long as the frame size exceeds the threshold set in the corresponding radio NIC. Học viện mạng Bach Khoa - Website: www.bkacad.com 32 Extra: RTS/CTS Học viện mạng Bach Khoa - Website: www.bkacad.com 33 802.11 Frame Format Học viện mạng Bach Khoa - Website: www.bkacad.com 34 802.11 Frames Type (cont) Học viện mạng Bach Khoa - Website: www.bkacad.com 35 Configurable Parameters for Wireless Endpoints Học viện mạng Bach Khoa - Website: www.bkacad.com 36 Configurable Parameters for Wireless Endpoints 2.4-GHz Channel Sets Học viện mạng Bach Khoa - Website: www.bkacad.com 37 Học viện mạng Bach Khoa - Website: www.bkacad.com 38 802.11 Topologies: Ad hoc Network Học viện mạng Bach Khoa - Website: www.bkacad.com 39 802.11 Topologies: Infrastructure • Basic Service Sets Học viện mạng Bach Khoa - Website: www.bkacad.com 40 802.11 Topologies: Infrastructure • Extended Service Sets Học viện mạng Bach Khoa - Website: www.bkacad.com 41 Extra: Roaming Học viện mạng Bach Khoa - Website: www.bkacad.com 42 Extra: Roaming Học viện mạng Bach Khoa - Website: www.bkacad.com 43 Extra: Scanning • The 802.11 standard defines both passive and active scanning, whereby a radio NIC searches for access points. • Passive scanning is mandatory where each NIC scans individual channels to find the best access-point signal. Periodically, access points broadcast a beacon, and the radio NIC receives these beacons while scanning and takes note of the corresponding signal strengths. The beacons contain information about the access point, including SSID and supported data rates. The radio NIC can use this information along with the signal strength to compare access points and decide on which one to use. • Active scanning is similar, except the radio NIC initiates the process by broadcasting a probe frame, and all access points within range respond with a probe response. Active scanning enables a radio NIC to receive immediate response from access points, without waiting for a beacon transmission. The issue, however, is that active scanning imposes additional overhead on the network because of the transmission of probe and corresponding response frames. Học viện mạng Bach Khoa - Website: www.bkacad.com 44 Client and Access Point Association • Beacon Học viện mạng Bach Khoa - Website: www.bkacad.com 45 Client and Access Point Association Học viện mạng Bach Khoa - Website: www.bkacad.com 46 Client and Access Point Association Step 3 - 802.11 Association Học viện mạng Bach Khoa - Website: www.bkacad.com 47 Extra: Authentication and Association • Open Authentication and Shared Key Authentication are the two methods that the 802.11 standard defines for clients to connect to an access point. • The association process can be broken down into three elements: 1. Probe 2. Authentication 3. Association. Học viện mạng Bach Khoa - Website: www.bkacad.com 48 Extra: Open Authentication • The Open Authentication method performs the entire authentication process in clear text. • Open Authentication is basically a null authentication, which means there is no verification of the user or machine. • Open Authentication is usually tied to a WEP key. A client can associate to the access point with an incorrect WEP key or even no WEP key. A client with the wrong WEP key will be unable to send or receive data, since the packet payload will be encrypted. • Keep in mind that the header is not encrypted by WEP. Only the payload or data is encrypted. Học viện mạng Bach Khoa - Website: www.bkacad.com 49 Extra: Shared Key Authentication • Shared Key Authentication works similarly to Open Authentication, except that it uses WEP encryption for one step. • Shared key requires the client and the access point to have the same WEP key. • An access point using Shared Key Authentication sends a challenge text packet to the client. If the client has the wrong key or no key, it will fail this portion of the authentication process. The client will not be allowed to associate to the AP. • Shared key is vulnerable to a man-in-the-middle attack, so it is not recommended. Học viện mạng Bach Khoa - Website: www.bkacad.com 50 Extra: ARS • When a source node sends a frame, the receiving node returns a positive acknowledgment (ACK). – This can cause consumption of 50% of the available bandwidth. • This overhead when combined with the collision avoidance protocol overhead reduces the actual data throughput to a maximum of 5.0 to 5.5 Mbps on an 802.11b wireless LAN rated at 11 Mbps. • Performance of the network will also be affected by signal strength and degradation in signal quality due to distance or interference. • As the signal becomes weaker, Adaptive Rate Selection (ARS) may be invoked and the transmitting unit will drop the data rate from 11 Mbps to 5.5 Mbps, from 5.5 Mbps to 2 Mbps or 2 Mbps to 1 Mbps. Học viện mạng Bach Khoa - Website: www.bkacad.com 51 Planning the Wireless LAN Học viện mạng Bach Khoa - Website: www.bkacad.com 52 Planning the Wireless LAN Học viện mạng Bach Khoa - Website: www.bkacad.com 53 Planning the Wireless LAN Học viện mạng Bach Khoa - Website: www.bkacad.com 54 Planning the Wireless LAN Học viện mạng Bach Khoa - Website: www.bkacad.com 55 Activity 7.1.5.2 Học viện mạng Bach Khoa - Website: www.bkacad.com 56 Activity 7.1.5.2 Học viện mạng Bach Khoa - Website: www.bkacad.com 57 Wireless LAN Security Học viện mạng Bach Khoa - Website: www.bkacad.com 58 Wireless LAN Security Threats Unauthorized Access Học viện mạng Bach Khoa - Website: www.bkacad.com 59 Wireless LAN Security Threats Học viện mạng Bach Khoa - Website: www.bkacad.com 60 Wireless LAN Security Threats • Denial of Service Học viện mạng Bach Khoa - Website: www.bkacad.com 61 Extra: Securing a WLAN Học viện mạng Bach Khoa - Website: www.bkacad.com 62 Extra: SSID • Most access points have options like ‘SSID broadcast’ and ‘allow any SSID.’ These features are usually enabled by default and make it easy to set up a wireless network. – Using the ‘allow any SSID’ option lets the access point allow access to a client with a blank SSID. – The ‘SSID broadcast’ sends beacon packets, which advertise the SSID. • Disabling these two options do not secure the network, since a wireless sniffer can easily capture a valid SSID from normal WLAN traffic. • SSIDs should not be considered a security feature. Học viện mạng Bach Khoa - Website: www.bkacad.com 63 Wireless Security Protocols Học viện mạng Bach Khoa - Website: www.bkacad.com 64 Extra: Wireless Security Protocols Học viện mạng Bach Khoa - Website: www.bkacad.com 65 Extra: Encryption Methods • Many encryption methods, such as the 802.11 Wired Equivalent Privacy (WEP), are symmetric—that is, the same key that does the encryption is also the one that performs the decryption. • If a user activates WEP, the NIC encrypts the payload (frame body and cyclic redundancy check [CRC]) of each 802.11 frame before transmission using an RC4 stream cipher provided by RSA security. The receiving station, such as an access point or another radio NIC, performs decryption upon arrival of the frame. As a result, 802.11 WEP only encrypts data between 802.11 stations. Once the frame enters the wired side of the network, such as between access points, WEP no longer applies. Học viện mạng Bach Khoa - Website: www.bkacad.com 66 Extra: Encryption Methods • Wi-Fi Protected Access – The Wi-Fi Protocol Access (WPA) standard provided by the Wi-Fi Alliance provides an upgrade to WEP that offers dynamic key encryption and mutual authentication. – Most wireless vendors now support WPA. WPA clients utilize different encryption keys that change periodically. This makes it more difficult to crack the encryption. Học viện mạng Bach Khoa - Website: www.bkacad.com 67 Wireless Security Protocols Học viện mạng Bach Khoa - Website: www.bkacad.com 68 Wireless Security Protocols Học viện mạng Bach Khoa - Website: www.bkacad.com 69 Wireless Security Protocols • Encryption Học viện mạng Bach Khoa - Website: www.bkacad.com 70 Securing a Wireless LAN Học viện mạng Bach Khoa - Website: www.bkacad.com 71 Configure Wireless LAN Access Học viện mạng Bach Khoa - Website: www.bkacad.com 72 Configuring the Wireless Access Point Học viện mạng Bach Khoa - Website: www.bkacad.com 73 Setup: Basic Setup Học viện mạng Bach Khoa - Website: www.bkacad.com 74 Administration: Management Học viện mạng Bach Khoa - Website: www.bkacad.com 75 Configuring Basic Wireless Settings Học viện mạng Bach Khoa - Website: www.bkacad.com 76 Security Mode • Select the mode you want to use: PSK-Personal, PSK2- Personal, PSK-Enterprise, PSK2-Enterprise, RADIUS, or WEP. Học viện mạng Bach Khoa - Website: www.bkacad.com 77 Mode Parameters • Enterprise modes are not configured in this chapter Học viện mạng Bach Khoa - Website: www.bkacad.com 78 Configure Encryption and Key Học viện mạng Bach Khoa - Website: www.bkacad.com 79 Configure a wireless NIC: Scan SSID Học viện mạng Bach Khoa - Website: www.bkacad.com 80 Configure a wireless NIC: Scan SSID Học viện mạng Bach Khoa - Website: www.bkacad.com 81 Select the Wireless Security Protocol • Practice: 7.3.2.4 Học viện mạng Bach Khoa - Website: www.bkacad.com 82 Troubleshooting Simple WLAN Problems Học viện mạng Bach Khoa - Website: www.bkacad.com 83 Systematic Approach to WLAN Troubleshooting • Step 1 - Eliminate the client device as the source of the problem. • Step 2 - Confirm the physical status of WLAN devices. • Step 3 - Inspect wired links. Học viện mạng Bach Khoa - Website: www.bkacad.com 84 Updating the Access Point Firmware Học viện mạng Bach Khoa - Website: www.bkacad.com 85 Incorrect Channel Settings Học viện mạng Bach Khoa - Website: www.bkacad.com 86 Incorrect Channel Settings: Solution Học viện mạng Bach Khoa - Website: www.bkacad.com 87 Solving RF Interference Học viện mạng Bach Khoa - Website: www.bkacad.com 88 Solving RF Interference • Site Surveys Học viện mạng Bach Khoa - Website: www.bkacad.com 89 Site Survey • Two categories: Manual and utility assisted. • Manual site surveys can include a site evaluation to be followed by a more thorough utility-assisted site survey. A site evaluation involves inspecting the area with the goal of identifying potential issues that could impact the network. Specifically, look for the presence of multiple WLANs, unique building structures, such as open floors and atriums, and high client usage variances, such as those caused by differences in day or night shift staffing levels. • Note: you do not conduct site surveys as part of this course Học viện mạng Bach Khoa - Website: www.bkacad.com 90 Access Point Misplacement Học viện mạng Bach Khoa - Website: www.bkacad.com 91 Access Point Misplacement: Solution Học viện mạng Bach Khoa - Website: www.bkacad.com 92 Access Point Misplacement: Solution • Ensure that access points are not mounted closer than 7.9 inches (20 cm) from the body of all persons. • Do not mount the access point within 3 feet (91.4 cm) of metal obstructions. • Install the access point away from microwave ovens. Microwave ovens operate on the same frequency as the access point and can cause signal interference. • Always mount the access point vertically (standing up or hanging down). • Do not mount the access point outside of buildings. • Do not mount the access point on building perimeter walls, unless outside coverage is desired. • When mounting an access point in the corner of a right-angle hallway intersection, mount it at a 45-degree angle to the two hallways. The access point internal antennas are not omnidirectional and cover a larger area when mounted this way. Học viện mạng Bach Khoa - Website: www.bkacad.com 93 Problems with Authentication and Encrytion Học viện mạng Bach Khoa - Website: www.bkacad.com 94 Problems with Authentication and Encrytion Học viện mạng Bach Khoa - Website: www.bkacad.com 95 Problems with Authentication and Encrytion Học viện mạng Bach Khoa - Website: www.bkacad.com 96 Summary Học viện mạng Bach Khoa - Website: www.bkacad.com 97