Thursday, May 11, 2017

Identifi - Site configuration

The main characteristics of site configuration are as follows.
  • Sites Based Configuration Enables Public Cloud Deployment
  • APs Securely Managed via High-Grade VPN Encryption
  • Site Specific Configuration and Role is Stored on the AP
  • Local 802.1x and MAC Authentication Provides Resiliency

  • Sites are logical AP groupings that can represent physical sites or logical/physical areas in a building/campus
  • Site operation comprises the following features:
    • Secure control traffic to remote APs
    • Common configuration and Role downloaded to and stored on the AP
    • Local 802.1x at the AP (max of 2 RADIUS servers)
    • Fast Roaming amongst APs in the site (Session Distribution)
      • Only supported between APs within the site
      • Similar to Mobility between controllers
  • A site supports a group of 32 APs and up to 1000 Mobile Units (MU)
  • 32 AP filter rules
  • B@AP topology

How to create a site

Radius server configuration

Advanced features such as Load Control and Tunnel Encryption are also defined on a per-site basis.

The AP Assignments tab allows selection of the APs that join the site; an AP can belong to only one Site.

WLAN Assignments define the VNS that will be broadcast by the Site.

Secure Tunnel
  • Secures CTP management and data traffic between APs and Controllers, based on IKEv2 and IPsec with AES and DH, for public cloud and secure remote-office wireless deployments
    • Control traffic (STFTP/SSH/TFTP/WASSP) – configuration requests and responses, software updates, AP reports, EAP traffic, pre-authentication success messages.
  • Configurable on a per AP or Site basis
  • Supported on all APs
  • Supported on all Controllers

IKE
  • The AP initiates the IKEv2 negotiation as part of the AP registration protocol
  • The IKEv2 negotiation is responsible for establishing the security association (SA), which includes creating the keys that will be used during the transfer of encrypted data
  • IKE fragmentation is always ON
  • Diffie-Hellman (DH) 2048-bit group
  • Self-signed RSA certificates with 2048-bit keys
IPsec (RFC 3948)
  • IPsec is used to encrypt the WASSP control tunnel
  • Encryption: AES-CBC 128
  • Message authentication: SHA1 truncated to 96 bits (HMAC-SHA1-96)


IKE is the key exchange mechanism for Virtual Private Networks (VPNs). ISAKMP manages the exchange of cryptographic keys used to set up a secure, authenticated tunnel between two Security Gateways (SG), or in this case between the Wireless Access Point and the Controller. This tunnel is called an ISAKMP Security Association (SA).
The Access Point offers several ISAKMP proposals; these provide the means for the two ends of the ISAKMP SA to agree on which encryption algorithm, which hash algorithm (SHA), and which Diffie-Hellman group will be used to protect the IPsec tunnel.


NAT processing and fragmentation can affect the transport of IKE/IPsec packets.
NAT traversal
  • Encapsulation of IKE and ESP (IPsec) in UDP port 4500 to allow traffic to pass through a NAT device or firewall appliance
Firewalls and some NAT appliances can block IP-fragmented packets.
  • In a Remote Branch / Cloud deployment, APs will be behind firewalls and NAT devices
  • IKE uses hard-coded 580-byte packets (fixed MTU)
    • To allow IKE to traverse firewalls, IKE packets are fragmented using application-level fragmentation (static MTU) to avoid IP fragmentation.
  • IPsec MTU adjustment
    • Adjust the payload size using existing dynamic ICMP MTU discovery and/or the AP static MTU size to avoid fragmentation.
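The arithmetic behind the IPsec MTU adjustment above, together with the RFC 3948 demultiplexing of UDP/4500 traffic that the NAT traversal bullet relies on, as an added Python example (not code from the original post or from the IdentiFi software). It assumes an IPv4 outer header and tunnel mode; the sample datagrams are constructed, not captured.

```python
import struct

# Tunnel parameters from the page: ESP encapsulated in UDP/4500 (RFC 3948),
# AES-CBC-128 for confidentiality, HMAC-SHA1-96 for integrity. Assumed here:
# IPv4 outer header and tunnel mode (the inner packet is a complete IP packet).
OUTER_IP = 20       # outer IPv4 header
UDP_HDR = 8         # NAT-T UDP header (port 4500)
ESP_HDR = 8         # SPI (4) + sequence number (4)
AES_BLOCK = 16      # AES-CBC IV length and padding alignment
ESP_TRAILER = 2     # pad length (1) + next header (1)
ICV_SHA1_96 = 12    # truncated HMAC-SHA1 integrity check value
FIXED_OVERHEAD = OUTER_IP + UDP_HDR + ESP_HDR + AES_BLOCK + ICV_SHA1_96  # 64 bytes

def esp_packet_size(inner_len: int) -> int:
    """On-the-wire size of one UDP-encapsulated ESP packet carrying inner_len bytes."""
    pad = (-(inner_len + ESP_TRAILER)) % AES_BLOCK   # align payload+trailer to the cipher block
    return FIXED_OVERHEAD + inner_len + pad + ESP_TRAILER

def max_inner_packet(path_mtu: int) -> int:
    """Largest inner IP packet that fits path_mtu unfragmented; what an AP static MTU must respect."""
    budget = path_mtu - FIXED_OVERHEAD                # room left for payload + pad + trailer
    return (budget // AES_BLOCK) * AES_BLOCK - ESP_TRAILER

def classify_udp4500(payload: bytes) -> str:
    """Demultiplex a UDP/4500 datagram the way RFC 3948 does (handy when reading captures)."""
    # A lone 0xFF byte is a NAT keepalive; a 4-byte zero "non-ESP marker" means IKE.
    # Everything else is ESP: an SPI is never zero, so it cannot collide with the marker.
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    if len(payload) >= ESP_HDR:
        spi, seq = struct.unpack("!II", payload[:ESP_HDR])
        return f"esp spi=0x{spi:08x} seq={seq}"
    return "malformed"

if __name__ == "__main__":
    # Constructed sample datagrams, not captured traffic.
    ike_dgram = b"\x00" * 4 + b"\x11" * 28              # non-ESP marker + 28-byte IKEv2 header
    esp_dgram = struct.pack("!II", 0x1A2B3C4D, 7) + b"\x00" * 32
    print(classify_udp4500(ike_dgram), classify_udp4500(esp_dgram), classify_udp4500(b"\xff"))
    print("max inner packet at 1500 MTU:", max_inner_packet(1500),
          "-> wire size", esp_packet_size(max_inner_packet(1500)))
```

At a 1500-byte path MTU the tunnel leaves room for a 1422-byte inner packet (1488 bytes on the wire); one byte more rolls the padding over to a 1504-byte packet, which is exactly the fragmentation the static MTU setting is meant to avoid.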

Secure Tunnel - How to configure

Enable Secure Tunnel: click to enable or disable the secure tunnel. When enabled, this feature provides encryption, authentication, and key management for data traffic between the AP and/or controllers.
Encrypt control traffic between AP & Controller: supports encryption between an AP and Controller and/or between APs.
Encrypt control and data traffic between AP & Controller: all control and data traffic is encrypted, and the AP skips the registration and authentication phases when this is selected. Deployments without tunneled topologies or Sites gain no benefit from enabling data traffic encryption.
Debug Mode: an IPsec tunnel is established from the AP to the Controller, but traffic is not encrypted.
