CISCO-DOT11-CONTEXT-SERVICES-MIB
This MIB supports managing the devices offering WDS and WNS services. The hierarchy of the devices offering the wireless domain and network services looks like the following. += = = = + | | | WNS | (Campus level) | | += = = = + / \ / \ / \ / \ \/ \/ += = =+ += = =+ | | | | | WNS | | WNS | | | | | += = =+ += = =+ / \ \ / \ \ / \ \ / \ \ \/ \/ \/ +=====+ +=====+ +=====+ | | | | | | | WDS | | WDS | | WDS | ( Subnet | | | | | | level- +=====+ +=====+ +=====+ Single / \ \ \ broadcast / \ \ \ domain ) / \ \ \ / \ \ \ / \ \ \ \/ \/ \/ \/ +~-~-~+ +~-~-~+ +~-~-~+ +~-~-~+ + + + + + + + + + AP + + AP + + AP + + AP + + + + + + + + + +~-~-~+ +~-~-~+ +~-~-~+ +~-~-~+ .. . . . . . . . . . . . . . . . . . . . . . . . \/ \/ \/ \/ \/ +.....+ +.....+ +-.-.-.+ +~-~-~+ +......+ + + + + + + + + + + + MN + + MN + + WGB + + AP + + MN + + + + + + + + + + + +.....+ +.....+ +-.-.-.+ +~-~-~+ +......+ . . . . . . . . . . . . \/ \/ \/ ++++++++ +......+ +......+ + + + + + + + EN + + MN + + MN + + + + + + + ++++++++ +......+ +......+ The diagram above depicts the overall campus network hierarchy and the services being offered at various levels in the hierarchy. Here, Infrastructure Node Authentication services are offered by the device providing WNS at the root (Campus) level. WNS at this level thus span an enterprise campus that resides in a geographic location. WNS are offered at various levels as shown in the hierarchy to achieve scalability. WNS at the subsequent levels other than the root level include authentication services for MNs and are typically confined to a single building. At the broadcast domain level, the WDS include authentication and registration services for the APs. An AP provides Proxy Authentication and registration services for the MNs. The APs that connect to parent APs through the wireless interface ( as shown by the dotted lines ) are Repeater-APs. The WGBs are managed in the same manner as the MNs. However, the Ethernet Nodes ( EN ) that are connected to the WGB won't be served as part of the WDS. GLOSSARY Access Point ( AP ) Any entity that contains an 802.11 medium access control ( MAC ) and physical layer ( PHY ) interface and provides access to the distribution services via the wireless medium for associated clients. Wireless Bridge An 802.11 entity that provides wireless connectivity between two wired LAN segments and is used in point- to-point or point-multipoint configurations. Mobile Node ( MN ) A roaming 802.11 wireless device in a wireless network associated with an access point. WorkGroup Bridge ( WGB ) A work-group bridge is a non-STP AP with an 802.11 primary port and a secondary Ethernet port that provides access to a non-STP secondary Ethernet LAN segment. STP refers to the IEEE 802.1D Spanning Tree Protocol. An 'STP AP' executes the 802.1D STP and the 802.1D STP is operated on an 'STP link'. A 'non-STP AP' does not execute the 802.1D STP. Repeater-AP A repeater is a 'wireless AP' that is attached to a parent AP on an 802.11 primary port. The Ethernet port is disabled in a Repeater-AP. Infrastructure Node ( IN ) This term refers to Access Points, Wireless Bridges and those devices that implement and offer WNS and WDS as shown in the network hierarchy. Ethernet Node ( EN ) The node that gets the uplink to the Wireless AP via the WGB. This node connects to the WGB through its primary Ethernet port. Context The mobility context for an MN includes its current mobility bindings with the APs, IP/802 address bindings, cached configuration parameters, QoS state, IP group membership, authentication state, accounting statistics, and other dynamically derived protocol state information. Wireless Domain Services The set of services being offered at a particular broadcast domain that may be an IP subnet or a particular VLAN. The services include the following. 1. MN security credential caching to provide seamless, secure intra-subnet roaming. 2. Authenticated context transfer for roaming client within the subnet. Since, by definition, the WDS are bound to one subnet ( broadcast domain ), if implemented in a device spanning multiple subnets, the implementation should take care to provide separate set of services for each of the subnets. Wireless Network Services The set of services that can be visualized as being offered at various levels other than the lowest (subnet) level of a hierarchical campus network. At the root level, Infrastructure Authentication services for all the devices in the network that provide WNS and WDS are offered. In case if WNS are not distributed at several levels as shown in the hierarchy above and is confined to be offered only at a single root level, the services offered also include authentication services for the MNs. WNS Entity The logical entity that resides in an infrastructure node and offers WNS to the descendants of that infrastructure node in the wireless services hierarchy. WDS Entity The logical entity that resides in an infrastructure node and offers WDS to the descendants of that infrastructure node in the wireless services hierarchy. WS Entity Refers to one of WNS / WDS Entities. Parent Node The node that immediately precedes an infrastructure node in the hierarchy. For mobile nodes, the parent APs provide proxy wireless services by talking to their immediate parent nodes that offer WDS. Root Node The infrastructure node that is at the highest level in the services hierarchy and that offers WNS. The WNS entity acts as the IN Authenticator for the rest of the infrastructure nodes. In case if WNS are not distributed, the root node also acts as the Mobile Node Authenticator ( See description below ). Descendant A node that is in the sub-tree of the campus hierarchy tree rooted at the node providing WNS. Infrastructure Node ( IN ) Authenticator The logical entity that communicates with the AAA server and provides authentication Services for the infrastructure nodes. Details of the IN Authenticator have to be configured in the device providing WDS manually. The AP learns about the IN Authenticator automatically upon registering with its immediate parent. The WDS also includes MN authentication services if the entity providing WDS is at the root level in the hierarchy. Mobile Node ( MN ) Authenticator The logical entity that communicates with the AAA server and provides authentication Services for mobile nodes. An infrastructure node learns the whereabouts of the MN Authenticator from the root node. Wireless Network Manager ( WNM ) The network management system that manages the entire hierarchy of devices providing WNS and WDS. Advertisement The process by which the Access Points identify their parent nodes providing WDS. APs listen to the advertisements of the WDS entities and gets registered with one of those entities to facilitate secured context transfer. WLCCP Wireless LAN Context Control Protocol. Used to establish and manage the network topology and securely manage the 'operational context' for mobile stations in a campus network. AAA Authentication, Authorization, Accounting A node will request network access by executing a protocol to an authentication server that provides protocols and services for providing authentication, authorization and session accounting. Service Set Identifier ( SSID ) 802.11 Service Set Identifier. An SSID identifies a set of mobile nodes grouped into a logical 'service set' and the APs that provide access for the service set. Wired Equivalent Privacy (WEP) This protocol uses a pseudo random generator and RC4 stream cipher and is specified by the 802.11 standard as the algorithm for encryption and authentication over the wireless segment of the LAN. Temporal Key Integrity Protocol ( TKIP ) This protocol provides initialization vector hashing and a Message Integrity Check ( MIC ) to ensure data integrity. TKIP includes use of dynamic keys to defeat capture of passive keys. TKIP uses the RC4 cipher as WEP but the difference is that TKIP changes temporal keys every 10,000 packets thereby providing a dynamic distribution network that enhances the security of the network. Cisco Key Integrity Protocol ( CKIP ) A proprietary implementation similar to TKIP. CKIP implements key permutation for protecting the CKIP key against attacks. Other features of CKIP include expansion of encryption key to 16 bytes of length for key protection and MIC to ensure data integrity. Wireless services at subnet level ================================= +========+ | | | WDS | ( Subnet level - Broadcast | | domain ) +========+ / \ / \ / \ / \ / \ \/ \/ +~-~-~+ +~-~-~+ + + + + + AP + + AP + + + + + +~-~-~+ +~-~-~+ . . . . . . . . . . . . . . . . . . \/ \/ \/ +......+ +-.-.-.+ +~-~-~-+ + + + + + + + MN + + WGB + + AP + + + + + + + +......+ +-.-.-.+ +~-~-~-+ The above diagram depicts how wireless services are being offered in an infrastructure node implementing WDS. In such a network, the WDS entity provides authentication services to both the infrastructure and mobile nodes. The other entities in the diagram are the Mobile Node ( MN ), the Workgroup Bridge (WGB) and another AP-in-repeater mode. The Repeater-APs first perform initial authentication with the AAA server ( through WDS ) and then perform infrastructure authentication and registration with the WDS entity. The WGBs go through the same procedure as the MNs for authentication and registration with the WDS entity.