CISCO-LWAPP-MFP-MIB

This MIB is intended to be implemented on all those devices operating as Central Controllers (CC) that terminate the Light Weight Access Point Protocol tunnel from Light-weight LWAPP Access Points.

This MIB instrumentation provides the parameters used by the controller to control and monitor the behavior of the associated Access Points when following the newly defined Management Frame Protocol. The controller passes the MFP settings configured by the user through this MIB to the APs through LWAPP messages. The APs then begin to validate and verify the integrity of 802.11 management frames and report any anomalies found to the controller.

The relationship between CC and the LWAPP APs can be depicted as follows.

         +......+     +......+     +......+           +......+
         +      +     +      +     +      +           +      +
         +  CC  +     +  CC  +     +  CC  +           +  CC  +
         +      +     +      +     +      +           +      +
         +......+     +......+     +......+           +......+
           ..            .             .                 .
           ..            .             .                 .
          .  .            .             .                 .
         .    .            .             .                 .
        .      .            .             .                 .
       .        .            .             .                 .
    +......+ +......+     +......+      +......+          +......+
    +      + +      +     +      +      +      +          +      +
    +  AP  + +  AP  +     +  AP  +      +  AP  +          +  AP  +
    +      + +      +     +      +      +      +          +      +
    +......+ +......+     +......+      +......+          +......+
               .              .             .                 .
             .  .              .             .                 .
            .    .              .             .                 .
           .      .              .             .                 .
          .        .              .             .                 .
       +......+ +......+     +......+      +......+          +......+
       +      + +      +     +      +      +      +          +      +
       +  MN  + +  MN  +     +  MN  +      +  MN  +          +  MN  +
       +      + +      +     +      +      +      +          +      +
       +......+ +......+     +......+      +......+          +......+

The LWAPP tunnel exists between the controller and the APs. The MNs communicate with the APs through the protocol defined by the 802.11 standard.

LWAPP APs, upon bootup, discover and join one of the controllers, and the controller pushes the configuration, which includes the WLAN parameters, to the LWAPP APs. The APs then encapsulate all the 802.11 frames from wireless clients inside LWAPP frames and forward the LWAPP frames to the controller.

Reference [2] explains in detail the communication between the controller and APs, while Reference [1] explains the AP-MN communication.

To secure the 802.11 management traffic, the controller and the APs perform specific roles.

The controller acts as the central entity that generates and distributes signature keys, which the APs use to generate integrity check values, also known as signatures, for individual management frames. The APs append this signature in the form of an Information Element to the respective management frame to be transmitted. This is needed to isolate those potential rogue APs whose frames may not carry the frame signature.

The APs use the signature keys, generated and pushed to them by the controller for each BSSID reported as heard by the APs, to validate the integrity of the management traffic originating from various 802.11 sources. Any anomalies observed by the APs are reported to the controller. The controller makes the information about such events available to a Network Management Station in the form of notifications.

GLOSSARY

Access Point ( AP )
An entity that contains an 802.11 media access control ( MAC ) and physical layer ( PHY ) interface and provides access to the distribution services via the wireless medium for associated clients. LWAPP APs encapsulate all the 802.11 frames in LWAPP frames and send them to the controller to which they are logically connected.

AP-Authentication
With this feature enabled, the Access Points sending radio resource management neighbor packets with different RF network names will be reported as rogues.

Basic Service Set Identifier ( BSSID )
The identifier of the Basic Service Set controlled by a single coordination function. The identifier is usually the MAC address of the radio interface that hosts the BSS.

Central Controller ( CC )
The central entity that terminates the LWAPP protocol tunnel from the LWAPP APs. Throughout this MIB, this entity is also referred to as 'controller'.

Light Weight Access Point Protocol ( LWAPP )
This is a generic protocol that defines the communication between the Access Points and the Central Controller.

Management Frame Protection ( MFP )
A proprietary mechanism devised to integrity protect the otherwise unprotected management frames of the 802.11 protocol specification.

Message Integrity Check ( MIC )
A checksum computed on a sequence of bytes and made known to the receiving party in a data communication, to let the receiving party make sure the bytes received were not compromised en route.

Mobile Node ( MN )
A roaming 802.11 wireless device in a wireless network associated with an access point.

Network Management Station ( NMS )
The system through which the network administrator manages the controller and the APs associated to it.

REFERENCE

[1] Wireless LAN Medium Access Control ( MAC ) and Physical Layer ( PHY ) Specifications, ANSI/IEEE Std 802.11, 1999 Edition.

[2] Draft-obara-Capwap-lwapp-00.txt, IETF Light Weight Access Point Protocol
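The division of roles described above (controller issues a signature key per BSSID, the transmitting AP appends a MIC Information Element, a validating AP checks frames it hears and reports anomalies) is sketched below as an added example; it is not Cisco's code or wire format. HMAC-SHA1, the element ID 0xDD, the frame bytes and the anomaly names are assumptions made for illustration, since the MIB description does not specify them.

```python
import hashlib
import hmac
import os

MIC_IE_ID = 0xDD  # assumption: element ID chosen for illustration only
MIC_LEN = 20      # assumption: HMAC-SHA1; the MIB does not name the algorithm

class Controller:
    """Issues one signature key per BSSID and collects AP anomaly reports."""
    def __init__(self):
        self.keys, self.anomalies = {}, []

    def key_for(self, bssid):
        return self.keys.setdefault(bssid, os.urandom(32))

    def report(self, bssid, reason):
        self.anomalies.append((bssid, reason))

def sign_frame(key, frame):
    """Transmitting AP: append the MIC as a trailing Information Element."""
    mic = hmac.new(key, frame, hashlib.sha1).digest()
    return frame + bytes([MIC_IE_ID, MIC_LEN]) + mic

def validate_frame(cc, bssid, frame):
    """Validating AP: check a management frame heard from bssid."""
    key = cc.keys.get(bssid)
    if key is None:
        return None  # controller pushed no key for this BSSID
    body, ie = frame[:-(MIC_LEN + 2)], frame[-(MIC_LEN + 2):]
    if len(ie) != MIC_LEN + 2 or ie[:2] != bytes([MIC_IE_ID, MIC_LEN]):
        cc.report(bssid, "missing-mic")  # frame carries no signature IE
        return False
    expected = hmac.new(key, body, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, ie[2:]):
        cc.report(bssid, "invalid-mic")  # body does not match its signature
        return False
    return True

def demo():
    cc = Controller()
    bssid = "00:11:22:33:44:55"  # constructed sample BSSID
    beacon = b"\x80\x00" + b"constructed-beacon-body"  # constructed frame
    signed = sign_frame(cc.key_for(bssid), beacon)
    results = [validate_frame(cc, bssid, signed),   # signed by a managed AP
               validate_frame(cc, bssid, beacon),   # same BSSID, no MIC IE
               validate_frame(cc, bssid, b"\xc0\x00" + signed[2:])]  # altered
    return results, cc.anomalies

if __name__ == "__main__":
    print(demo())
```

The anomaly list kept by the controller stands in for the events that the MIB exposes to the NMS as notifications.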

MIB content (38 objects)

Information

Organization
Cisco Systems Inc.
Contact info
Cisco Systems, Customer Service
Postal: 170 West Tasman Drive San Jose, CA 95134 USA
Tel: +1 800 553-NETS
Email: cs-wnbu-snmp@cisco.com

Revisions

2007-01-20 15:45
The objects cLClientLastSourceMacAddress, cLMfpClientProtection and cLMfpClientMfpEnabled have been added.
2006-04-10 15:45
Initial version of this MIB module.