CISCO-LWAPP-WLAN-SECURITY-MIB

This MIB is intended to be implemented on all those devices operating as Central controllers, that terminate the Light Weight Access Point Protocol tunnel from Cisco Light-weight LWAPP Access Points. Information provided by this MIB is for WLAN security related features as specified in the CCKM, CKIP specifications. The relationship between the controller and the LWAPP APs is depicted as follows: +......+ +......+ +......+ + + + + + + + CC + + CC + + CC + + + + + + + +......+ +......+ +......+ .. . . .. . . . . . . . . . . . . . . . . . . +......+ +......+ +......+ +......+ + + + + + + + + + AP + + AP + + AP + + AP + + + + + + + + + +......+ +......+ +......+ +......+ . . . . . . . . . . . . . . . . . . . +......+ +......+ +......+ +......+ + + + + + + + + + MN + + MN + + MN + + MN + + + + + + + + + +......+ +......+ +......+ +......+ The LWAPP tunnel exists between the controller and the APs. The MNs communicate with the APs through the protocol defined by the 802.11 standard. LWAPP APs, upon bootup, discover and join one of the controllers and the controller pushes the configuration, that includes the WLAN parameters, to the LWAPP APs. The APs then encapsulate all the 802.11 frames from wireless clients inside LWAPP frames and forward the LWAPP frames to the controller. GLOSSARY 802.1x The IEEE ratified standard for enforcing port based access control. This was originally intended for use on wired LANs and later extended for use in 802.11 WLAN environments. This defines an architecture with three main parts - a supplicant (Ex. an 802.11 wireless client), an authenticator (the AP) and an authentication server(a Radius server). The authenticator passes messages back and forth between the supplicant and the authentication server to enable the supplicant get authenticated to the network. Access Point ( AP ) An entity that contains an 802.11 medium access control ( MAC ) and physical layer ( PHY ) interface and provides access to the distribution services via the wireless medium for associated clients. LWAPP APs encapsulate all the 802.11 frames in LWAPP frames and sends them to the controller to which it is logically connected. Advanced Encryption Standard ( AES ) In cryptography, the Advanced Encryption Standard (AES), also known as Rijndael, is a block cipher adopted as an encryption standard by the US government. It is expected to be used worldwide and analysed extensively, as was the case with its predecessor, the Data Encryption Standard (DES). AES was adopted by National Institute of Standards and Technology (NIST) as US FIPS PUB 197 in November 2001 after a 5-year standardisation process. Central Controller ( CC ) The central entity that terminates the LWAPP protocol tunnel from the LWAPP APs. Throughout this MIB, this entity also referred to as 'controller'. Cisco Centralized Key Management ( CCKM ) Client and AP exchange several EAPOL packets in the process of EAP authenticaton to determine dynamic session key (NSK), which is used for encrypting packets between them. When client moves to new-AP, it has to mutually authenticate with the new-AP and derive new NSK. This is being done by using complete EAP authentication (which is time consuming and causes noticeable delay in the voice application). Till that time, no data packets are being transmitted between new-AP and client. CCKM implementation in first controller caches client's credentials like session, vlanid, ssid, etc. and propagates the same to other controllers in mobility group. Currently a set of controller can be configured as part of a mobility group. If client roams across access points associated to this set of controllers, then with CCKM implementation in place, the L2 authentication will not happen. To make this happen a CCKM cache is maintained on each controller and the first controller where client gets associated update rest of the controllers in mobility group. On later reassociations, controller validates the CCKM specific IE present and allow associations. Wireless LAN Access Points (APs) manufactured by Cisco Systems have features and capabilities beyond those in related standards (e.g., IEEE 802.11 suite of standards, Wi-Fi recommendations by WECA, 802.1X security suite, etc). A number of features provide higher performance. For example, Cisco AP transmits a specific Information Element, which the clients adapt to for enhanced performance. Similarly, a number of features are implemented by means of proprietary Information Elements, which Cisco clients use in specific ways to carry out tasks above and beyond the standard. Other examples of feature categories are roaming and power saving. Cisco Key Integrity Protocol ( CKIP ) A proprietary implementation similar to TKIP. CKIP implements key permutation for protecting the CKIP key against attacks. Other features of CKIP include expansion of encryption key to 16 bytes of length for key protection and MIC to ensure data integrity. Light Weight Access Point Protocol ( LWAPP ) This is a generic protocol that defines the communication between the Access Points and the Central Controller. Mobile Node ( MN ) A roaming 802.11 wireless device in a wireless network associated with an access point. Mobile Node and client are used interchangeably. Multilinear Modular Hash ( MMH ) This is a message authentication code. The original message is run through the hash (with a secret key), and the code is the result. The code is sent along with the original message. The receiver of the message calculates the hash over the original message (also with the secret key) and compares the final message authentication code with the code sent with the message. If the two codes match, the receiver can be assured that the original message is authentic. Pre-Shared Key ( PSK ) Pre-shared keys are normally used for interoperability purposes. The basic idea is that two parties sharing a common secret can communicate securely. This idea has been used since cryptography first sprung onto the scene. Temporal Key Integrity Protocol ( TKIP ) A security protocol defined to enhance the limitations of WEP. Message Integrity Check and per-packet keying on all WEP-encrypted frames are two significant enhancements provided by TKIP to WEP. Wired Equivalent Privacy ( WEP ) A security method defined by 802.11. WEP uses a symmetric key stream cipher called RC4 to encrypt the data packets. Wi-Fi Protected Access ( WPA ) Wi-Fi Protected Access (WPA and WPA2) are security systems created in response to several serious weaknesses found in Wired Equivalent Privacy (WEP). WPA implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. WPA is designed to work with all wireless network interface cards, but not necessarily with first generation wireless access points. REFERENCE [1] Wireless LAN Medium Access Control ( MAC ) and Physical Layer ( PHY ) Specifications, Amendment 6, MAC Security Enhancements. [2] draft-obara-capwap-lwapp-00.txt, IETF Light Weight Access Point Protocol

MIB content (27 objects)

1.3.6.1.4.1.9.9.521 ciscoLwappWlanSecurityMIB
1.3.6.1.4.1.9.9.521.0 ciscoLwappWlanSecurityMIBNotifs
1.3.6.1.4.1.9.9.521.1 ciscoLwappWlanSecurityMIBObjects
1.3.6.1.4.1.9.9.521.1.1 clwsCckmConfig
1.3.6.1.4.1.9.9.521.1.2 clwsCkipConfig
1.3.6.1.4.1.9.9.521.2 ciscoLwappWlanSecurityMIBConform
1.3.6.1.4.1.9.9.521.2.1 ciscoLwappWlanSecurityMIBCompliances
1.3.6.1.4.1.9.9.521.2.2 ciscoLwappWlanSecurityMIBGroups
1.3.6.1.4.1.9.9.521.1.1.1 cLWSecDot11EssCckmTable
1.3.6.1.4.1.9.9.521.1.1.2 cLWSecDot11EssCkipTable
1.3.6.1.4.1.9.9.521.1.1.1.1 cLWSecDot11EssCckmEntry
1.3.6.1.4.1.9.9.521.1.1.2.1 cLWSecDot11EssCkipEntry
1.3.6.1.4.1.9.9.521.1.1.1.1.1 cLWSecDot11EssCckmWpaSupport
1.3.6.1.4.1.9.9.521.1.1.1.1.2 cLWSecDot11EssCckmWpa1Security
1.3.6.1.4.1.9.9.521.1.1.1.1.3 cLWSecDot11EssCckmWpa1EncType
1.3.6.1.4.1.9.9.521.1.1.1.1.4 cLWSecDot11EssCckmWpa2Security
1.3.6.1.4.1.9.9.521.1.1.1.1.5 cLWSecDot11EssCckmWpa2EncType
1.3.6.1.4.1.9.9.521.1.1.1.1.6 cLWSecDot11EssCckmKeyMgmtMode
1.3.6.1.4.1.9.9.521.1.1.1.1.7 cLWSecDot11EssPskFmt
1.3.6.1.4.1.9.9.521.1.1.1.1.8 cLWSecDot11EssPsk
1.3.6.1.4.1.9.9.521.1.1.2.1.1 cLWSecDot11EssCkipSecurity
1.3.6.1.4.1.9.9.521.1.1.2.1.2 cLWSecDot11EssCkipKeyIndex
1.3.6.1.4.1.9.9.521.1.1.2.1.3 cLWSecDot11EssCkipKeyLength
1.3.6.1.4.1.9.9.521.1.1.2.1.4 cLWSecDot11EssCkipKeyFmt
1.3.6.1.4.1.9.9.521.1.1.2.1.5 cLWSecDot11EssCkipKey
1.3.6.1.4.1.9.9.521.1.1.2.1.6 cLWSecDot11EssCkipMMHMode
1.3.6.1.4.1.9.9.521.1.1.2.1.7 cLWSecDot11EssCkipKPEnable

Informations

Organization: Cisco Systems, Inc.
Contact info: Cisco Systems, Customer Service Postal: 170 West Tasman Drive San Jose, CA 95134 USA Tel: +1 800 553-NETS Email: cs-wnbu-snmp@cisco.com

Revisions

2006-04-11 00:00: Initial version of this MIB module.