Migration to 802.11i Will Be a Bumpy Ride

By Andrew Garcia  |  Posted 2005-01-03

The work involved in updating wireless access points and clients for 802.11i compliance is daunting, but actually migrating users to the new security framework can be equally complicated.

The work involved in updating wireless access points and clients for 802.11i compliance—not to mention verifying that they are compliant in the first place—is daunting, but actually migrating users to the new security framework can be equally complicated and requires a combination of strategies.

The simplest way to enable an 802.11i pilot project is to configure a new ESSID (Extended Service Set Identifier) with the AES-CCMP (Advanced Encryption Standard-Counter Mode/CBC-MAC Protocol) settings necessary for compliance. This new ESSID would run parallel with the existing ESSID.

As an alternate migration strategy, Cisco Systems Inc. recommends that administrators add another cipher to existing ESSIDs. To ease the process of moving users to a new cipher, the 802.11i specification allows devices to support mixed-mode encryption. This enables administrators to configure an ESSID to support both AES and older TKIP (Temporal Key Integrity Protocol) or WEP (Wired Equivalent Privacy) encryption schemes simultaneously.
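Whichever strategy is used, it is worth confirming from the air what each ESSID actually advertises, since a mixed-mode ESSID announces both AES-CCMP and TKIP in its 802.11i RSN element (and typically still carries the older WPA vendor element), while a CCMP-only pilot ESSID announces only CCMP. The parser below is an added example written for this article, not eWEEK's or any vendor's code; the two information-element blobs it decodes are constructed, and the element layouts are those defined by 802.11i and WPA.

```python
import struct

CIPHERS = {0: "group", 1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
RSN_OUI, WPA_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"

def parse_security_ie(body, oui):
    # Shared layout of the RSN element (802.11i, ID 48) and the WPA vendor element:
    # version(2) | group suite(4) | pairwise count(2) | pairwise suites(4 each) | AKM list ...
    if body[2:5] != oui:
        raise ValueError("unexpected group cipher OUI")
    count, = struct.unpack_from("<H", body, 6)
    pairwise = []
    for i in range(count):
        suite = body[8 + 4 * i:12 + 4 * i]
        if len(suite) < 4 or suite[:3] != oui:
            raise ValueError("malformed pairwise suite selector")
        pairwise.append(CIPHERS.get(suite[3], "unknown(%d)" % suite[3]))
    return {"group": CIPHERS.get(body[5], "unknown"), "pairwise": pairwise}

def parse_ies(ies):
    # Walk the tagged parameters of a beacon/probe response (fixed fields already stripped).
    found, off = {}, 0
    while off + 2 <= len(ies):
        eid, elen = ies[off], ies[off + 1]
        data = ies[off + 2:off + 2 + elen]
        if len(data) < elen:
            raise ValueError("truncated element")
        if eid == 48:
            found["RSN"] = parse_security_ie(data, RSN_OUI)
        elif eid == 221 and data[:4] == WPA_OUI + b"\x01":
            found["WPA"] = parse_security_ie(data[4:], WPA_OUI)
        off += 2 + elen
    return found

def classify(found):
    # The group (broadcast) cipher must be one every station supports, so in mixed mode it
    # falls back to TKIP: only the per-station unicast traffic of AES clients gets CCMP.
    rsn, wpa = found.get("RSN"), found.get("WPA")
    pairwise = set((rsn or {}).get("pairwise", [])) | set((wpa or {}).get("pairwise", []))
    legacy = sorted(pairwise & {"TKIP", "WEP-40", "WEP-104"}) + (["WPA(v1) element"] if wpa else [])
    if not pairwise:
        return "no RSN/WPA element (open or static WEP)"
    if "CCMP" in pairwise and not legacy:
        return "802.11i only (AES-CCMP)"
    if "CCMP" in pairwise:
        return "mixed mode (AES-CCMP plus " + ", ".join(legacy) + ")"
    return "legacy only (" + ", ".join(sorted(pairwise)) + ")"

# Constructed tagged-parameter blobs, not captures from the eWEEK lab network.
PILOT_IES = bytes.fromhex("000570696c6f74" "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")  # SSID "pilot" + RSN: CCMP only
MIXED_IES = bytes.fromhex("0004636f7270" "3018" "0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac01" "0000"  # SSID "corp" + RSN: CCMP+TKIP
    "dd16" "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f201")  # WPA v1 vendor element: TKIP only
```

Feed `parse_ies` the tagged parameters from a captured beacon (for example via a packet library that exposes the frame body) and `classify` reports whether the ESSID is CCMP-only, mixed, or legacy.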

To test these migration strategies, eWEEK Labs deployed a WPA (Wi-Fi Protected Access)-enabled network using Cisco's Aironet 1200 and Proxim Corp.'s Orinoco AP-4000 access points, in conjunction with Funk Software Inc.'s Steel-Belted Radius Server 4.71. For 802.1x authentication, we used EAP-TTLS (Extensible Authentication Protocol-Tunneled Transport Layer Security).

For clients, we used a pair of Dell Inc.'s Latitude D505 laptops, each of which was equipped with Intel Corp.'s Pro/Wireless 2200BG internal WLAN adapters. We configured Intel's ProSet/Wireless software as the 802.1x client supplicant.

After determining that the network was working as expected, we proceeded with the upgrade from WPA to 802.11i. We updated the access points with 802.11i-compliant firmware and ensured that each client had Version 9.0 of the Intel ProSet with driver Version

Our ability to use both the parallel network and multiple ciphers to successfully migrate to 802.11i with minimal impact to current users depended largely on the access points with which we tested. This disparity could lead to migration headaches in heterogeneous hardware environments.

Both the Aironet and Orinoco access points support multiple encryption ciphers simultaneously. However, we preferred Proxim's use of Security Profiles, which allowed us to selectively apply single or multiple encryption schemes per ESSID. Unfortunately, Proxim requires each ESSID on the same access point to use different VLAN (virtual LAN) tags. This meant we had to adjust settings on our wired infrastructure to support a separate pilot network.

On the other hand, Cisco activates ciphers on a per-device basis, and we had trouble figuring out how to apply specific encryption to an ESSID from the Web interface until Cisco engineers provided us with sample command-line scripts. The Aironet devices also allowed us more freedom to apply multiple ESSIDs to the same VLAN.

Administrators should carefully investigate devices' encryption options as well as their VLAN capabilities before embarking on an 802.11i deployment.

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
