The work involved in updating wireless access points and clients for 802.11i compliance—not to mention verifying that they are compliant in the first place—is daunting, but actually migrating users to the new security framework can be equally complicated and requires a combination of strategies.
The simplest way to enable an 802.11i pilot project is to configure a new ESSID (Extended Service Set Identifier) with the AES-CCMP (Advanced Encryption Standard-Counter Mode/CBC-MAC Protocol) settings necessary for compliance. This new ESSID would run parallel with the existing ESSID.
As an alternate migration strategy, Cisco Systems Inc. recommends that administrators add another cipher to existing ESSIDs. To ease the process of moving users to a new cipher, the 802.11i specification allows devices to support mixed-mode encryption. This enables administrators to configure an ESSID to support both AES and older TKIP (Temporal Key Integrity Protocol) or WEP (Wired Equivalent Privacy) encryption schemes simultaneously.
To test these migration strategies, eWEEK Labs deployed a WPA (Wi-Fi Protected Access)-enabled network using Ciscos Aironet 1200 and Proxim Corp.s Orinoco AP-4000 access points, in conjunction with Funk Software Inc.s Steel-Belted Radius Server 4.71. For 802.1x authentication, we used EAP-TTLS (Extensible Authentication Protocol-Tunneled Transport Layer Security).
For clients, we used a pair of Dell Inc.s Latitude D505 laptops, each of which was equipped with Intel Corp.s Pro/Wireless 2200BG internal WLAN adapters. We configured Intels ProSet/Wireless software as the 802.1x client supplicant.
After determining that the network was working as expected, we proceeded with the upgrade, from WPA to 802.11i. We updated the access points with 802.11i-compliant firmware and ensured that each client had Version 9.0 of the Intel Pro/Set with driver Version 188.8.131.52.
Our ability to use both the parallel network and multiple ciphers to successfully migrate to 802.11i with minimal impact to current users depended largely on the access points with which we tested. This disparity could lead to migration headaches in heterogeneous hardware environments.
Both the Aironet and Orinoco access points support multiple encryption ciphers simultaneously. However, we preferred Proxims use of Security Profiles, which allowed us to selectively apply single or multiple encryption schemes per ESSID. Unfortunately, Proxim requires each ESSID on the same access point to use different VLAN (virtual LAN) tags. This meant we had to adjust settings on our wired infrastructure to support a separate pilot network.
On the other hand, Cisco activates ciphers on a per-device basis, and we had trouble figuring how to apply specific encryption to an ESSID from the Web interface until Cisco engineers provided us with sample command-line scripts. The Aironet devices also allowed us more freedom to apply multiple ESSIDs to the same VLAN.
Administrators should carefully investigate devices encryption options as well as their VLAN capabilities before embarking on an 802.11i deployment.