RAATS WIFI




Wi-Fi is a Passion

blogs

Infrastructure Services



When you design a wireless network, you do not need only wireless knowledge. Since the wireless network uses the wired networks, there are infrastructure services that need to be taken into consideration during the design.

DHCP
DHCP provides the IP address, subnet masks, default gateway, DNS servers, lease duration, and some other configuration options. How are you using the scopes in your new network? Does every SSID have its own scope? Are access points in a different DHCP scope? These are some questions that should be asked during the design phase. You need to think about how big the subnets need to be, and also future growth. You want a separate subnet for the wired and wireless, but probably also for the guest wireless.

There are two options that are used to provide the WLAN controller IP address. That is option 43 and 60. Option 60 is used for specific vendors, for example, if you have different type of vendors or two types of access points that have their own controller.

DNS
As we all know, DNS is for resolving domain names to IP addresses. Wireless networks use DNS as an option to locate the wireless LAN controller instead of option 43 with DHCP. When there is no option 43 set, a Cisco access point will try to resolve CISCO-CAPWAP-CONTROLLER.localdomain.

Other options for locating the controller are stored in the NVRAM or a layer 3 subnet broadcast.

Network Time Protocol (NTP)
NTP is used for the accurate time, and that is very helpful with logging. When you do a debug on the controller and together a packet trace with a laptop, both times should be in sync to correlate the messages.

Firewall configuration
When there is a firewall between the access points and the wireless LAN controller, some new firewall rules need to be added. For CAPWAP ports UDP ports 5246 and 5247 should be allowed. For LWAPP, UPD ports 12222 and 12223 should be allowed. Those are the default ports for CAPWAP and LWAPP, but vendors can have other ports that need to be required.

ACL management
Access Control Lists are used on routers to control traffic, so be sure that there are no ACLs active that block traffic. ACLs can be like firewalls and sometimes the UDP ports for LWAPP and CAPWAP need to be added in an ACL rule as well.

VLAN management
With the DHCP part, I already explained that it is wise to separate the wired and wireless traffic, or wireless traffic and wireless guest traffic. With VLAN, it is possible to segment the networks. You can segment the network based on SSID or through RADIUS.

RADIUS and LDAP
RADIUS server is used for the authentication process with 802.1X. LDAP is the protocol to connect to a directory service, with the usernames and passwords, for example Microsoft Active Directory. There are different types of LDAP services and RADIUS services.

Public Key Infrastructure (PKI)

Not all companies have a PKI installed in their environment, but there are EAP types that need server certificates or client certificates (EAP-TLS, for example). If there is a PKI, this helps you to decide which EAP type needs to be selected.

RBAC implementation
Role-Base Access Control is a security solution that does authorisation based on roles or groups instead of single users. RBAC uses groups with roles and other capabilities assigned to those groups.

BYOD and MDM solutions
Bring your own device and the management tool, Mobile Device Management, are becoming more important within the business. Most employees prefer their own devices to work with. MDM can be operating in the cloud as a software as a service or on-premise. With on-premise, it will still work during an internet outage. MDM can operate together with Network Access Control (NAC) solution. If a client doesn’t have an antivirus, the access to the internet will be blocked and the user will be placed into a quarantine network. With designing a network with MDM included, take into consideration what type of onboarding will be needed (self or manually), which devices, which operating system and version, and if the devices need to be containerized and what features are needed.