Organizations are adopting wireless LANs (WLANs) to increase business productivity and accessibility. Network managers need an integrated solution that provides them with the control they need to effectively manage and secure their WLANs. The Cisco® Structured Wireless-Aware Network (SWAN) facilitates the adoption and control of WLANs by extending "wireless awareness" into important elements of the network infrastructure, providing the same level of security, scalability, reliability, ease of deployment, and management for wireless LANs that organizations have come to expect from their wired LANs.
Cisco SWAN offers comprehensive WLAN management solutions that can scale to different customer deployments and sizes. CiscoWorks Wireless LAN Solution Engine (WLSE) is the management console for Cisco SWAN when Cisco Aironet® autonomous access points are used. CiscoWorks WLSE can manage hundreds to thousands of Cisco Aironet access points for medium-sized to large enterprises and wireless vertical markets from a centralized management console. CiscoWorks WLSE helps to simplify and automate the deployment and security of WLANs, helping ensure their smooth operation and availability.
Cisco SWAN for Cisco Aironet autonomous access points also includes a new management platform, the CiscoWorks Wireless LAN Solution Engine Express (WLSE Express), for small- and midsized-business or enterprise branch-office WLAN deployments of up to 100 Cisco Aironet access points. CiscoWorks WLSE Express includes the same WLAN management features of CiscoWorks WLSE, plus an integrated and embedded AAA server for user authentication, making it an ideal solution for remote branch-office deployments with limited WAN bandwidth. Please refer to the CiscoWorks WLSE Express data sheet for more details.
CiscoWorks WLSE is a centralized network management solution for managing the entire Cisco Aironet WLAN infrastructure. As the management component of the Cisco SWAN Cisco Aironet autonomous access point solution, CiscoWorks WLSE provides comprehensive air/radio frequency (RF) and device-management capabilities in ways that simplify deployment, reduce operational complexity, and provide administrators visibility into the WLAN. By automating several RF and device-management tasks, CiscoWorks WLSE reduces the costs and time needed for WLAN deployment, management, and security.
By using Cisco Aironet access points as air/RF monitors, CiscoWorks WLSE provides WLAN intrusion detection and protection. As part of the Cisco SWAN WLAN Intrusion Detection System (IDS), CiscoWorks WLSE quickly and easily detects, locates (Figure 1), and disables unauthorized (rogue) access points, helping to ensure that security policies are applied consistently throughout the network. CiscoWorks WLSE .further enhances the security of the WLAN by monitoring for unplanned (ad-hoc or peer-to-peer networks) networks, unauthorized WLAN client networks, client spoofing, and other WLAN attacks that may introduce security openings in the network. These capabilities can benefit any organization, including those that have not formally deployed WLANs but want to guard against intruders.
CiscoWorks WLSE provides dynamic RF management through self-healing, which enables a Cisco Aironet access point to adjust its cell-coverage area automatically when an adjacent access point becomes disabled or fails. It also helps optimize performance by detecting and locating RF interference while proactively monitoring usage and faults.
To facilitate Cisco Aironet access point rollout, CiscoWorks WLSE's deployment wizard allows administrators to create contextual access point configurations that can be automatically installed as the access points are plugged into the network. Specific access point configurations can be applied depending on flexible deployment criteria. This reduces deployment times, increases security and configuration consistency, while reducing user-caused configuration errors.
CiscoWorks WLSE may be transparently integrated with other network management systems, operations support systems, and CiscoWorks applications through syslog messages, Simple Network Management Protocol (SNMP) traps, and an Extensible Markup Language (XML) interface. CiscoWorks WLSE's secure HTML-based user interface provides access anywhere, including through firewalls.
KEY FEATURES AND BENEFITS
CiscoWorks WLSE speeds deployment by automating configuration and setup, reducing the overall cost to provision WLANs. The result is superior return on investment and enhanced productivity.
• Automatic access-point configuration---CiscoWorks WLSE can automatically discover and configure newly deployed Cisco Aironet autonomous access points using Dynamic Host Configuration Protocol (DHCP), with the flexibility to assign different configurations based on the access-point device type, its source subnet, and its software version. CiscoWorks WLSE provides an easy-to-use deployment wizard to specify the configuration criteria up front. This allows administrators to automate deployment and simultaneously maintain control in rapidly expanding environments. The deployment wizard also simplifies and automates the setup of the Wireless Domain Services (WDS) that plays an important role in the Cisco SWAN Cisco Aironet autonomous access point solution for mobility and RF aggregation services. For deployments that use Cisco Aironet access points as a WDS device, CiscoWorks WLSE can automatically designate a WDS access point and apply the right configuration to it without requiring manual setup.
• Assisted site surveys---Complete and reliable WLAN coverage is achieved only with a detailed site survey. Site surveys are essential during deployment, and they should be performed regularly thereafter to address changes in the environment. Site surveys once required special knowledge and were both expensive and time-consuming. Most organizations contracted with outside consultants, but CiscoWorks WLSE helps IT managers to perform cost-effective site surveys in-house without being experts in RF propagation and measurement. The assisted site survey tool automatically determines optimal frequency selection, transmit power, and other settings, which the administrator can then apply. The coverage areas can be defined to cover only specified areas. CiscoWorks WLSE also provides an automated re-site survey that periodically assesses the performance of the network with respect to baseline site-survey settings. When radio settings in the network are no longer optimal, CiscoWorks WLSE generates a notification allowing the administrator to quickly apply newer, more optimal radio settings.
CiscoWorks WLSE automates a wide range of repetitive, time-consuming tasks, simplifying the management of Cisco Aironet access points and bridges to enhance productivity for network administrators.
• Centralized firmware updates---Access point and bridge firmware may be updated in mass. Updates may be assigned to a specific device or to groups. Tasks may be scheduled or executed on demand.
• Mass configuration changes---Configuring a group with hundreds of devices requires no more effort than configuring a single device. Configuration tasks may be scheduled or executed on demand. CiscoWorks WLSE supports all the configuration settings available on Cisco Aironet access points, including Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) security settings. Configuration updates are done using Secure Shell (SSH) Protocol.
• Mass conversion to Cisco IOS® Software---CiscoWorks WLSE can perform mass upgrades of older Cisco Aironet 1200 and Aironet 350 series access points running VxWorks to newer Cisco IOS Software versions. (Many of the RF management and Cisco SWAN features require that access points run Cisco IOS Software.)
• Dynamic grouping---The Device Groups feature makes administering the WLAN more effective and intuitive. Devices may be organized into hierarchical groups defined by the administrator. Groups may span multiple subnets.
• Automated discovery---CiscoWorks WLSE automatically discovers Cisco Aironet access points, bridges, and switches connected to access points using Cisco Discovery Protocol. Discovery may be scheduled or run on demand.
• Configuration archive---The CiscoWorks WLSE is able to store the last four configuration versions for each managed access point, allowing configuration tasks to be undone.
• VLAN configuration---VLANs on access points may be configured and monitored, allowing differentiation of LAN policies and services, such as security and quality of service, for different users on enterprise and public-access VLANs.
• Multiple Basic Service Set Identifier (MBSSID) support---CiscoWorks WLSE supports the configuration of multiple broadcast Service Set Identifiers (SSIDs). It supports up to eight broadcast SSIDs per access point radio.
• Customizable thresholds---Administrators may define different faults and performance thresholds for specific sites and groups accompanied by specific actions and fault priorities. A centralized fault screen simplifies quick resolution of problems. Various WLAN health indicators such as network load, RF usage, errors, and client associations can be monitored.
• Fault status---CiscoWorks WLSE provides a centralized tree view of all access points and device groups. Color coding and group icons indicate fault status. Faults may be filtered and sorted by priority to facilitate viewing and resolving problems.
• Fault notification---Fault notification and forwarding are implemented with syslog messages, SNMP traps, and e-mail.
• Switch monitoring---Switches connected to access points are monitored for availability and the utilization of ports, CPU, and memory.
Security and WLAN Intrusion Detection
WLAN threat defense is provided for the Cisco SWAN Cisco Aironet autonomous access point solution through a WLAN intrusion detection system (IDS). Organizations need to protect their RF environment and data networks from unauthorized access. Unauthorized (rogue) access points installed by employees or intruders create security breaches that put the entire network at risk. Cisco SWAN WLAN IDS quickly detects, locates, and automatically shuts down rogue access points. CiscoWorks WLSE provides effective rogue access-point switch-port tracing by monitoring and using the clients that are associated to rogue access points, thus providing a means to contain the rogue access point by shutting down the switch port connected to the rogue access point.
CiscoWorks WLSE detects unauthorized WLANs, and locates and identifies which wireless clients are participating in the network. It also detects clients spoofing authorized MAC addresses and generates notifications. CiscoWorks WLSE monitors per-channel excess wireless management frames such as excess association, disassociation, probe requests, responses, and authentication and deauthentication frames that may signal WLAN attacks such as denial-of-service and "man-in-the-middle" attacks. EAP over LAN (EAPOL) flood-message monitoring provides a means to detect excess authentication requests by an intruder.
CiscoWorks WLSE provides a WLAN IDS dashboard that acts as a launch pad for all WLAN IDS features. The dashboard provides a summary of all WLAN IDS alarms. In addition, it displays WLAN IDS reports pertaining to rogue access points, unauthorized networks, and unregistered clients, which can be exported using comma separated value (CSV), PDF, and XML formats. These reports provide detailed information including the estimated location of the WLAN IDS fault, which access point detected it, its channel, and its basic service set identifier (BSSID). Administrators can select and enable specific WLAN IDS events they are interested in through a WLAN IDS profile. These WLAN IDS profiles can be customized per location to provide greater flexibility and control. Notifications can be sent through e-mail, syslog, or SNMP trap messages.
WLAN IDS protection can be tailored to suit individual needs:
• Integrated WLAN IDS---Standard Cisco Aironet access points are deployed with the radio (IEEE 802.11a, b, or g) placed in multifunction mode to service client devices and to provide WLAN intrusion monitoring. Intrusion detection information is gathered from the access points that scan the RF environment. Optionally, Cisco client cards and Cisco compatible client devices provide additional information about the RF environment. Rogue access-point detection, unauthorized WLAN detection, and excess management-frame detection are supported using the integrated WLAN IDS.
• Dedicated WLAN IDS---A dedicated access-point-only WLAN is deployed with the access-point radio (802.11a, b, or g) placed in radio scan mode to support WLAN intrusion monitoring. Access points configured for dedicated IDS do not support clients. This solution provides continuous monitoring of the RF environment. Active-but-unassociated client device monitoring is supported to minimize the risk of clients associating to rogue access points and to protect the network from malicious intruders probing the RF environment for weaknesses.
Other security features of CiscoWorks WLSE include:
• Security policy monitoring---All access points on the network are monitored for consistent application of security policies. Alerts are generated for violations and can be delivered by e-mail, syslog, or SNMP trap notifications. Several policies including SSIDs, security schemes (Open, EAP), encryption, and telnet and HTTP settings can be monitored for enforcement.
• Monitoring of IEEE 802.1X server availability---IEEE 802.1X Extensible Authentication Protocol (EAP) servers, including Cisco Secure access control servers (ACSs), are monitored for response time. Cisco LEAP, EAP-Flexible Authentication via Secure Tunneling (EAP-FAST), Protected EAP (PEAP), and generic RADIUS authentication types are supported.
• Secure user interface---CiscoWorks WLSE provides a secure HTML-based user interface that may be accessed anywhere, even through firewalls. In addition to the Web-based GUI, a command-line interface (CLI) like that in Cisco IOS Software provides direct console, Telnet, or SSH access for basic configuration and troubleshooting. CiscoWorks WLSE communicates with access points using HTTP Secure Sockets Layer (SSL) sessions for management.
• Role-based access model---CiscoWorks WLSE has a flexible, role-based user access model. For example, help desk personnel can be limited to viewing reports and faults. Several common authentication modules are supported, including TACACS+, RADIUS, and Microsoft NT Domain authentication.
Performance Optimization and High Availability
Interference detection and location is critical to maintaining a reliable WLAN. RF measurements sent to CiscoWorks WLSE include measurements for both 802.11 and non-802.11 interference. If the interference exceeds an administrator-defined threshold, a fault is generated so that the administrator can quickly locate and suppress the source of the interference.
• Air/RF scanning and monitoring---Cisco Aironet access points are multifunctional, with built-in RF scanning and measurement capabilities. CiscoWorks WLSE analyzes these RF measurements, provides notification if performance degrades, and displays air/RF coverage (Figure 2). It also analyzes RF measurements from Cisco Aironet and Cisco compatible client devices. Client air scanning and monitoring provide 10 to 20 times more RF measurement data than access-point RF measurements alone. Because WLAN clients can freely move about all areas of a building, the addition of client scanning and monitoring extends RF monitoring into areas most likely to contain rogue access points while allowing for more accurate detection.
Figure 2. Assisted Site Survey, Access Point Scan Mode
• Interference detection---CiscoWorks WLSE catalogs the physical location of all managed access points and creates a site map of the WLAN installation. This allows the wireless-aware network to detect points of interfering RF energy that affect network performance. The source of this energy could be a rogue access point or a device that operates in the same frequency range, such as a cordless telephone or leaky microwave oven. Interference detection and location is critical to maintaining a reliable WLAN. Administrators can define thresholds to generate fault notifications when detected interference levels are exceeded.
• Self-healing WLANs---CiscoWorks WLSE can detect and compensate for an access point that has failed by automatically increasing the power and cell coverage of surrounding access points. The self-healing process provides contiguous coverage to maximize the available coverage of the WLAN and minimize client impact.
• Automated re-site surveys---CiscoWorks WLSE automatically reassesses radio throughput and performance to provide notification if performance falls below administrator-defined thresholds. New optimal settings can be found by running the site survey wizard, and can then be applied to the network.
• Support for 802.11h/Dynamic Frequency Selection---When Cisco Aironet 802.11a access points detect radar transmission on the same channel, they change the frequency to not interfere with the radar frequency. CiscoWorks WLSE will be notified of this and update its RF data model and Location Manager GUI coverage display to reflect the changes.
• Warm standby redundancy---CiscoWorks WLSE supports redundancy through a primary and backup mechanism. If the primary WLSE fails, the backup WLSE automatically takes over. Data such as performance data, fault messages, and radio scans between the primary and backup WLSE is synchronized on a user-defined interval to minimize the loss of collected data when a backup WLSE takes over. A notification is generated during the switchover.
Reporting, Trending, Planning, and Troubleshooting
Real-time client tracking is a powerful tool for troubleshooting client network-access issues. Using only a client name, user name (supported for Cisco LEAP and PEAP), or MAC address, it is easy to determine which access point a client is associated to in real time. In addition, the previous 10 associations for the client and associated access points can be accessed to aid in troubleshooting.
CiscoWorks WLSE provides several reports to monitor the health of the network. Information about network usage, client association and usage, historical and current client-usage statistics, Cisco Aironet access point Ethernet and radio interfaces status, and error details are displayed in both graphical and tabular form. Reports may be generated both at the individual device level and the group level. All reports may be scheduled, delivered by e-mail, or exported in CSV, XML, and PDF formats.
CiscoWorks WLSE also provides comprehensive coverage display overlaid on floor maps to provide visibility into the RF environment. The CiscoWorks WLSE Location Manager tool can display a graphical view of radio coverage by data rate and signal strength. CiscoWorks WLSE also supports RF management for directional antennas. Details about device settings, including channel and power, can be overlaid on the coverage display.
When network faults are detected or user-defined performance thresholds are exceeded, CiscoWorks WLSE can generate notifications through SNMP trap and syslog messages. Integration with third-party network management systems is provided through these event messages As part of the CiscoWorks network management product line, CiscoWorks WLSE integrates with the CiscoWorks LAN Management Solution (LMS) and other CiscoWorks applications to increase the efficiency of managing a converged wired and wireless network. Device inventory and credentials, for example, can be imported or exported between CiscoWorks WLSE and CiscoWorks LMS's Resource Manager Essentials (RME) tool, an application that provides broad network management for a wide range of Cisco devices. If desired, device discovery may be turned off to allow automatic inventory synchronization with CiscoWorks RME. CiscoWorks WLSE uses the same default user roles as CiscoWorks LMS, but it allows customization. CiscoWorks WLSE can be launched from the CiscoWorks LMS desktop.
CiscoWorks WLSE also provides an XML API for exporting data and for third-party integration. Devices in the network, detected faults and alarms, reports, and information collected from the network using SNMP can be exported to other external systems for customization.
CiscoWorks WLSE itself is a manageable entity which supports SNMP MIB-II. CPU and memory utilization of CiscoWorks WLSE can be monitored using SNMP.
FEATURES AND BENEFITS
Table 1 summarizes the features and benefits of CiscoWorks WLSE.
Table 1. Features and Benefits
WLAN IDS with Rogue Access-Point Detection, Switch-Port Shutdown, Client MAC Spoofing, and WLAN Attack Detection
Eliminates security threats posed by malicious intruders and by employee-installed unauthorized access points
Automated Cisco Aironet Access Point Deployment using the CiscoWorks WLSE Deployment Wizard
Allows for rapid deployment and expansion of the WLAN
Notifies administrators quickly about conditions that may affect network performance
Self-Healing Adjusts Cell Coverage Area to Compensate for Disabled or Failed Access Points
Increases WLAN availability and optimizes WLAN performance
Assisted Site Survey Tool
Assisted site surveys performed by IT personnel reduce the costs, skills, and time required to make optimal radio settings for best network performance
Automated Re-Site Surveys
Maintains peak WLAN performance and reliable WLAN coverage by periodically reassessing the performance of optimal settings in the network
Automated Configuration and Bulk Firmware Updates
Simplifies daily operations and management
Access Point and bridge Security-Policy Misconfiguration Detection and Alerts
Enhances security by monitoring consistency throughout the network
Proactive Fault and Performance Monitoring
Increases WLAN availability
Access-Point-Group Usage Reports
Fast troubleshooting improves user satisfaction
XML Data Export
Facilitates integration with third-party applications
SUPPORTED CISCO DEVICES
For up-to-date device support information, please visit