Wireless LAN switching centralizes control of access points much as intelligent switching did for the wired world. The technology provides the structured blueprint and centralized troubleshooting tools needed to scale and secure wireless LANs beyond individual departments and across a corporation. In the current wireless LAN model, each access point is an isolated system that provides 802.11 functions such as encryption and authentication on its own. Wireless LAN switching moves these functions into a switch so that large wireless infrastructures can be managed and upgraded in one place. Access points connected to the wireless switch then become little more than Ethernet-attached radios that require virtually no management.
Key to wireless LAN switching technology is the ability to maintain user identity across the wireless infrastructure so services and security can be delivered seamlessly to users or user groups from access point to access point. A wireless user accesses the network by attempting to make an association with the access point that has the strongest signal. That access point is connected to a wireless switch in the wiring closet or data center.
Acting as a relay, the access point forwards the 802.11 association request to the wireless LAN switch, which in turn acknowledges the request. The wireless LAN switch then authenticates the wireless user with 802.1X, validating the user's credentials against a Remote Authentication Dial-In User Service (RADIUS) server.
Once authentication succeeds, the RADIUS server returns the resulting master key material to the wireless LAN switch in its Access-Accept message. The client, having run the same authentication exchange, derives the identical key independently; switch and client then derive the per-session encryption keys from it, and the client begins sending encrypted data. The access point only relays these frames.
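The exchange described in the preceding paragraphs, modelled as an added example (this is not Aruba's code, and no real EAP method is implemented: the HMAC challenge-response, the toy stream cipher, the user name, MAC address and secret are all constructed for illustration). It shows the division of labour the article describes: the access point only relays, the switch terminates association and talks to RADIUS, the RADIUS server hands the master key to the switch in its Access-Accept, and the client derives the same key from its own secret, which the switch never sees.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed credential store.  Only the RADIUS server and the user hold a
# secret; the wireless switch and the access point never see it.
USER_DB = {"alice": b"alice-correct-horse-battery"}


def prf(secret: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 pseudo-random function used for every derivation below."""
    return hmac.new(secret, label + b"".join(parts), hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only (not WEP, TKIP or AES-CCMP).
    Keystream blocks are HMAC(key, counter); XOR is symmetric, so one call
    both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = prf(key, b"data", offset.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class RadiusServer:
    """Authentication server.  Talks only to the switch, never to the client."""

    def __init__(self, user_db: dict):
        self.user_db = user_db
        self.pending = {}  # identity -> nonce issued in the last Access-Challenge

    def access_request(self, identity: str, client_nonce: Optional[bytes] = None,
                       proof: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        secret = self.user_db.get(identity)
        if secret is None:
            return "Access-Reject", None
        if proof is None:                      # first round: issue a challenge
            self.pending[identity] = os.urandom(16)
            return "Access-Challenge", self.pending[identity]
        server_nonce = self.pending.pop(identity, None)
        if server_nonce is None:
            return "Access-Reject", None
        if not hmac.compare_digest(prf(secret, b"proof", server_nonce, client_nonce), proof):
            return "Access-Reject", None
        # Success: the master key rides to the switch inside the Access-Accept.
        return "Access-Accept", prf(secret, b"master-key", server_nonce, client_nonce)


class Client:
    """Supplicant: knows its own secret and derives the same master key itself."""

    def __init__(self, mac: str, identity: str, secret: bytes):
        self.mac, self.identity, self.secret = mac, identity, secret
        self.master_key: Optional[bytes] = None

    def eap_response(self, server_nonce: bytes) -> Tuple[bytes, bytes]:
        client_nonce = os.urandom(16)
        self.master_key = prf(self.secret, b"master-key", server_nonce, client_nonce)
        return client_nonce, prf(self.secret, b"proof", server_nonce, client_nonce)

    def encrypt(self, plaintext: bytes) -> bytes:
        return xor_stream(self.master_key, plaintext)


class WirelessSwitch:
    """Authenticator: terminates association and 802.1X, relays EAP to RADIUS."""

    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.station_keys = {}   # client MAC -> master key received from RADIUS
        self.log = []

    def associate(self, ap_name: str, client: Client) -> bool:
        # The access point only relays; the switch answers the association.
        self.log.append(f"{ap_name} -> switch: association request from {client.mac}")
        self.log.append(f"switch -> {client.mac} via {ap_name}: association OK")
        self.log.append(f"switch -> RADIUS: Access-Request identity={client.identity}")
        code, server_nonce = self.radius.access_request(client.identity)
        if code != "Access-Challenge":
            self.log.append(f"RADIUS -> switch: {code}")
            return False
        client_nonce, proof = client.eap_response(server_nonce)  # relayed via the AP
        code, key = self.radius.access_request(client.identity, client_nonce, proof)
        self.log.append(f"RADIUS -> switch: {code}")
        if code != "Access-Accept":
            return False
        self.station_keys[client.mac] = key   # switch now holds the key, never the secret
        return True

    def decrypt(self, mac: str, ciphertext: bytes) -> bytes:
        return xor_stream(self.station_keys[mac], ciphertext)


def run_flow(identity: str = "alice", secret: bytes = USER_DB["alice"]) -> dict:
    """One association plus authentication; reports what each party ended up with."""
    switch = WirelessSwitch(RadiusServer(USER_DB))
    client = Client("00:11:22:33:44:55", identity, secret)
    accepted = switch.associate("ap-floor3-east", client)
    result = {"accepted": accepted, "log": switch.log, "plaintext": None, "keys_match": False}
    if accepted:
        result["keys_match"] = client.master_key == switch.station_keys[client.mac]
        result["plaintext"] = switch.decrypt(client.mac, client.encrypt(b"hello WLAN"))
    return result


if __name__ == "__main__":
    for line in run_flow()["log"]:
        print(line)
    print("wrong password accepted?", run_flow(secret=b"wrong")["accepted"])
```

Running it prints the relayed association and the RADIUS round trips, then confirms that a station presenting the wrong secret is rejected and never gets a key installed on the switch.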
Wireless switches give network managers the flexibility to mix and match client security capabilities, from Layer 3 VPNs to Layer 2 authentication and encryption schemes such as 802.1X, Wired Equivalent Privacy (WEP), Temporal Key Integrity Protocol (TKIP) and the Advanced Encryption Standard (AES), without having to upgrade or reconfigure access points. (WEP's key-recovery weaknesses are well documented, so it belongs in such a mix only to accommodate legacy clients that support nothing stronger.)
Wireless switches serve as the brains of a wireless LAN system by constantly monitoring air space, network growth and user density, and dynamically adjusting bandwidth, access control, quality of service and other parameters as mobile users roam through the corporation.
The technology also controls each access point's power and channel settings and stores the configuration data centrally. For instance, when an access point fails, the wireless LAN switch detects the failure and instructs nearby access points to adjust their power and channel settings to cover the gap. When a new access point is installed, the wireless LAN switch discovers it automatically and pushes the appropriate power and channel settings to it.
Wireless LAN switching technology also protects against the security threat of rogue access points. When an access point is plugged into the network, the wireless LAN switch checks the device against a trusted list of allowed devices, users and user policies. If the switch determines that the device is not authorized, it shuts the rogue access point down and alerts the network manager.
With wireless LANs, network managers also face the challenge of combining security with mobility. Wireless LAN switching technology integrates Mobile IP, a standard that solves roaming across IP subnets, while preserving the user's authentication state, and it reauthenticates users transparently as they move from one access point to another.
Stateful policy engines enforce predefined rules on a per-user basis. As users move, their policies follow. With these capabilities, network managers can provide some users, such as guests, with only HTTP access, while employees receive access to a wider range of TCP ports and services.
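A sketch of the per-user stateful policy the paragraph above describes, as an added example rather than anything from Aruba: the engine keys its state on the authenticated station and its role, not on the access point, so a guest's HTTP-only rule and the flows the guest already opened survive a roam to another access point, while unsolicited inbound traffic is still dropped. Role names, port sets, MAC and IP addresses are constructed for the example.

```python
from typing import Dict, Set, Tuple

# Constructed role policy: TCP destination ports a role may open outbound.
# In a real deployment this would come from RADIUS attributes or switch config.
ROLE_PORTS = {"guest": {80}, "employee": {22, 80, 443, 3389}}

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


class UserPolicyEngine:
    """Stateful per-user policy keyed on the authenticated station, not the AP."""

    def __init__(self, role_ports: Dict[str, Set[int]]):
        self.role_ports = role_ports
        self.sessions: Dict[str, dict] = {}      # mac -> {identity, role, ap}
        self.flows: Dict[str, Set[Flow]] = {}    # mac -> flows the station opened

    def bind(self, mac: str, identity: str, role: str, ap: str) -> None:
        """Called once 802.1X succeeds; ties the station to a user and a role."""
        self.sessions[mac] = {"identity": identity, "role": role, "ap": ap}
        self.flows.setdefault(mac, set())

    def roam(self, mac: str, new_ap: str) -> None:
        """Station moved to another AP: only the attachment point changes.
        Role and established flows are untouched, so the policy follows the user."""
        self.sessions[mac]["ap"] = new_ap

    def outbound(self, mac: str, flow: Flow) -> bool:
        """New connection from the station: allowed only on the role's ports."""
        session = self.sessions.get(mac)
        if session is None:                       # unauthenticated station
            return False
        if flow[3] not in self.role_ports[session["role"]]:
            return False
        self.flows[mac].add(flow)                 # remember it for the return path
        return True

    def inbound(self, mac: str, flow: Flow) -> bool:
        """Traffic toward the station: only replies to flows it opened itself."""
        src_ip, src_port, dst_ip, dst_port = flow
        return (dst_ip, dst_port, src_ip, src_port) in self.flows.get(mac, set())


def demo() -> dict:
    """Guest gets HTTP only; the rule and open flows follow the guest across APs."""
    engine = UserPolicyEngine(ROLE_PORTS)
    guest, staff = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    engine.bind(guest, "visitor42", "guest", "ap-lobby")
    engine.bind(staff, "alice", "employee", "ap-floor3")

    web = ("10.1.0.5", 51000, "203.0.113.10", 80)
    ssh = ("10.1.0.5", 51001, "203.0.113.10", 22)
    results = {
        "guest_http": engine.outbound(guest, web),
        "guest_ssh": engine.outbound(guest, ssh),
        "staff_ssh": engine.outbound(staff, ("10.1.0.9", 51002, "203.0.113.10", 22)),
    }
    engine.roam(guest, "ap-floor2")               # guest walks upstairs mid-session
    results["reply_after_roam"] = engine.inbound(guest, ("203.0.113.10", 80, "10.1.0.5", 51000))
    results["unsolicited_after_roam"] = engine.inbound(guest, ("203.0.113.10", 4444, "10.1.0.5", 51000))
    results["guest_ap"] = engine.sessions[guest]["ap"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of keying on the station rather than the access point is that `roam()` touches nothing the filter decisions depend on; an access-point-local firewall would have to rebuild or re-learn that state on every handoff.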
With its roots established in the structured wired architectures of the past, Wi-Fi switching gives IT a similar control model, bringing with it a new way to manage change for enterprise wireless networks.
Andrade is director of technology at Aruba Wireless Networks Inc. and is a contributor to the IEEE 802.11i security specification. He can be reached at firstname.lastname@example.org.-- Network World (US)