Analysis of WLAN (Wireless Local Area Network)

Overview

What is WLAN

WLAN stands for Wireless LAN (Wireless Local Area Network): a local area network built with wireless technology. Broadly speaking, a WLAN is a network in which part or all of the transmission media of a wired LAN are replaced by wireless signals such as radio waves, laser, or infrared.

Through WLAN technology, users can easily access the wireless network and move freely within the wireless network coverage area, completely free from the shackles of the wired network.

WLAN and Wi-Fi

  • WLAN: a combination of computer networking and wireless communication technology (Wi-Fi); it is the wireless extension of the wired network.

  • Wi-Fi: Wi-Fi is a wireless local area network technology based on the IEEE 802.11 standard.

    In daily life, Wi-Fi is often used as a synonym for 802.11.
    Wi-Fi is also a trademark of the Wi-Fi Alliance, used as a certification mark for Wi-Fi products. The Wi-Fi Alliance was established in 1999 under the name Wireless Ethernet Compatibility Alliance (WECA) and was officially renamed the Wi-Fi Alliance in October 2002.

Basic WLAN networking architecture

Overall networking architecture

FAT AP

Basic concepts

  • AP (Access Point): provides wireless access service based on the 802.11 standard to STAs (Stations, wireless terminals), acting as the bridge between the wired and the wireless network.
  • FAT AP: an AP that works autonomously and manages itself. The FAT AP architecture is also called the autonomous network architecture.

Architecture characteristics

  • When a single AP is deployed, a FAT AP is self-sufficient and needs no additional centralized control equipment, so it is easy to deploy and low in cost.
  • In an enterprise, however, as WLAN coverage and the number of access users grow, the number of FAT APs to deploy grows as well. Each FAT AP works independently and there is no unified control device, so managing and maintaining these FAT APs becomes very troublesome.

FIT AP

Basic concepts

  • AC (Access Controller): In the AC+FIT AP network architecture, AC controls and manages all FIT APs in the wireless LAN.

Architecture characteristics

  • AC is responsible for WLAN access control, forwarding and statistics, AP configuration monitoring, roaming management, AP network management agent, and security control.
  • The FIT AP (thin AP) is responsible for simple functions such as encryption and decryption of 802.11 frames, 802.11 physical layer functions, accepting AC management, and air interface statistics.
  • The communication protocol used between AC and AP is CAPWAP.

Compared with the FAT AP architecture, the advantages of the AC+FIT AP architecture are as follows:

  • Easier configuration and deployment
  • Higher security
  • Easy to update and expand

Wired-side networking concepts

AC-AP networking mode

  • Layer 2 networking: the network between the AP and the AC is either a direct connection or a Layer 2 network.

    Because Layer 2 networking is relatively simple, it suits simple and temporary deployments and can be set up quickly, but it is not suitable for large-scale network architectures.

  • Layer 3 networking: the network between the AP and the AC is a Layer 3 network.

    In practice, one AC can connect dozens or even hundreds of APs, and the network is generally more complex. Layer 3 networking is generally used in large-scale deployments.

AC connection modes

  • Direct-connection networking

    In direct-connection networking, the AP and the AC are connected in series with the upstream network, and all data must pass through the AC to reach the upstream network.

    The AC acts both as AC and as aggregation switch: the AP's data services and management services are all forwarded and processed by the AC.

  • Bypass networking

    In bypass networking, the AC hangs off the side of the direct path between the AP and the upstream network and no longer connects to the AP directly.

    The AC only performs control and management and does not take part in data forwarding: the AP's service data can reach the upstream network directly without passing through the AC.

CAPWAP

CAPWAP (Control And Provisioning of Wireless Access Points Protocol Specification, wireless access point control and configuration protocol): This protocol defines how to manage and configure the AP, that is, the AC realizes the centralized management and control of the AP through the CAPWAP tunnel.

CAPWAP tunnel function

  • State maintenance between AP and AC.
  • The AC manages the AP through the CAPWAP tunnel and delivers service configuration.
  • When the tunnel forwarding mode is adopted, the AP transmits the data sent by the STA through the CAPWAP tunnel to realize the interaction with the AC.


Wireless-side networking concepts

Wireless communication system

In a wireless communication system, information can be images, text, sound, and so on. Information needs to be converted into a digital signal that is convenient for circuit calculation and processing through source coding, and then converted into radio waves after channel coding and modulation.


BSS/BSSID/SSID

  • BSS (Basic Service Set)

    The area covered by one AP. Within the service area of a BSS, STAs can communicate with each other.

  • BSSID (Basic Service Set Identifier)

    An identifier of the wireless network, expressed as the MAC address of the AP.

  • SSID (Service Set Identifier)

    An identifier of the wireless network, represented by a string. To make it easier for users to tell different wireless networks apart, the SSID is used instead of the BSSID.

VAP

Earlier APs only supported one BSS. If multiple BSSs are to be deployed in the same space, multiple APs need to be placed, which not only increases the cost, but also takes up channel resources. In order to improve this situation, current APs usually support the creation of multiple virtual APs (Virtual Access Points, VAPs).

  • Virtual Access Point (VAP)

    A VAP is one of several APs virtualized on a single physical AP. Each virtualized AP is a VAP, and each VAP provides the same functions as a physical AP. All VAPs share the bandwidth and computing power of the one physical AP.
    Each VAP corresponds to one BSS. In this way, one AP can provide multiple BSSs, and different SSIDs can be set for these BSSs.

ESS

To meet actual business needs, the coverage of a BSS has to be extended, and a user moving from one BSS to another should not perceive any change of SSID. This is achieved with the Extended Service Set (ESS).

  • ESS (Extended Service Set)

    An ESS is composed of multiple BSSs that use the same SSID, that is, all the APs have the same SSID. It is a larger-scale virtual BSS made up of multiple BSSs sharing one SSID.

In the figure above, moving from AP1 to AP2 involves a roaming process. (Roaming is the function by which a mobile communication system can still serve a mobile terminal after it leaves the service area where it registered and moves into another service area.)

WLAN workflow

AP goes online

AP obtains IP address

The AP must obtain an IP address before it can communicate with the AC and the WLAN can work normally.

The AP can obtain an IP address in the following ways:

  • Static mode: Log in to the AP device to manually configure the IP address.
  • DHCP mode: By configuring the DHCP server, the AP acts as a DHCP client to request an IP address from the DHCP server.

Typical solution

  • Use the AC's DHCP service to assign an IP address to the AP.
  • Use equipment in the network, such as a core switch or a dedicated DHCP server, to assign IP addresses to APs.

CAPWAP tunnel establishment

The AC manages and controls APs centrally through the CAPWAP tunnel.

  • Discovery phase (the AP discovers the AC)

    The AP finds an available AC by sending a Discovery Request message. There are two ways for the AP to find the AC:

    • Static mode: a list of static AC IP addresses is pre-configured on the AP.

    • Dynamic mode:

      • DHCP mode: the AP obtains the AC's IP address during the process of obtaining its own IP address through DHCP.
      • Broadcast mode: the AP broadcasts a Discovery Request message to request the AC's IP address, and the AC responds with a Discovery Response message after receiving it.

  • Tunnel establishment phase

    The AP associates with the AC and completes the establishment of the CAPWAP tunnel, which consists of a data tunnel and a control tunnel.

    • Data tunnel: service data packets received by the AP are forwarded to the AC through the CAPWAP data tunnel. Optionally, the data tunnel can be encrypted with Datagram Transport Layer Security (DTLS); once DTLS encryption is enabled, CAPWAP data messages are encrypted and decrypted by DTLS.

    • Control tunnel: management messages between the AP and the AC are exchanged through the CAPWAP control tunnel. Optionally, the control tunnel can also be encrypted with DTLS; once DTLS encryption is enabled, CAPWAP control messages are encrypted and decrypted by DTLS.

AP access control

After the AP discovers the AC, it sends a Join Request message. On receiving it, the AC decides whether to allow the AP to access and responds with a Join Response message.

The AC supports three authentication methods for APs: MAC address authentication, serial number (SN) authentication (each AP's SN is unique), and no authentication.
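The following is an added example, not code from the original post or from any vendor's AC implementation. It models the Join Request / Join Response decision for the three authentication modes just listed, together with the unauthenticated list that an administrator can confirm later (one of the three ways of adding an AP described under "Add AP device" below). ApAuthMode, JoinRequest, JoinResponse, AccessController and the sample MAC addresses and serial numbers are all this example's own assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

# Added example: an AC-side model of the AP access control step.
# ApAuthMode, JoinRequest, JoinResponse and AccessController are this
# example's own names, not a vendor API.


class ApAuthMode(Enum):
    MAC = "mac"    # compare the AP's MAC address against an allow list
    SN = "sn"      # compare the AP's serial number against an allow list
    NONE = "none"  # no authentication: every AP that sends a Join Request is admitted


@dataclass(frozen=True)
class JoinRequest:
    ap_mac: str
    ap_sn: str


@dataclass(frozen=True)
class JoinResponse:
    accepted: bool
    reason: str


@dataclass
class AccessController:
    auth_mode: ApAuthMode
    allowed_macs: set = field(default_factory=set)
    allowed_sns: set = field(default_factory=set)
    # APs that failed authentication are parked here (MAC -> SN); an
    # administrator can confirm them later, which is the "manually confirm
    # APs in the unauthenticated list" way of adding an AP.
    unauthenticated: dict = field(default_factory=dict)
    online: set = field(default_factory=set)

    def handle_join(self, req: JoinRequest) -> JoinResponse:
        """Decide on a Join Request and build the Join Response."""
        mac = req.ap_mac.lower()
        if self.auth_mode is ApAuthMode.NONE:
            ok, reason = True, "no AP authentication configured"
        elif self.auth_mode is ApAuthMode.MAC:
            ok = mac in {m.lower() for m in self.allowed_macs}
            reason = "MAC in AP list" if ok else "MAC not in AP list"
        else:
            ok = req.ap_sn in self.allowed_sns
            reason = "SN in AP list" if ok else "SN not in AP list"

        if ok:
            self.online.add(mac)
            self.unauthenticated.pop(mac, None)
        else:
            self.unauthenticated[mac] = req.ap_sn
        return JoinResponse(ok, reason)

    def confirm_unauthenticated(self, ap_mac: str) -> bool:
        """Administrator action: move an AP from the unauthenticated list to
        the allow list for the current mode. The AP is admitted on its next
        Join Request. Returns False if the AP is not in the list."""
        mac = ap_mac.lower()
        sn = self.unauthenticated.pop(mac, None)
        if sn is None:
            return False
        if self.auth_mode is ApAuthMode.MAC:
            self.allowed_macs.add(mac)
        elif self.auth_mode is ApAuthMode.SN:
            self.allowed_sns.add(sn)
        return True


if __name__ == "__main__":
    # Constructed sample: one AP is pre-listed, a second one is not.
    ac = AccessController(ApAuthMode.MAC, allowed_macs={"00:11:22:33:44:55"})
    print(ac.handle_join(JoinRequest("00:11:22:33:44:55", "SN-0001")))
    print(ac.handle_join(JoinRequest("66:77:88:99:AA:BB", "SN-0002")))
    print("unauthenticated:", ac.unauthenticated)
```

The practical difference between the modes is what the AC can check: MAC and SN authentication compare the joining AP against an allow list the administrator controls, whereas no-authentication admits any device that can reach the AC and speak CAPWAP, so it is only appropriate where the wired network between AP and AC is itself trusted.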

AP version upgrade (optional)

The AP judges whether the current system software version is consistent with that specified on the AC according to the parameters in the received Join Response message. If they are inconsistent, the AP requests the software version by sending an Image Data Request message, and then performs a version upgrade. The upgrade methods include AC mode, FTP mode (insecure), and SFTP mode (secure FTP mode).

The AP restarts after the software version is updated, and repeats the previous three steps.

CAPWAP tunnel maintenance

The source port on the AP side of the tunnel is randomly generated; the destination port on the AC side is UDP 5246.

  • Data tunnel maintenance: Keepalive messages are exchanged between AP and AC to detect the connectivity status of the data tunnel.

  • Control tunnel maintenance: AP and AC exchange Echo messages to detect the connection status of the control tunnel.
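As an added example (not code from the original post or from a vendor's AC), the monitor below tracks the two maintenance messages per AP, Echo for the control tunnel and Keepalive for the data tunnel, and reports a tunnel as down once it has been silent for more than a configured number of intervals. The class names, the 30-second intervals and the "three missed messages" threshold are this example's own assumptions, not vendor defaults, and the event trace is constructed.

```python
from dataclasses import dataclass, field

# Added example: a monitor for the CAPWAP tunnel maintenance step.
# TunnelState, TunnelMonitor, the intervals and the threshold are this
# example's own assumptions, not a vendor implementation or its defaults.


@dataclass
class TunnelState:
    last_echo: float        # time of the last Echo seen on the control tunnel
    last_keepalive: float   # time of the last Keepalive seen on the data tunnel


@dataclass
class TunnelMonitor:
    # Assumed intervals (seconds) at which the AP is expected to send each message.
    echo_interval: float = 30.0
    keepalive_interval: float = 30.0
    # A tunnel is declared down after more than this many intervals of silence.
    max_missed: int = 3
    tunnels: dict = field(default_factory=dict)  # ap_mac -> TunnelState

    def register(self, ap_mac: str, now: float) -> None:
        """Called once the CAPWAP tunnel is established; both timers start fresh."""
        self.tunnels[ap_mac.lower()] = TunnelState(last_echo=now, last_keepalive=now)

    def on_message(self, ap_mac: str, kind: str, now: float) -> bool:
        """Record an Echo (control tunnel) or Keepalive (data tunnel) from an AP.
        Returns False for an AP that has no established tunnel."""
        st = self.tunnels.get(ap_mac.lower())
        if st is None:
            return False
        if kind == "echo":
            st.last_echo = now
        elif kind == "keepalive":
            st.last_keepalive = now
        else:
            raise ValueError(f"unknown maintenance message: {kind}")
        return True

    def check(self, now: float) -> dict:
        """Return {ap_mac: {"control": bool, "data": bool}} for every AP with at
        least one tunnel down; True means that tunnel exceeded the threshold."""
        result = {}
        for mac, st in self.tunnels.items():
            control_down = now - st.last_echo > self.max_missed * self.echo_interval
            data_down = now - st.last_keepalive > self.max_missed * self.keepalive_interval
            if control_down or data_down:
                result[mac] = {"control": control_down, "data": data_down}
        return result


def replay(events):
    """Drive a monitor over a list of (time, ap_mac, kind) events, where kind is
    "register", "echo" or "keepalive", and return check() at the last time."""
    mon = TunnelMonitor()
    for t, mac, kind in sorted(events):
        if kind == "register":
            mon.register(mac, t)
        else:
            mon.on_message(mac, kind, t)
    return mon.check(max(t for t, _, _ in events))


# Constructed trace: AP1 keeps both tunnels alive; AP2 keeps sending Echoes but
# stops sending Keepalives after t=30, so only its data tunnel is down at t=150.
AP1, AP2 = "00:11:22:33:44:01", "00:11:22:33:44:02"
SAMPLE_EVENTS = [(0, AP1, "register"), (0, AP2, "register"), (30, AP2, "keepalive")]
for _t in range(30, 151, 30):
    SAMPLE_EVENTS += [(_t, AP1, "echo"), (_t, AP1, "keepalive"), (_t, AP2, "echo")]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

Keeping the two timers separate matters because the page describes the tunnels as maintained independently: an AP whose control tunnel is healthy can still have lost its data tunnel, and a monitor that only watches Echo would miss that.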

AP online process diagram

To ensure that the AP can go online, the following needs to be pre-configured on the AC:

  • Create AP group

    Each AP joins exactly one AP group. The AP group is usually used to apply a common configuration to multiple APs.

  • Configure network interworking

    Configure a DHCP server to assign IP addresses to APs and STAs. You can also configure the AC device as a DHCP server.

    Configure the network interworking between the AP and the DHCP server; configure the network interworking between the AP and the AC.

  • Configure the country code of the AC (domain management template)

    Used to identify the country where the AP radio frequency is located. Different country codes specify different AP radio frequency characteristics, including AP transmit power and supported channels.

  • Configure the source interface or source address (to establish a tunnel with the AP)

    Each AC must have one IP address or interface uniquely specified. The APs attached to the AC learn this IP address (or the IP address configured on this interface) and use it to communicate with the AC and to establish the CAPWAP tunnel.

  • Configure the network element name of the AC (optional)

    Each AC is a network element. Different AC devices can be distinguished by setting the name of the AC network element to a value with practical significance, so that users can manage the AC device conveniently.

  • Configure automatic upgrade when AP goes online (optional)

    Automatic upgrade means that the AP automatically compares its version with the AP version configured on the AC or SFTP or FTP server during the online process. If the version is inconsistent, the upgrade is performed, and then the AP automatically restarts and goes online again.

  • Add AP device (configure AP authentication mode)

    There are three ways to add APs: import APs offline, automatically discover APs, and manually confirm APs in the unauthenticated list.

WLAN service configuration delivery

The AC sends a Configuration Update Request message to the AP, and the AP responds with a Configuration Update Response message. The AC then sends the AP's service configuration to the AP.

Configure radio

  • Configure basic radio parameters

    Configure the working bandwidth and channel, antenna gain, transmit power, coverage distance parameters, working frequency band, etc. of the specified radio frequency.

  • Create RF template

    Basic radio parameters are configured directly under the radio interface, and other radio parameters are configured under the radio template.

    The radio frequency templates are divided into 2G radio frequency templates and 5G radio frequency templates, which are effective for 2.4GHz radio frequency and 5GHz radio frequency respectively.

  • Reference by AP or AP group

    When the radio template is referenced by an AP group, an AP, an AP radio or an AP-group radio, the configuration in the radio template is automatically delivered to the designated APs and takes effect.

Configure VAP

  • Create SSID template

    SSID is used to specify different wireless networks. When searching for accessible wireless networks on the STA, the displayed network name is the SSID.

    The SSID template is mainly used to configure the SSID name of the WLAN network.

  • Create a security template

    Configure the WLAN security policy to authenticate the wireless terminal (STA) and encrypt the user's message to protect the security of the WLAN network and the user.

  • Create VAP template

    Configure various parameters under the VAP template, and then reference the VAP template in the AP group or AP, the VAP will be generated on the AP, and the VAP is used to provide wireless access services for the STA.

  • Configure data forwarding method

    The data in the WLAN network consists of control messages (management messages) and data messages. For example, in bypass networking, data messages are forwarded directly through the switching and routing equipment; in direct-connection networking, data messages are forwarded through the AC.

  • Configure service VLAN

    The Layer 2 service data packets sent by the VAP to the AP will carry the VLAN-ID of the service VLAN.

  • Bind to AP or AP group

    Once the VAP template is bound to an AP or AP group, the AP delivers the WLAN service.

The overall process diagram is as follows


STA access

After the CAPWAP tunnel is established, the user can access the wireless network.

The STA access process is divided into six phases: scanning, link authentication, association, access authentication, DHCP, and user authentication.

Scanning

STA can search the surrounding wireless networks regularly through active scanning, and obtain the surrounding wireless network information.

Depending on whether the Probe Request frame carries an SSID, active scanning can be divided into two types:

Active scanning with a specified SSID

The client sends a Probe Request carrying the specified SSID. The STA sends Probe Request frames on each channel in turn, looking for an AP with the same SSID as the one configured on the STA. Only an AP that can provide service for that SSID responds with a Probe Response after receiving the Probe Request.

Active scanning with an empty SSID

The client sends a broadcast Probe Request: it periodically sends Probe Request frames on each channel in its list of supported channels to scan for wireless networks. When an AP receives the Probe Request frame, it responds with a Probe Response frame announcing the available wireless network information.
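The following added example (not code from the original post or from any vendor's AP) ties the VAP/ESS description above to the two active-scan types: an AP hosts several VAPs, each VAP is one BSS with its own BSSID, the BSSs that share an SSID across APs form an ESS, and an AP answers a Probe Request either for every VAP (empty SSID) or only for the matching VAP (specified SSID). The classes, the BSSID derivation rule, the sample MAC addresses, SSIDs and channel numbers are all this example's own assumptions.

```python
from dataclasses import dataclass, field

# Added example: a simplified model of VAPs, the ESS, and probe handling during
# active scanning. All names and sample values are constructed for this example.


@dataclass(frozen=True)
class Vap:
    ssid: str
    bssid: str   # each VAP is one BSS and therefore has its own BSSID


@dataclass
class AccessPoint:
    name: str
    base_mac: str
    vaps: list = field(default_factory=list)

    def add_vap(self, ssid: str) -> Vap:
        """Create a VAP with a distinct BSSID. Assumed rule for this example:
        the BSSID is the AP's base MAC with the VAP index added to the last byte."""
        octets = self.base_mac.lower().split(":")
        last = (int(octets[-1], 16) + len(self.vaps)) & 0xFF
        vap = Vap(ssid, ":".join(octets[:-1] + [f"{last:02x}"]))
        self.vaps.append(vap)
        return vap

    def probe_response(self, requested_ssid: str) -> list:
        """Probe Request with an empty SSID: every VAP on the AP answers.
        Probe Request with a specific SSID: only a VAP serving that SSID answers."""
        if requested_ssid == "":
            return list(self.vaps)
        return [v for v in self.vaps if v.ssid == requested_ssid]


def active_scan(aps: list, channel_of: dict, requested_ssid: str = "") -> list:
    """STA-side view: send the Probe Request on each AP's channel and collect the
    Probe Responses as (channel, ssid, bssid) tuples."""
    found = []
    for ap in aps:
        for vap in ap.probe_response(requested_ssid):
            found.append((channel_of[ap.name], vap.ssid, vap.bssid))
    return sorted(found)


def ess_members(aps: list, ssid: str) -> set:
    """All BSSIDs, across APs, that advertise the same SSID: that set is the ESS."""
    return {v.bssid for ap in aps for v in ap.vaps if v.ssid == ssid}


def is_roaming(aps: list, ssid: str, old_bssid: str, new_bssid: str) -> bool:
    """A STA moving between two different BSSs of the same ESS is roaming."""
    members = ess_members(aps, ssid)
    return old_bssid in members and new_bssid in members and old_bssid != new_bssid


def build_sample():
    """Constructed topology: AP1 hosts two VAPs (corp, guest) on channel 1,
    AP2 hosts one VAP (corp) on channel 6; corp therefore forms an ESS."""
    ap1 = AccessPoint("AP1", "00:11:22:33:44:00")
    ap1.add_vap("corp")
    ap1.add_vap("guest")
    ap2 = AccessPoint("AP2", "00:11:22:33:55:00")
    ap2.add_vap("corp")
    return [ap1, ap2], {"AP1": 1, "AP2": 6}


if __name__ == "__main__":
    aps, channels = build_sample()
    print("wildcard scan:", active_scan(aps, channels))
    print("scan for corp:", active_scan(aps, channels, "corp"))
    print("corp ESS:", ess_members(aps, "corp"))
```

Running the sample shows the difference between the two scan types directly: the empty-SSID probe gets one response per VAP from every AP in range, while the specified-SSID probe is answered only by the VAPs serving that SSID, and those BSSIDs are exactly the members of the corp ESS a STA can roam between.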

Link authentication

To ensure the security of the wireless link, the AP needs to authenticate the STA during the access process.

802.11 defines two link authentication mechanisms: open system authentication and shared key authentication.

  • Open system authentication: that is, no authentication, any STA can access successfully.

  • Shared key authentication: STA and AP are pre-configured with the same shared key to verify whether the key configurations on both sides are the same. If they are consistent, the authentication is successful; otherwise, the authentication fails.

Association

After link authentication is completed, the STA continues by initiating link service negotiation, which is carried out through Association messages.

The terminal association process is essentially a link service negotiation. The negotiated content includes the supported rates, channel, and so on.

Access authentication

Access authentication distinguishes users and restricts their access rights before they access the network. Compared with link authentication, access authentication is more secure.

The main methods are PSK authentication and 802.1X authentication.

DHCP

The STA obtains its own IP address, which is a prerequisite for the STA to go online normally.

If the STA obtains an IP address through DHCP, the AC device or the aggregation switch can be used as a DHCP server to assign an IP address to the STA. Generally, the aggregation switch is used as the DHCP server.

User Authentication

User authentication is an "end-to-end" security framework, including 802.1X authentication, MAC authentication and Portal authentication.

WLAN service data forwarding

The data in CAPWAP includes control messages (management messages) and data messages.

Control messages are forwarded through the control tunnel of CAPWAP. User data messages are divided into tunnel forwarding (also called "centralized forwarding") and direct forwarding (also called "local forwarding").

Source: blog.csdn.net/qq_40741808/article/details/106746760