Cisco Flex 7510 Wireless Controller White Paper

Copyright © 2011 Miercom    Wireless LAN Controllers    Page 4

When the incorrect 802.1x authentication credentials are supplied, devices cannot authenticate with the ACS 5.2 
server. Failed authentications are displayed above in red. This prevents installation of rogue devices.
 
bandwidth available. As with Cisco, CAC functionality is only supported as long as WAN access to the controller is available.

Aruba VBN 2.0 supports CAC in tunnel mode, but does not support CAC in bridged mode, which is the mode of operation used in a branch deployment.

Port-based AP 802.1x Authentication

In a branch wireless deployment, there is a threat of rogue devices being installed, which could compromise the security of the network. Port-based 802.1x authentication on the wired network provides increased security by requiring that proper credentials be entered. These are checked against the ACS/RADIUS server before the access point can join the network. We evaluated the ability of each solution to provide this level of network security.

Cisco FlexConnect uses the branch switch as a proxy for authentication. Port security was enabled on the branch switch. The AP was provisioned with the proper 802.1x credentials and connected to the switch port, and we verified that it successfully joined the controller. The ACS uses RADIUS and a shared secret, and the AP supports the 802.1x supplicant, which is required to authenticate the AP to the edge switch. Rogue APs will not authenticate and will not receive an IP address. See Figure 2.

Neither Motorola nor Aruba supports an 802.1x supplicant at the access point. The Motorola RFS 4000 controller features an area for 802.1x authentication, but the Enable check box is grayed out and the option cannot be selected.
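
The port-based check described in this section can be modelled in a few lines. The following is an added example, not code from Miercom or Cisco: it shows an authenticator port that forwards only EAPOL frames until it receives a RADIUS Access-Accept whose Response Authenticator (RFC 2865) verifies under the shared secret. The account name, password and secret are constructed sample values, and the EAP exchange between AP and ACS is collapsed to a credential lookup.

```python
import hashlib, hmac, os, struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3      # RADIUS codes (RFC 2865)
EAPOL, IPV4 = 0x888E, 0x0800             # EtherTypes: 802.1X and IPv4 (DHCP rides on IPv4)

def radius_reply(code, ident, request_auth, secret, attrs=b""):
    """Build a reply whose Response Authenticator is
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply, request_auth, secret):
    """Switch-side check that the reply was produced with the shared secret."""
    header, auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)

def acs_decide(users, username, password, ident, request_auth, secret):
    """Stand-in for the ACS: the EAP exchange is collapsed to a credential lookup."""
    known = users.get(username)
    ok = known is not None and hmac.compare_digest(known, password)
    return radius_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)

class SwitchPort:
    """Authenticator port: forwards only EAPOL until an authentic Access-Accept arrives."""
    def __init__(self, secret):
        self.secret, self.authorized = secret, False

    def handle_reply(self, reply, request_auth):
        authentic = reply_is_authentic(reply, request_auth, self.secret)
        self.authorized = authentic and reply[0] == ACCESS_ACCEPT
        return self.authorized

    def forwards(self, ethertype):
        return self.authorized or ethertype == EAPOL

def ap_gets_dhcp(username, password, server_secret=b"constructed-secret"):
    """Plug an AP into a fresh port; report whether its DHCP traffic would be forwarded."""
    users = {"branch-ap-01": b"constructed-password"}   # constructed sample account
    port = SwitchPort(b"constructed-secret")
    request_auth = os.urandom(16)                        # per-request value chosen by the switch
    reply = acs_decide(users, username, password, 1, request_auth, server_secret)
    port.handle_reply(reply, request_auth)
    return port.forwards(IPV4)

if __name__ == "__main__":
    print("provisioned AP:", ap_gets_dhcp("branch-ap-01", b"constructed-password"))
    print("rogue AP:", ap_gets_dhcp("rogue-ap", b"guess"))
    print("wrong shared secret:", ap_gets_dhcp("branch-ap-01", b"constructed-password", b"other"))
```

The third case shows why the shared secret matters: a reply that does not verify under the switch's secret leaves the port unauthorized even when it carries an Access-Accept code.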

Bottom Line

For a large customer with deployments using a wireless strategy to branches, resiliency of the branch architecture and cost containment of deployment are key considerations. The FlexConnect architecture featured in the Cisco Flex 7500 Wireless Controller was the only solution in this test which thoroughly satisfied these metrics.

FlexConnect architecture provides the ability to authenticate clients locally with the access point in the event that central authentication is unavailable due to a controller or WAN link failure. By supporting roaming within the branch when the WAN link is down, FlexConnect preserves business functions. To provide the same level of resiliency, the solution would require primary and backup controllers for each branch location, increasing the cost of branch deployment. Cisco FlexConnect uses 802.1x authentication to prevent rogue access points from being installed in the branch, increasing network security.

Cisco FlexConnect featuring the Flex 7500 Wireless Controller is a well-executed solution for providing Wireless Branch Survivability.

Figure 2: Failed Port Authentication
Source: Miercom, April 2011