CiscoWorks Wireless LAN Solution Engine (WLSE) Express

CiscoWorks Wireless LAN Solution Engine Express (WLSE Express) является полноценным решением для управления беспроводными сетями на малых и средних предприятиях, в которых используются автономные точки доступа Cisco Aironet.

CiscoWorks WLSE Express обеспечивает контроль и безопасность беспроводной сети корпоративного уровня. Отличительной особенностью данного решения являются интегрированные сервисы по аутентификации, авторизации и учету.

Данное решение рассчитано на бюджет небольших организаций, поэтому имеет более скромную функциональность по сравнению с решением Cisco Unified Wireless Network.

Особенности и преимущества:

• Решение "все-в-одном" по организации управления и обеспечению безопасности беспроводных сетей
• Сокращает как единовременные издержки на развертывание, так и оперативные расходы
• Упрощает управление и контроль над большим количеством автономных точек доступа Cisco Aironet
• Увеличивает защищенность беспроводной сети:
  • Обнаруживает и блокирует "левые" точки доступа и неавторизованные ad-hoc сети
  • Помогает обеспечивать соблюдение политик безопасности
• Увеличивает производительность и отказоустойчивость беспроводной сети:
  • Обнаруживает радиочастотную интерференцию
  • Оптимизирует радио покрытие и настройки уровня сигнала
  • Позволяет осуществлять мониторинг производительности и ошибок
• Экономит время и ресурсы:
  • Автоматизирует настройку автономных точек доступа и беспроводных мостов Cisco Aironet
  • Содействует в проведении радиочастотного сканирования для оптимального выбора антенн и настроек точек доступа, таких как уровень сигнала и номер канала

CiscoWorks Wireless LAN Solution Engine Express 2.13

Organizations are adopting wireless LANs (WLANs) to increase business productivity and accessibility. Network managers need a solution that provides them with the control they need to effectively manage and secure their WLANs. CiscoWorks Wireless LAN Solution Engine Express (WLSE Express) plays a key role in the Cisco Autonomous WLAN solution for managing Cisco Aironet® access points.

CiscoWorks WLSE Express helps simplify and automate the deployment and security of WLANs, to ensure their smooth operation and dependability. CiscoWorks WLSE Express also includes an integrated authentication, authorization server, to provide localized management and security services for local WLAN users. Additionally, it provides WLAN intrusion detection IDS capabilities for detecting WLAN intrusions such as rogue access points, ad-hoc networks, and excess management frames on the air that typically signal a WLAN attack.

CiscoWorks WLSE Express provides a solution for small and medium-sized businesses (SMBs), and enterprise branch-office WLAN deployments of up to 100 Cisco Aironet access points. For medium-sized to large enterprises and wireless vertical markets where wireless management of hundreds to thousands of autonomous Cisco Aironet access points is needed, Cisco offers the CiscoWorks Wireless LAN Solution Engine (WLSE). Please refer to the CiscoWorks WLSE data sheet for additional details.

PRODUCT OVERVIEW

CiscoWorks WLSE Express is the integrated security and management solution for managing Cisco Aironet autonomous access points located in one or multiple locations. CiscoWorks WLSE Express can manage up to 50 Cisco Aironet access points or up to 100 Cisco Aironet access points through an optional license upgrade.

CiscoWorks WLSE Express provides comprehensive air/radio frequency (RF) and device-management capabilities in ways that simplify deployment, reduce operational complexity, and provide administrators visibility into the WLAN. By automating several RF and device-management tasks, CiscoWorks WLSE Express reduces the costs and time needed for WLAN deployment, management, and security.

By using Cisco Aironet access points as RF air monitors, CiscoWorks WLSE Express provides WLAN intrusion detection and protection. As part of the WLAN Intrusion Detection System (IDS), CiscoWorks WLSE Express quickly and securely detects, locates (Figure 1), and disables unauthorized (rogue) access points, helping to ensure that security policies are applied consistently throughout the network. The latest IDS addition is the Management Frame Protection (MFP), by which management frames between access points are authenticated, eliminating several WLAN attacks that arise due to spoofing of authorized devices. CiscoWorks WLSE Express enables MFP in the network and provides visibility into network events associated with MSP detection/protection. CiscoWorks WLSE Express further enhances the security of the WLAN by monitoring for ad-hoc networks, unauthorized WLAN client networks, client spoofing, and other WLAN attacks that may introduce security openings in the network. These capabilities can benefit any organization, including those that have not formally operationalized WLANs but want to guard against intruders.

CiscoWorks WLSE Express also provides an integrated and embedded user Authentication and Authorization server, making it an ideal solution for remote branch-office deployments with limited WAN bandwidth. It supports popular Extensible Authentication Protocol (EAP) types including Cisco LEAP, Protected EAP (PEAP), EAP Flexible Authentication via Secure Tunneling (EAP-FAST), and EAP- Transport Layer Security (EAP-TLS). It supports up to 500 users on the standard CiscoWorks WLSE Express, or up to 1000 users on the license-upgraded version of CiscoWorks WLSE Express, which supports 100 Cisco Aironet access points.

CiscoWorks WLSE also supports Voice over WLANs by enabling the deployment of voice with call admission control. This enables access points to prioritize/optimize WLAN bandwidth for voice traffic. It also monitors the health of the voice network, including calls with degraded QoS and jitter/loss.

Figure 1. CiscoWorks WLSE Express Location View: Rouge Access Point Location

CiscoWorks WLSE Express provides dynamic RF management through self-healing, which adjusts a Cisco Aironet access point's cell coverage area automatically when an adjacent access point becomes disabled or fails. It also helps optimize performance by detecting and locating RF interference while proactively monitoring usage and faults.

CiscoWorks WLSE Express' deployment wizard enables efficient access point deployment through contextual configurations that are automatically applied to access points as they are plugged into the network. Specific access-point configurations can be applied depending on flexible deployment criteria. This reduces access-point deployment times, increases security and configuration consistency, while reducing user-caused configuration errors.

CiscoWorks WLSE Express may be transparently integrated with other network management systems, operational support systems, and CiscoWorks applications through syslog messages, Simple Network Management Protocol (SNMP) traps, and an Extensible Markup Language (XML) interface. Its secure HTML-based user interface provides access anywhere, including through firewalls.

KEY FEATURES AND BENEFITS

Deployment

CiscoWorks WLSE Express speeds deployment by automating configuration and setup, reducing the overall cost to provision WLANs. The result is superior return on investment and enhanced productivity.

CiscoWorks WLSE Express offers the following capabilities:

• Automatic CiscoWorks WLSE Express setup-Factory-default CiscoWorks WLSE Express can be automatically configured from a Dynamic Host Configuration Protocol (DHCP) server. CiscoWorks WLSE Express configuration including the IP address, hostname, and default gateway can be specified on a DHCP server and automatically downloaded to CiscoWorks WLSE Express during the boot up. This enables easier CiscoWorks WLSE Express deployment in remote and branch-office locations, without requiring IT expertise at the remote site
• Automatic access-point configuration-CiscoWorks WLSE Express can automatically discover and configure newly deployed autonomous Cisco Aironet access points using DHCP, with the flexibility to assign different configurations based on the access-point device type, its source subnet, and its software version. CiscoWorks WLSE Express provides an easy-to-use deployment wizard to specify the configuration criteria up front. This allows administrators to automate deployment and simultaneously maintain control in rapidly expanding environments. The deployment wizard also simplifies and automates the setup of the Wireless Domain Services (WDS) that plays an important role in the Cisco Distributed WLAN Solution for seamless mobility and RF aggregation services. Access points such as Cisco Aironet 1100 Series, Aironet 1130 AG, or Aironet 1200 access points in the remote location can provide WDS services. For deployments that use Cisco Aironet access points as WDS, CiscoWorks WLSE Express can automatically designate a WDS access point and apply the right configuration to it without requiring manual setup.
• Assisted site surveys- Complete and reliable WLAN coverage is achieved only with a detailed site survey. CiscoWorks WLSE Express helps IT managers to perform cost-effective site surveys in-house without being experts in RF propagation and measurement. The assisted site survey tool automatically determines optimal frequency selection, transmit power, and other settings, which the administrator can then apply. The coverage areas can be defined to cover only specified areas. CiscoWorks WLSE Express also provides an automated re-site survey that periodically assesses the performance of the network with respect to baseline site-survey settings. When radio settings in the network are no longer optimal, CiscoWorks WLSE Express generates a notification allowing the administrator to quickly apply newer, more optimal radio settings.

Operations

CiscoWorks WLSE Express automates a wide range of repetitive time-consuming tasks, simplifying the management of Cisco Aironet access points and bridges to enhance productivity for network administrators.

• Centralized firmware updates-Access point and bridge firmware may be updated in mass. Updates may be assigned to a specific device or to groups. Tasks may be scheduled or executed on demand.
• Mass configuration changes-Configuring a group with hundreds of devices requires no more effort than configuring a single device. Configuration tasks may be scheduled or executed on demand. CiscoWorks WLSE Express supports all the configuration settings available on Cisco Aironet access points, including Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) security settings. Configuration updates are done using Secure Shell (SSH) Protocol. Specific RF settings such as channel and power as recommended by the CiscoWorks WLSE Express Site Survey Wizard can also be applied to devices based on a schedule.
• Dynamic grouping-The Device Groups feature makes administering the WLAN more effective and intuitive. Devices may be organized into hierarchical groups defined by the administrator. Groups may span multiple subnets.
• Automated discovery-CiscoWorks WLSE Express automatically discovers Cisco Aironet access points, bridges, and switches connected to access points using Cisco Discovery Protocol. Discovery may be scheduled or run on demand.
• Configuration archive-The CiscoWorks WLSE Express is able to store the last four configuration versions for each managed access point, allowing configuration tasks to be undone.
• VLAN configuration-VLANs on access points may be configured and monitored, allowing differentiation of LAN policies and services, such as security and quality of service (QoS), for different users on enterprise and public-access VLANs.
• MBSSID Support-CiscoWorks WLSE Express supports the configuration of multiple broadcast SSIDs. It supports up to 8 broadcast Service Set Identifications (SSIDs) per access point.
• Customizable thresholds-Administrators may define different faults and performance thresholds for specific sites and groups accompanied by specific actions and fault priorities. A centralized fault screen simplifies quick resolution of problems. Various WLAN health indicators such as network load, RF usage, errors, and client associations can be monitored.
• Fault status-CiscoWorks WLSE Express provides a centralized view of all access points and device groups. Color coding and group icons indicate fault status. Faults may be filtered and sorted by priority to facilitate viewing and resolving problems.
• Fault notification-Fault notification and forwarding are implemented with syslog messages, SNMP traps, and e-mail.
• Switch monitoring-Switches connected to access points are monitored for availability and the utilization of ports, CPU, and memory.

Security and WLAN Intrusion Detection

Organizations need to protect their RF environment and data networks from unauthorized access. Unauthorized (rogue) access points installed by employees or intruders create security breaches that put the entire network at risk. WLAN IDS quickly detects, locates, and automatically shuts down rogue access points. CiscoWorks WLSE Express provides effective rogue access-point switch-port tracing by monitoring and using the clients that are associated to rogue access points, thus providing a means of containing the rogue access point by shutting down the switch port connected to the rogue access point. Rogue access points can be filtered by Received Signal Strength Indicator (RSSI) threshold to avoid triggering alarms for access points that might be a neighboring network. CiscoWorks WLSE will also periodically monitor for changes in the status of rogue access points that are marked "Friendly" to alert the administrator in case its location and RSSI values change.

CiscoWorks WLSE Express detects unauthorized WLAN ad-hoc networks, and locates and identifies which wireless clients are participating in the network. It also detects clients spoofing authorized MAC addresses and generates notifications. CiscoWorks WLSE Express monitors per-channel excess wireless management frames such as excess association, disassociation, probe requests, responses, and authentication and de-authentication frames that may signal WLAN attacks such as denial-of-service (DoS) and "man-in-the-middle" attacks. EAP over LAN (EAPOL) flood-message monitoring provides a means to detect excess authentications requests by an intruder.

CiscoWorks WLSE Express provides a WLAN IDS dashboard that acts as a launch pad for all WLAN IDS features. The dashboard provides a summary of all WLAN IDS alarms. In addition, it displays WLAN IDS reports pertaining to rogue access points, unauthorized ad-hoc networks, and unregistered clients, which can be exported using comma separated value (CSV), PDF, and XML formats. These reports provide detailed information including the estimated location of the WLAN IDS fault, which access point detected it, its channel, and its basic service set identifier (BSSID). Administrators can select and enable specific WLAN IDS events they are interested in through a WLAN IDS profile. These WLAN IDS profiles can be customized per location to provide greater flexibility and control. Notifications can be sent through e-mail, syslog, or SNMP trap messages.

WLAN IDS protection can be tailored to suit individual needs:

• Integrated WLAN IDS-Standard Cisco Aironet access points are deployed with the radio (IEEE 802.11a, b, or g) placed in multifunction mode to service client devices and to provide WLAN intrusion monitoring. Intrusion detection information is gathered from the access points that scan the RF environment. Optionally, Cisco client cards and Cisco compatible client devices provide additional information about the RF environment. Rogue access point detection, unauthorized ad-hoc WLAN detection, and Excess Management Frame detection are supported using the integrated WLAN IDS.
• Dedicated WLAN IDS-A dedicated access point-only WLAN is deployed with the access point radio (802.11a, b, or g) placed in radio scan mode to support WLAN intrusion monitoring. Access points configured for dedicated IDS do not support clients. This solution provides continuous monitoring of the RF environment. Active-but-unassociated client device monitoring is supported to minimize the risk of clients associating to rogue access points and to protect the network from malicious intruders probing the RF environment for weaknesses.

Other security features of CiscoWorks WLSE Express include:

• Integrated Authentication and Authorization server-CiscoWorks WLSE Express provides an embedded User authentication and authorization server. For remote and branch-office locations, this provides WAN link survivability by providing local user-authentication services for both wired and wireless users. It supports popular EAP types including LEAP, PEAP, EAP-FAST, and EAP-TLS for up to
  500-1000 users. CiscoWorks WLSE Express also supports Lightweight Directory Access Protocol (LDAP) and Active Directory user directories for user authentication.
• Security policy monitoring-All access points on the network are monitored for consistent application of security policies. Alerts are generated for violations and can be delivered by e-mail, syslog, or SNMP trap notifications. Several policies including SSIDs, security schemes (Open, EAP), encryption, telnet, and HTTP settings can be monitored for enforcement.
• Secure user interface-CiscoWorks WLSE Express provides a secure HTML-based user interface that may be accessed anywhere, even through firewalls. In addition to the Web-based GUI, a command-line interface (CLI) like that in Cisco IOS Software provides direct console, Telnet, or SSH access for basic configuration and troubleshooting. CiscoWorks WLSE Express communicates with access points using HTTP Secure Sockets Layer (SSL) sessions for management.
• Role-based access model-CiscoWorks WLSE has a flexible, role-based user access model. For example, help desk personnel can be limited to viewing reports and faults. Several common authentication modules are supported, including TACACS+, and RADIUS. WLSE also enables centralized user administration by integrating with Cisco Secure ACS. Users can be defined and mapped to a user role centrally on Cisco Secure ACS.
• Management Frame Protection-CiscoWorks WLSE Express also provides Management Frame Protection (MFP), by which management frames between Access Points are authenticated, eliminating several WLAN attacks that arise due to spoofing of authorized devices. CiscoWorks WLSE Express enables MFP in the network and provides visibility into network events associated with MFP detection/protection.

Performance Optimization and High Availability

Interference detection and location is critical to maintaining a reliable WLAN. RF measurements sent to CiscoWorks WLSE Express include measurements for both 802.11 and non-802.11 interference. If the interference exceeds an administrator-defined threshold, a fault is generated so that the administrator can quickly locate and suppress the source of the interference.

• Air/RF scanning and monitoring-Cisco Aironet access points are multifunctional, with built-in RF scanning and measurement capabilities. CiscoWorks WLSE Express analyzes these RF measurements, provides notification if performance degrades, and displays air/RF coverage (Figure 2). It also analyzes RF measurements from Cisco Aironet and Cisco compatible client devices. Client air scanning and monitoring provide 10 to 20 times more RF measurement data than access-point RF measurements alone. Because WLAN clients can freely move about all areas of a building, the addition of client scanning and monitoring extends RF monitoring into areas most likely to contain rogue access points while allowing for more accurate detection.

Figure 2. CiscoWorks WLSE Express: RF Coverage

• Interference detection-CiscoWorks WLSE Express catalogs the physical location of all managed access points and creates a site map of the WLAN installation. This allows the wireless-aware network to detect points of interfering RF energy that affect network performance. The source of this energy could be a rogue access point or a device that operates in the same frequency range, such as a cordless telephone or leaky microwave oven. Interference detection and location is critical to maintaining a reliable WLAN. Administrators can define thresholds to generate fault notifications when detected interference levels are exceeded.
• Self-healing WLANs-CiscoWorks WLSE Express can detect and compensate for an access point that has failed by automatically increasing the power and cell coverage of surrounding access points. The self-healing process provides contiguous coverage to maximize the available coverage of the WLAN and minimize client impact.
• Automated resite surveys-CiscoWorks WLSE Express automatically reassesses radio throughput and performance to provide notification if performance falls below administrator-defined thresholds. New optimal settings can be found by running the site survey wizard, then applied to the network.
• Support for 802.11h/Dynamic Frequency Selection-Cisco Aironet 802.11a access points change the frequency when they detect radar transmission on the same channel to not interfere with the radar frequency. CiscoWorks WLSE Express will be notified of this and update its RF data model and Location Manager GUI coverage display to reflect the change.
• Warm standby redundancy-CiscoWorks WLSE Express supports redundancy through a primary and backup mechanism. If the primary fails, the backup automatically takes over. Data such as performance data, fault messages, and radio scans between the primary and backup is synchronized on a user-defined interval to minimize the loss of collected data when a backup takes over. A notification is generated during the switchover.

Reporting, Trending, Planning, and Troubleshooting

Real-time client tracking is a powerful tool for troubleshooting client network access issues. Using only a client name, user name (supported for Cisco LEAP and PEAP), or MAC address, it is easy to determine which access point a client is associated to in real-time. In addition, the previous 10 associations for the client and associated access points can be accessed to aid in troubleshooting.

CiscoWorks WLSE Express provides several reports to monitor the health of the network. Information about network usage, client association and usage, historical and current client usage statistics, Cisco Aironet access-point Ethernet and radio interfaces status, and error details are displayed in both graphical and tabular form. Reports may be generated both at the individual device level and the group level. All reports may be scheduled, delivered by e-mail, or exported in CSV, XML, and PDF formats.

CiscoWorks WLSE Express also provides comprehensive coverage display overlaid on floor maps to provide visibility into the RF environment. The CiscoWorks WLSE Express Location Manager tool can display a graphical view of radio coverage by data rate and signal strength. CiscoWorks WLSE also supports RF management for directional antennas. Details about device settings, including channel and power, can be overlaid on the coverage display.

CiscoWorks WLSE Express also provides reports to monitor the health of the Cisco Wireless LAN Services Module (WLSM) including the clients on each mobility group, client roaming summary and Wireless LAN Domain Services (WDS) status.

Deployment and Monitoring of Voice Over WLANS

CiscoWorks WLSE Express enables wireless network administrators to easily support voice over WLANs through a "Voice Express" configuration template. This enables the correct QoS and Call Admission Control (CAC) configurations to be deployed in supporting access points and wireless phones that support the WMM T-Spec standard for optimizing/prioritizing voice over data.

CiscoWorks WLSE Express monitors call statistics related to admission control, including rejected calls and calls in progress, which provide visibility into bandwidth usage for voice. It also supports Voice Traffic Stream Measurements from both access points and CCX v4 clients, which provide valuable information on roaming delay, calls with degraded QoS etc to aid in troubleshooting.

CiscoWorks WLSE Express provides client-association reports and client-tracking support for the Cisco Wireless IP Phone 7920. The client-tracking feature can be used for troubleshooting and finding associated access points.

Integration

When network faults are detected or user-defined performance thresholds are exceeded, CiscoWorks WLSE Express can generate notifications through SNMP traps and syslog messages. Integration with third-party network management systems is provided through these event messages. As part of the CiscoWorks network management series of products, CiscoWorks WLSE Express integrates with the CiscoWorks LAN Management Solution (LMS) and other CiscoWorks applications to increase the efficiency of managing a converged wired and wireless network. Device inventory and credentials, for example, can be imported or exported between CiscoWorks WLSE Express and CiscoWorks Resource Manager Essentials (RME) tool, an application that provides broad network management for a wide range of Cisco devices. If desired, device discovery may be turned off to allow automatic inventory synchronization with CiscoWorks RME. CiscoWorks WLSE Express uses the same default user roles as CiscoWorks LMS, but it allows customization. CiscoWorks WLSE Express can be launched from CiscoWorks LMS desktop.

CiscoWorks WLSE Express also provides an XML API for exporting data and for third-party integration. Devices in the network, detected faults and alarms, and reports and information collected from the network using SNMP can be exported to other external systems for customization.

CiscoWorks WLSE Express itself is a manageable device that supports SNMP MIB-II. CPU utilization and memory utilization of CiscoWorks WLSE Express can be monitored using SNMP.

FEATURES AND BENEFITS

Table 1 summarizes the features and benefits of CiscoWorks WLSE Express.

Table 1. Features and Benefits

SUPPORTED CISCO DEVICES

TECHNICAL SPECIFICATIONS

SUPPORTED WEB BROWSERS

• Mozilla Firefox 1.0.6

• Microsoft Internet Explorer Service Pack 1

CiscoWorks Wireless LAN Solution Engine Express 2.13