#===========================================================================================================================
#Wi-Fi
#1.CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) is used to facilitate half-duplex communication
#2.Wireless communications are regulated by various international and national bodies
#3.Wireless signal coverage area must be considered:
# -signal range / distance
# -signal absorption
# -reflection
# -refraction - a radio wave bends as it enters another medium, where the signal propagates at a different speed
# -diffraction - ... blind zones as a result
# -scattering - when the radio wave goes through dust, fog, smog, etc.
# -interference - when one wave travels along the same path as another wave
# SSID - Service Set ID
# BSSID - Access Point (AP) MAC address on the wireless interface
# BSA - Basic Service Area - the area around the AP where the wireless network works normally
# BSS - Basic Service Set - a group of devices which are wirelessly connected via an AP
# ESS - Extended Service Set - a wireless network provided by many APs (see the example below)
# MBSS - Mesh Basic Service Set. Includes a RAP (Root AP) and MAPs (Mesh APs)
#Example ESS
#+---------------------------+
#| Extended Service Set      |
#+---------------------------+
#| AP1 Description           |
#| SSID: Home                |
#| BSSID: aaaa.bbbb.1122     |
#| Channel: 1                |
#+---------------------------+
#| AP2 Description           |
#| SSID: Home                |
#| BSSID: aaaa.eeee.1056     |
#| Channel: 6                |
#+---------------------------+
#In 802.11 the upstream wired network (switch) is called the DS (Distribution System)
#Each wireless BSS or ESS is mapped to a VLAN in the network
#ASSOCIATION PROCESS
#1. Not authenticated, not associated
#2. Authenticated, not associated
#3. Authenticated and associated
#The station must be authenticated and associated with the AP to send traffic through it
#There are two ways a station can scan for a BSS:
# -active scanning - the station sends probe requests and listens for a probe response from the AP
# -passive scanning - the station listens for Beacon messages from an AP
#Beacon messages are sent periodically by APs to advertise the BSS.
#802.11 Message Types
#There are three 802.11 message types:
# 1.Management - used to manage the BSS
#   -Beacon
#   -Probe request, Probe response
#   -Authentication
#   -Association request, Association response
# 2.Control - used to control access to the medium (radio frequency). Assists with delivery of management and data frames
#   -RTS - Request to Send
#   -CTS - Clear to Send
#   -ACK
# 3.Data
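#Added example (not part of the original notes): the three association states above, kept as the per-station
#state table an AP maintains, driven by the management/data frames listed here. Reason codes 6 and 7 are the
#standard 802.11 codes for a frame received in the wrong state; the frame-name strings and class name are a
#constructed simplification, not a real API.

```python
# 802.11 association state machine, as an AP keeps it per station (STA).
# States match the three steps in the notes; reason codes 6 and 7 are the
# standard 802.11 codes for a frame received in the wrong state. Frame names
# are a constructed simplification of the management/data frames listed above.

NOT_AUTH, AUTH_ONLY, AUTH_ASSOC = 1, 2, 3
REASON_CLASS2_NOT_AUTH = 6     # class 2 frame from a non-authenticated STA
REASON_CLASS3_NOT_ASSOC = 7    # class 3 frame from a non-associated STA


class ApStationTable:
    """Tracks each STA's state and decides what the AP does with a received frame."""

    def __init__(self):
        self.state = {}  # STA MAC -> state (absent means state 1)

    def _reject(self, st):
        # Standard reaction: deauthenticate in state 1, disassociate in state 2.
        if st == NOT_AUTH:
            return False, ("deauth", REASON_CLASS2_NOT_AUTH)
        return False, ("disassoc", REASON_CLASS3_NOT_ASSOC)

    def handle(self, mac, frame):
        """Apply one received frame from `mac`.
        Returns (accepted, reply) where reply is what the AP sends back, or None."""
        st = self.state.get(mac, NOT_AUTH)
        if frame == "auth_request":            # class 1: allowed in every state
            self.state[mac] = max(st, AUTH_ONLY)
            return True, "auth_response"
        if frame == "deauth":                  # class 1: back to state 1
            self.state[mac] = NOT_AUTH
            return True, None
        if frame in ("assoc_request", "disassoc"):   # class 2: needs state 2 or 3
            if st == NOT_AUTH:
                return self._reject(st)
            if frame == "assoc_request":
                self.state[mac] = AUTH_ASSOC
                return True, "assoc_response"
            self.state[mac] = AUTH_ONLY
            return True, None
        if frame == "data":                    # class 3: only in state 3 (the rule in the notes)
            if st != AUTH_ASSOC:
                return self._reject(st)
            return True, None
        raise ValueError(f"unknown frame type {frame!r}")
```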
#There are three main AP deployment methods:
# 1.Autonomous APs are self-contained systems that don't rely on a WLC (Wireless LAN Controller) and are configured individually.
# 2.Lightweight APs handle "real-time" operations like transmitting/receiving RF traffic. Other functions are carried out by
#   a WLC, for example RF management, security and QoS. This is called split-MAC architecture.
#   The WLC is also used to centrally configure the lightweight APs.
#   The WLC and lightweight APs authenticate each other using digital certificates installed on each device (X.509 standard certificates).
#   This ensures that only authorized APs can join the network.
#   The WLC and lightweight APs use a protocol called CAPWAP (Control and Provisioning of Wireless Access Points) to communicate.
#   The protocol is based on an older protocol called LWAPP (Lightweight Access Point Protocol).
#   The WLC creates 2 CAPWAP tunnels to each AP:
#   Control tunnel (UDP 5246) - used to communicate with, control and manage the APs
#   Data tunnel (UDP 5247) - all traffic from wireless clients is sent through this tunnel to the WLC. It doesn't go directly to the wired network.
#   Traffic in this tunnel is not encrypted by default, but you can configure it to be encrypted with DTLS (Datagram Transport Layer Security)
# !!! Because all traffic from wireless clients is tunneled to the WLC with CAPWAP, APs connect to switch access ports, not trunk ports.
# !!! But the links between switches and to the WLC must be tagged (trunk)
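#Added example, not from the original notes: a minimal CAPWAP (RFC 5415) datagram classifier that tells the control
#tunnel (UDP 5246) from the data tunnel (UDP 5247) and reports whether a datagram is DTLS-wrapped, which is how you
#would verify on a capture that the data tunnel really has DTLS enabled rather than the unencrypted default. Only the
#fixed CAPWAP header is decoded, not the inner 802.11 frame; the sample datagrams are constructed with the build_*
#helpers, and the function names are this example's own.

```python
import struct

CAPWAP_CONTROL_PORT = 5246   # control tunnel
CAPWAP_DATA_PORT = 5247      # data tunnel (client traffic to the WLC)

def build_capwap_header(rid=1, wbid=1, native_80211=True, frag_id=0, payload=b""):
    """Build a minimal 8-byte plain (non-DTLS) CAPWAP header; used to construct sample datagrams."""
    word = (2 << 19) | (rid << 14) | (wbid << 9) | (int(native_80211) << 8)  # preamble 0x00, HLEN=2 words
    return struct.pack("!IHH", word, frag_id, 0) + payload

def build_capwap_dtls_header(dtls_record):
    """CAPWAP DTLS header: preamble type 1 plus three reserved bytes, then the DTLS record."""
    return b"\x01\x00\x00\x00" + dtls_record

def parse_capwap(udp_dst_port, datagram):
    """Classify a datagram as control/data tunnel and report whether it is DTLS-wrapped.
    For a plain header, also decode the fields needed to reach the inner frame."""
    tunnel = {CAPWAP_CONTROL_PORT: "control", CAPWAP_DATA_PORT: "data"}.get(udp_dst_port)
    if tunnel is None or len(datagram) < 4:
        raise ValueError("not a CAPWAP datagram")
    version, ptype = datagram[0] >> 4, datagram[0] & 0x0F
    if version != 0 or ptype > 1:
        raise ValueError("unknown CAPWAP version/preamble type")
    if ptype == 1:                                 # DTLS header: everything after it is encrypted
        return {"tunnel": tunnel, "dtls": True}
    if len(datagram) < 8:
        raise ValueError("truncated CAPWAP header")
    word, frag_id, fo = struct.unpack("!IHH", datagram[:8])
    hdr_len = ((word >> 19) & 0x1F) * 4            # HLEN is counted in 4-byte words
    if hdr_len < 8 or len(datagram) < hdr_len:
        raise ValueError("bad HLEN")
    return {
        "tunnel": tunnel, "dtls": False,
        "rid": (word >> 14) & 0x1F,                # radio ID on the AP
        "wbid": (word >> 9) & 0x1F,                # wireless binding ID, 1 = IEEE 802.11
        "native_80211": bool((word >> 8) & 1),     # T bit: inner frame is 802.11 rather than 802.3
        "frag_id": frag_id, "frag_offset": fo >> 3,
        "inner_frame": datagram[hdr_len:],
    }

def unencrypted_data_tunnels(flows):
    """Audit helper: (src, dst) pairs whose data-tunnel datagrams are not DTLS-wrapped."""
    found = set()
    for src, dst, port, dgram in flows:
        info = parse_capwap(port, dgram)
        if info["tunnel"] == "data" and not info["dtls"]:
            found.add((src, dst))
    return sorted(found)
```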
#Some key benefits of using WLC
# -Scalability
# -Dynamic channel assignment
# -Transmit power optimisation
# -Self-healing wireless coverage - cover the coverage hole if one of the APs goes down
# -Seamless roaming - clients can roam between APs with no noticeable delay
# -Client load balancing
# -Security / QoS management
#Lightweight APs can be configured to operate in various modes:
# -Local - this is the default mode, where the AP offers a BSS (or multiple BSSs) for clients to associate with
# -FlexConnect - like a lightweight AP in local mode, it offers one or more BSSs for clients to associate with;
#   however FlexConnect allows the AP to locally switch traffic between the wired and wireless networks
#   if the tunnels to the WLC go down.
# -Sniffer - the AP does not offer a BSS for clients; it is dedicated to capturing 802.11 frames and sending them to
#   a device running software such as Wireshark
# -Monitor - the AP doesn't offer a BSS for clients; it is dedicated to receiving 802.11 frames, for example to disassociate
#   rogue devices from the AP.
# -Rogue detector - the AP doesn't even use its radio; it listens to the traffic on the wired network only. It receives
#   a list of suspected rogue client and AP MAC addresses from the WLC and, by correlating it with the MAC addresses it
#   sees on the wired network, it can detect rogue devices.
# -SE-Connect (Spectrum Expert Connect) - the AP doesn't offer a BSS for clients; it is dedicated to RF spectrum analysis
#   on all channels. It can send information to software such as Cisco Spectrum Expert on a PC to collect and analyze
#   the data, for example to find the source of interference.
# -Bridge / Mesh - like the autonomous AP's Outdoor Bridge mode, the lightweight AP can be a dedicated bridge between sites,
#   even over long distances. A mesh can be made between the APs.
# -Flex+Bridge - adds FlexConnect functionality to the Bridge / Mesh mode, allowing the APs to locally forward traffic
#   even if connectivity to the WLC is lost.
###Cloud-Based APs
#Cloud-based AP architecture is in between the autonomous AP and split-MAC architectures
# -Autonomous APs that are centrally managed in the cloud
#Cisco Meraki is a popular cloud-based Wi-Fi solution
#The Meraki dashboard can be used to configure APs, monitor the network, generate performance reports, etc.
#Meraki also tells each AP which channel to use, what transmit power, etc.
#However, data traffic is not sent to the cloud; it is sent directly to the wired network, as with autonomous APs
#Only management / control traffic is sent to the cloud.
###WLC Deployment
#In a split-MAC architecture, there are four main WLC deployment models:
# 1.Unified - the WLC is a hardware appliance in a central location of the network
# 2.Cloud-based - the WLC is a VM running on a server, usually in a private cloud in a data center
# 3.Embedded - the WLC is integrated within a switch
# 4.Mobility Express - the WLC is integrated within an AP
#========================================================================================================
##Security. There are multiple ways to authenticate: password, username+password, certificate
##Encryption (protocols, group key)
##Integrity (MIC = Message Integrity Check) - added to messages to help protect their integrity
#========================================================================================================
##Authentication Methods:
# -Open Authentication
# -WEP (Wired Equivalent Privacy)
# -EAP (Extensible Authentication Protocol)
# -LEAP (Lightweight EAP)
# -EAP-FAST (EAP Flexible Authentication via Secure Tunneling)
# -PEAP (Protected EAP)
# -EAP-TLS (EAP Transport Layer Security)
#802.1X - is used to limit network access for clients connected to a LAN or WLAN until they authenticate
# -Supplicant - the device that wants to connect to the network
# -Authenticator - the device that provides access to the network
# -Authentication Server (AS) - the device that receives the client's credentials and permits/denies access
#========================================================================================================
#Encryption and integrity Methods
# TKIP (Temporal Key Integrity Protocol)
# -Based on WEP, but more secure
# -Should not be used in modern networks
# -WPA
#
# CCMP (Counter/CBC-MAC Protocol)
# -AES counter mode for encryption
# -CBC-MAC for MIC (Message Integrity Check)
# -WPA2
#
# GCMP (Galois/Counter Mode Protocol)
# -AES counter mode for encryption
# -GMAC for MIC (Message Integrity Check)
# -WPA3
#========================================================================================================
#Wi-Fi Protected Access
# WPA/WPA2/WPA3 support two authentication modes:
# -Personal mode - PSK (Pre-shared key)
# -Enterprise mode - 802.1X is used with an authentication server (RADIUS server)
#
# WPA
# -TKIP (based on WEP) provides encryption/MIC
# -802.1X authentication (Enterprise mode) or PSK (Personal mode)
#
# WPA2
# -CCMP provides encryption/MIC
# -802.1X authentication (Enterprise mode) or PSK (Personal mode)
#
# WPA3
# -GCMP provides encryption/MIC
# -802.1X authentication (Enterprise mode) or PSK (Personal mode)
# -WPA3 also provides several additional security features, for example:
#   -PMF (Protected Management Frames), protecting 802.11 management frames from eavesdropping/forging
#   -SAE (Simultaneous Authentication of Equals) protects the four-way handshake when using Personal mode
#   -Forward secrecy prevents data from being decrypted after it has been transmitted over the air.
#    So, an attacker can't capture wireless frames and then try to decrypt them later.
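#Added example, not from the original notes: the passphrase-to-PMK mapping used in Personal mode (PBKDF2-HMAC-SHA1
#with the SSID as salt, 4096 iterations, 256-bit output, as specified by IEEE 802.11). It shows why the same PMK is
#shared by every client and every session of a PSK network, which is the Personal-mode property that WPA3's SAE and
#forward secrecy address. resolve_psk mirrors the wpa_supplicant/hostapd convention of accepting either a passphrase
#or a 64-hex-digit raw PSK; both function names are this example's own, not a library API.

```python
import hashlib
import re

def wpa_personal_pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PMK mapping for WPA/WPA2-Personal as specified by IEEE 802.11:
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit key.
    Every STA and the AP compute this independently; the result is the PSK/PMK,
    and it is the same for every client and every session on that SSID."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    salt = ssid.encode()
    if not 0 < len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, 4096, 32)

def resolve_psk(value: str, ssid: str) -> bytes:
    """Constructed helper (not a real API): accept either a passphrase or a
    64-hex-digit raw PSK, the way wpa_supplicant/hostapd config files do."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return bytes.fromhex(value)
    return wpa_personal_pmk(value, ssid)
```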
#========================================================================================================
#Connection
# WLC====Native VLAN for Mgmt + TRUNK====SWITCH-----access VLAN Mgmt----AP