If you're entering the Wi-Fi world and concerned about security or session accounting, take a good look at the ORiNOCO AS-2000. This platform overcomes wireless administration, security, and accounting issues by leveraging existing elements of your network.
Now that we've evaluated and installed the device, we examine how it handles monitoring. Last of a 3-part series.
The AS Manager monitors the AS-2000 primarily through SNMP GETs and TRAPs. Its Monitoring and Diagnostics menu retrieves MIB-II counters for the interfaces table, IP, ICMP, ARP, TCP, UDP, and SNMP; the interfaces table, for example, includes established PPP sessions.
Admins can drill down to per-session statistics with the PPP monitor, which shows the dynamic IP address assigned to each NIC (MAC address).
To diagnose problems, use the Remote Link Test monitor (left). Like Link Test in the Client Manager, this monitor evaluates signal strength and quality between the AS-2000 and a test station. The main panel lists all radios broadcasting the same network name as the AS-2000, with or without an active AS Client session. Select a station to initiate a test; results can be logged on demand or at a specified interval.
The AS Manager also listens for incoming SNMP TRAPs (right). This is mostly useful for detecting system-level events, such as a yanked power cord (coldStart) or Ethernet cable (linkDown). The detail for PPP events is minimal; if you need to monitor session activity, see your RADIUS server log. In a production network, we would forward AS-2000 TRAPs to an EMS for persistent storage, severity-based email/pager notification, etc. An HP OpenView plug-in is available (untested).
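An added example, not code from the article or from Agere, of what the "forward TRAPs to an EMS" step involves: a minimal decoder for an SNMPv1 Trap-PDU that maps the generic trap type (coldStart, linkDown) to a severity for notification routing. The severity table, the enterprise OID 1.3.6.1.4.1.1, and the two trap byte strings are constructed for this example, not captured from an AS-2000.

```python
# Added example, not the article's or Agere's code: decode an RFC 1157 SNMPv1
# Trap-PDU and map it to an EMS severity; the severity table is an assumption.
GENERIC_TRAPS = {0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",
                 4: "authenticationFailure", 5: "egpNeighborLoss", 6: "enterpriseSpecific"}
SEVERITY = {"coldStart": "critical", "linkDown": "major", "linkUp": "clear"}

def read_tlv(buf, pos):                     # one BER TLV -> (tag, value, next)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (> 127 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def tlvs(buf):                              # all top-level (tag, value) pairs
    out, p = [], 0
    while p < len(buf):
        tag, val, p = read_tlv(buf, p)
        out.append((tag, val))
    return out

def decode_oid(raw):                        # first byte packs the first two arcs
    ids, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128, high bit = continuation
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            ids, cur = ids + [cur], 0
    return ".".join(map(str, ids))

def decode_trap(msg):
    tag, body, _ = read_tlv(msg, 0)
    (_, ver), (_, community), (ptag, pdu) = tlvs(body)
    if tag != 0x30 or ver != b"\x00" or ptag != 0xA4:
        raise ValueError("not an SNMPv1 Trap-PDU")
    ent, addr, gen, spec, ticks, vbl = [v for _, v in tlvs(pdu)]  # RFC 1157 order
    name = GENERIC_TRAPS.get(int.from_bytes(gen, "big"), "unknown")
    varbinds = {}
    for _, vb in tlvs(vbl):                 # each is SEQUENCE { OID, value }
        (_, oid), (_, val) = tlvs(vb)       # values decoded as INTEGER here
        varbinds[decode_oid(oid)] = int.from_bytes(val, "big", signed=True)
    return {"agent": ".".join(map(str, addr)), "enterprise": decode_oid(ent),
            "trap": name, "severity": SEVERITY.get(name, "info"),
            "uptime_ticks": int.from_bytes(ticks, "big"), "varbinds": varbinds}

SAMPLE_LINKDOWN = bytes.fromhex(            # constructed: linkDown, ifIndex.2 = 2
    "3038 020100 04067075626c6963 a42b 06062b0601040101 4004c000020a"
    " 020102 020100 43021234 3011 300f 060a2b060102010202010102 020102")
SAMPLE_COLDSTART = bytes.fromhex(           # constructed: coldStart, sysUpTime 0
    "3026 020100 04067075626c6963 a419 06062b0601040101 4004c000020a"
    " 020100 020100 430100 3000")
```

Varbind values are read as INTEGER only, which covers the ifIndex carried by linkDown/linkUp; a fuller receiver would switch on the value tag.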
Anyone investing in wireless infrastructure must be concerned about protecting that investment as the technology matures. The cost of a single AS-2000 and a few ORiNOCO cards is modest, but consider a university purchasing hundreds of AS-2000s to outfit an entire campus: it must be convinced that this infrastructure can evolve.
The AS-2000's dual-slot design and downloadable firmware make it conceivable to support new 5 GHz PC cards when they become available, increasing the transmission rate. Existing 2.4 GHz PC cards can be updated with new firmware and drivers to track the evolution of Wi-Fi standards, for example by adding support for 802.1x in Windows XP drivers.
The relationship between AS-2000 security features and the evolving 802.1x standard is harder to explain. 802.1x provides a framework for port-based authentication and key distribution. Using the Extensible Authentication Protocol (EAP) over Ethernet, a port access entity (an Ethernet switch or wireless bridge) authenticates a "supplicant" by consulting a back-end authentication server. This generic framework can be implemented with different EAP types; examples include EAP-MD5 for Ethernet port authentication and EAP-TLS for Wi-Fi port authentication.
According to Agere's Dorothy Stanley, Microsoft's Windows XP implements EAP-TLS for mutual authentication by digital certificate. First, each PC connects to a wired network to download a machine certificate. Thereafter, PCs use certificates for 802.1x wireless port authentication. Customers must deploy and maintain a certificate infrastructure, including Microsoft authentication servers (IAS and AD). TLS provides secure key exchange, but standard WEP is used for payload encryption.
In contrast, the AS-2000 does not require digital certificates: AS Clients authenticate with any method compatible with RADIUS and CHAP, including SecurID. With the AS-2000, CHAP rides over an encrypted association; in 802.1x, the identity is sent in cleartext. Both solutions automate key exchange, but the AS-2000 uses the exchanged keys to initialize a stateful RC4 encryption engine, avoiding the weakest part of WEP. Microsoft is releasing 802.1x for Windows XP and 2000; Agere's AS Client is available now for other Windows platforms.
Nonetheless, we believe that integrated OS support is important to simplify installation and configuration, creating the so-called "zero configuration" plug-and-play environment. Agere is on board with XP: it supports 802.1x/EAP-TLS in beta XP drivers now and will add it to access point products such as the new AP-2000 later this year.
This article was originally published on Friday Sep 7th 2001
Other 802.11 standards are extending the 802.1x framework to build wireless authentication above the MAC level, support further authentication types, and improve WEP encryption. Agere is actively involved in these efforts; the new 802.11i standards and market demand can be expected to influence AS-2000 evolution.
The Bottom Line
If you're entering the Wi-Fi world and concerned about security or session accounting, take a good look at the ORiNOCO AS-2000. Whether you're a university, an enterprise, or a public Internet access provider, this platform overcomes wireless administration, security, and accounting issues by leveraging RADIUS and DHCP servers that may already exist in your network. If strong security and accounting are not among your requirements, consider products in the ORiNOCO access point line, starting with the AP-500. Based on our experience, environments with Windows 95/98/ME clients will have the smoothest ride; NT shops may want to wait for the kinks to be ironed out.