
ibm.com/redbooks Redpaper

Front cover

Deploying the IBM Secure Wireless Networking Solution for Cisco Systems

Byron Braswell
Joe Earhart
Scott Friberg
Jamel Lynch
Justyna Nowak
Michaelle Walcutt

Sample deployment scenarios

Best practices

Site survey


International Technical Support Organization

Deploying the IBM Secure Wireless Networking Solution for Cisco Systems

February 2005


© Copyright International Business Machines Corporation 2005. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

First Edition (February 2005)

This edition applies to Version 5.1 of WebSphere Everyplace Connection Manager, Version 3.53 of IBM Access Connections, Version 8.2 of DB2 Express, Version 3.3.1 of Cisco Secure Access Control Server.

This document created or updated on October 20, 2005.

Note: Before using this information and the product it supports, read the information in “Notices” on page vii.


Contents

Notices ... vii
Trademarks ... viii

Preface ... ix
The team that wrote this Redpaper ... ix
Become a published author ... x
Comments welcome ... x
Qualification criteria ... xi

Chapter 1. Introduction ... 1
1.1 Wireless technology ... 2
1.1.1 The 802.11 standard ... 2
1.1.2 Security ... 2
1.1.3 Components ... 2
1.1.4 Is wireless important? ... 2
1.1.5 Summary ... 3
1.2 Scope of document ... 3
1.3 Qualification criteria ... 3

Chapter 2. Target client market ... 5
2.1 SMB client requirements for wireless networking ... 6
2.1.1 A recommended solution ... 6
2.2 Customer checklist ... 7
2.2.1 Site survey ... 7

Chapter 3. Details of architecture ... 13
3.1 Context diagram ... 14
3.2 Summary of the project ... 14
3.3 Design points and architectural decisions in SMB environment ... 15
3.3.1 Identify client's needs and wants ... 15
3.3.2 Describe functional and non-functional requirements for a new solution ... 16
3.3.3 Create use cases to eventually design appropriate system architecture ... 18
3.3.4 Choose appropriate technology and runtime of the solution ... 20
3.3.5 Perform product mapping ... 22
3.3.6 Create operational model as the base for the deployment of the solution ... 25
3.4 Wireless LAN security considerations ... 25
3.4.1 Wireless infrastructure security on device and data contained within ... 26
3.4.2 Encryption key management ... 26
3.4.3 Performance ... 26
3.4.4 Protocol and Standards ... 26
3.4.5 Encryption and authentication ... 27
3.5 Architectural overview diagram ... 32
3.6 Operational model ... 33

Chapter 4. Implementation scenarios ... 39
4.1 Scenario 1: Deploy wireless LAN on a client site ... 40
4.1.1 Installation planning ... 40
4.1.2 Environment check ... 40
4.1.3 Hardware and software to install and configure ... 41

© Copyright IBM Corp. 2005. All rights reserved. iii


4.1.4 Windows 2003 Server Enterprise Edition ... 41
4.1.5 Cisco Secure Access Control Server (ACS) V3.3.1 ... 41
4.1.6 Microsoft Active Directory ... 44
4.1.7 Microsoft DHCP Server ... 47
4.1.8 Modify Internet Explorer settings ... 50
4.1.9 Install Java JRE for Cisco Secure ACS ... 50
4.1.10 Configure LEAP authentication with Cisco ACS and 1131 AP ... 51
4.1.11 IBM Access Connections V3.53 ... 65
4.1.12 Configuring MS-PEAP authentication with Cisco ACS and 1131 AP ... 74
4.1.13 Configuring wireless clients for MS-PEAP authentication ... 96
4.1.14 Verify ... 107
4.1.15 Troubleshooting ... 108
4.1.16 Printers ... 109
4.2 Scenario 2: Mobile access from home ... 113
4.2.1 Installation planning ... 113
4.2.2 Environment check ... 113
4.2.3 Security considerations ... 114
4.2.4 Hardware and software to install and configure ... 114
4.2.5 Red Hat Enterprise 3.0 Linux installation ... 115
4.2.6 OpenLDAP configuration ... 136
4.2.7 DB2 8.2 Express installation ... 139
4.2.8 WebSphere Everyplace Connection Manager V5.1 installation ... 145
4.2.9 WECM server software configuration ... 146
4.2.10 Create Connection Manager ... 147
4.2.11 Add secondary authentication ... 163
4.2.12 Associate the profiles ... 166
4.2.13 Cisco ACS server ... 168
4.2.14 WebSphere Everyplace Connection Manager V5.1 mobility client ... 169
4.2.15 Access Connections V3.53 ... 174
4.3 Scenario 3: Mobile access from hot spots ... 176
4.3.1 Security considerations ... 176
4.4 Scenario 4: Mobile access via WAN ... 177

Chapter 5. Components, product details, and supporting material ... 179
5.1 Cisco components ... 180
5.1.1 Cisco Secure Access Control Server V3.3.1 ... 180
5.1.2 Cisco Aironet 1130AG Series IEEE 802.11A/B/G Access Point ... 180
5.1.3 Cisco 2800 Integrated Services Router ... 181
5.2 IBM components ... 182
5.2.1 IBM ThinkPad models T, X, R ... 183
5.2.2 IBM Access Connections ... 184
5.2.3 IBM Embedded Security System (ESS) ... 185
5.2.4 Advantages of ThinkVantage Technologies ... 185
5.3 IBM eServer xSeries 226 ... 187
5.4 IBM Infoprint 1422 ... 188
5.5 IBM WebSphere Everyplace Connection Manager (WECM) ... 188
5.5.1 WebSphere Everyplace Connection Manager Starter Edition V5.1 ... 189

Appendix A. Deploying Access Connections ... 191
Access Connections deployment features ... 192
Installing IBM Access Connections ... 192
Installing the integrated IBM Access Connections package ... 192
Installing the standalone IBM Access Connections ... 192

iv Deploying IBM Secure Wireless Solution for Cisco Systems


Enabling the Administrator Feature ... 193
Using the Administrator Feature ... 194
Preparing for a new-image installation ... 198
Deploying Access Connections location profiles remotely ... 199
Unattended deployment ... 199
Attended deployment ... 200

Appendix B. The IBM Embedded Security Subsystem ... 201
Trusted Platform Module ... 202
Client Security Software ... 202
Typical configuration ... 202
Advanced configuration ... 203
IBM Password Manager ... 203
IBM fingerprint software ... 204

Abbreviations and acronyms ... 205

Related publications ... 207
IBM Redbooks ... 207
Other publications ... 207
How to get IBM Redbooks ... 207
Help from IBM ... 207
IBM Software Group support contact information ... 207
IBM eServer and Personal Computing Division contact information ... 208
IBM Printing Systems Division support contact information ... 208
Cisco support contact information ... 208

Index ... 209


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.


Trademarks

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:

Chipkill™
DB2®
e-business on demand™
eServer®
Everyplace®
ibm.com®
IBM®
ImageUltra™
Infoprint®
Lotus Notes®
Lotus®
Notes®
Perform™
Redbooks (logo)™
Redbooks™
Rescue and Recovery™
SecureWay®
THINK®
ThinkCentre™
ThinkPad®
ThinkVantage™
Tivoli®
UltraConnect™
WebSphere®
xSeries®

The following terms are trademarks of other companies:

Aironet, Cisco IOS, and Cisco Systems, are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. The use of the word partner does not imply a partnership relationship between Cisco and any other company.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.


Preface

Wireless local area networks (LAN) connectivity within a small or medium enterprise intranet is becoming affordable and, in many cases, a necessity for businesses of any size. Additionally, access to enterprise intranet applications from home, hotel, and wireless “hot spots” is a requirement for mobile employees.

However, small and medium businesses (SMBs) span companies of many sizes and industries. Therefore, finding a single wireless LAN and mobile connectivity solution that fits every SMB's requirements is practically impossible.

This Redpaper discusses planning and architecture considerations for SMBs looking at installing wireless LANs within their enterprise and providing mobile connectivity from the Internet. In addition, this Redpaper includes a detailed, step-by-step scenario of installing a wireless LAN and support for mobile connectivity in a very basic environment.

The intention is that these simple steps can be expanded on and modified as required to meet the installation requirements for whatever solution is arrived at for a specific customer environment.

The team that wrote this Redpaper

This Redpaper was produced by a team of specialists from around the world working at the International Technical Support Organization, Raleigh Center.

Byron Braswell is a Networking Professional at the International Technical Support Organization, Raleigh Center. He received a B.S. degree in Physics and an M.S. degree in Computer Sciences from Texas A&M University. He writes extensively in the areas of networking and host integration software. Before joining the ITSO four years ago, Byron worked in IBM Learning Services Development in networking education development.

Joe Earhart is a Systems Engineer based in Research Triangle Park (RTP), North Carolina. He has 25 years of experience in the telecommunications field and has worked at Cisco Systems for the past four years. His areas of expertise include TCP/IP, routing, switching, wireless, and storage area networking.

Scott Friberg (CCIE #9606) is a Systems Engineer, based in RTP, North Carolina. He has been with Cisco Systems for six years.

Jamel Lynch is a Senior Consultant and IT Architect in the IBM Strategic Consulting Group (SCG). Prior to joining the SCG, he served as a Development Engineer in the Personal Computing Division at RTP, North Carolina, responsible for integrating emerging wireless technology into the IBM brand of ThinkPad systems. Mr. Lynch holds a B.S. degree in Electrical Engineering from the Virginia Military Institute, and an M.S. degree in Electrical Engineering from the Virginia Tech College of Engineering.

Justyna Nowak is a Solution IT Architect in IBM Emerging & Competitive Markets, Global SMB. In this role she designs solution architectures for SMB customers based on emerging technologies. She has over 16 years of experience in IT, including application programming, system and network design, UNIX systems administration and management, as well as technical consulting and design of solution architectures. She has held a variety of international technical and technical marketing positions with concentration on applying IT for medical research and the deployment of complex enterprise application systems integrated with e-business solutions. Justyna holds an M.S. degree in Computer Science from the Technical University of Wroclaw, Poland.

Michaelle Walcutt has 14 years of experience in the computer technologies industry. She is currently a Technical Project Manager for the IBM Personal Computing Division, where she has worked for the past 9 years. Her responsibilities include the overall development and project management of several ThinkVantage Technologies, including Software Delivery Assistant, System Information Center, Software Delivery Center, and ImageUltra. Prior to working for IBM, Michaelle helped to plan, manage, and execute large migration projects for large enterprise businesses.

Thanks to the following people for their contributions to this project:

Margaret Ticknor, Tamikia Barrow, Linda Robinson, KaTrina Love
International Technical Support Organization, Raleigh Center

Dennis Anderson, Ray Chandler, Edward Dyll, Gregory Eller, Egbert Gracias, Thomas Grimes, Donald Janeway, Peter Lee, Ratan Ray, Michael Wiles, Adam Wong
IBM RTP

Become a published author

Join us for a two-to-six week residency program! Help write an IBM Redbook dealing with specific products or solutions, while getting hands-on experience with leading-edge technologies. You will team with IBM technical professionals, Business Partners, and clients.

Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you will develop a network of contacts in IBM development labs and increase your productivity and marketability.

Find out more about the residency program, browse the residency index, and apply online at:

ibm.com/redbooks/residencies.html

Comments welcome

Your comments are important to us!

We want our papers to be as helpful as possible. Send us your comments about this Redpaper or other Redbooks in one of the following ways:

• Use the online Contact us review redbook form found at:
  ibm.com/redbooks

• Send your comments in an e-mail to:
  [email protected]

• Mail your comments to:
  IBM Corporation, International Technical Support Organization
  Dept. HZ8 Building 662
  P.O. Box 12195
  Research Triangle Park, NC 27709-2195

Qualification criteria

Please note that this document is intended to be used by qualified technicians who have completed training in the IBM Secure Wireless Networking Solution for Cisco Systems course (TZI31), or who have completed both the Implementing IBM Client Security course (TXI20) and the WebSphere Everyplace Connection Manager courses. Course enrollment information can be found at the following Web sites:

https://www.pc.ibm.com/training/pcd-thinkvantage-technology.html
http://www.pc.ibm.com/training/index-bp.html
http://knactest.lotus.com:8000/swg/EnableNow.nsf/doc/MMUY-629NPC


Chapter 1. Introduction

The need for information does not stop when you move from office to conference room, office to home, or office to airport. Wireless technology gives you the power of information— wherever you are. This chapter discusses the standards, security, and components of wireless technology. It also provides a scope of this Redpaper and discusses the importance of wireless technology to IBM.


1.1 Wireless technology

Wireless communication solutions that provide logical presence through physical roaming, or the ability to stay in touch on one's own terms, are in great demand. Today, these capabilities are requested by mobile professionals and other workers who want to download e-mail, update their calendars, send or receive a fax, check inventory, place an order, record route status, call a client, or talk to a peer: in short, a virtual office anywhere, anytime.

1.1.1 The 802.11 standard

The 802.11 standard, specified by the Institute of Electrical and Electronics Engineers (IEEE), defines wireless Ethernet, or wireless LAN (WLAN). Solutions employing 802.11a, b, and g are designed to replace or complement wired LANs with wireless technology, eliminating cable runs and the associated networking hardware.

High-frequency WLANs, commonly called Wi-Fi, are specified in the 802.11a, b, and g standards (new standards and speeds are continually emerging). This technology is popular for business as well as for home networks. Wi-Fi operates in the 2.4 GHz band (802.11b and g) and the 5 GHz band (802.11a), with data rates of up to 11 megabits per second for 802.11b and up to 54 megabits per second for 802.11a and g.

The small-business and home-office market are the primary drivers behind Wi-Fi device adoption. Since 802.11 equipment prices dropped below the cost of installing Ethernet cable runs and the associated Ethernet hardware, many business users choose Wi-Fi-based networks.

1.1.2 Security

With wireless communication, an intruder does not need physical access to the wired network in order to reach data communications: anyone within radio range can receive the traffic. To protect against this, 802.11 wireless communications can employ data encryption and authentication. When these are enabled and properly configured (see 3.4.5 and the LEAP and MS-PEAP scenarios in Chapter 4), they provide privacy comparable to that of a traditional wired network; when they are left at their defaults, they provide none.

1.1.3 Components

A WLAN consists of two main components:

• An access point, which receives the wireless signal and forwards it onto the internal wired network

• A wireless LAN-enabled client, such as a mobile computer

Encryption and authentication are optional, and wireless access points are typically shipped with both turned off. Throughout this document we recommend that encryption and authentication be mandatory for any wireless implementation. Check your wireless network security frequently: employees often add new wireless devices on their own, and an unauthorized access point bridged to the wired LAN gives an attacker an easy way in.
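As an added example (not part of the Redpaper), the following Python audits a wireless scan against the list of authorized access points and flags the situations this section warns about: an unknown radio advertising the corporate SSID, an authorized access point running without encryption, and an employee-installed open access point. The BSSIDs, SSIDs and scan records are constructed sample data; in practice the scan would come from the site-survey tool or from a client command such as `iw dev wlan0 scan`, reduced to one record per BSSID.

```python
"""Audit a wireless scan for rogue, spoofed or unencrypted access points.

Added example, not part of the Redpaper. The authorized list and the scan
records are constructed sample data.
"""

# Authorized infrastructure, BSSID -> SSID it should advertise (constructed).
AUTHORIZED_APS = {
    "00:0b:85:11:22:31": "corp-wlan",
    "00:0b:85:11:22:32": "corp-wlan",
    "00:0b:85:11:22:33": "corp-wlan",
}
CORPORATE_SSIDS = {"corp-wlan"}

# Constructed scan: (bssid, ssid, channel, privacy bit set in the beacon).
# The Privacy bit is what a scanner reports when WEP or WPA is enabled.
SAMPLE_SCAN = [
    ("00:0b:85:11:22:31", "corp-wlan", 1, True),
    ("00:0b:85:11:22:32", "corp-wlan", 6, True),
    ("00:11:22:33:44:55", "corp-wlan", 11, True),     # our SSID from a radio we do not own
    ("00:0b:85:11:22:33", "corp-wlan", 11, False),    # our AP, encryption switched off
    ("00:1a:2b:3c:4d:5e", "linksys", 6, False),       # employee-installed AP, open
    ("00:aa:bb:cc:dd:ee", "cafe-next-door", 1, True),  # neighbour; confirm it is not on our LAN
]


def audit_scan(scan, authorized=AUTHORIZED_APS, corporate_ssids=CORPORATE_SSIDS):
    """Return a sorted list of (bssid, finding) pairs.

    Findings:
      evil-twin      our SSID advertised by a BSSID that is not ours
      open-auth-ap   one of our APs is running without encryption
      ssid-mismatch  one of our APs advertises an SSID it should not
      rogue-open-ap  unknown AP with no encryption (typically employee-installed)
      unknown-ap     unknown encrypted AP; confirm it is a neighbour, not a rogue
    Correctly configured, authorized APs produce no finding.
    """
    findings = []
    for bssid, ssid, _channel, privacy in scan:
        bssid = bssid.lower()
        if bssid in authorized:
            if not privacy:
                findings.append((bssid, "open-auth-ap"))
            elif ssid != authorized[bssid]:
                findings.append((bssid, "ssid-mismatch"))
        elif ssid in corporate_ssids:
            findings.append((bssid, "evil-twin"))
        elif not privacy:
            findings.append((bssid, "rogue-open-ap"))
        else:
            findings.append((bssid, "unknown-ap"))
    return sorted(findings)


if __name__ == "__main__":
    for bssid, finding in audit_scan(SAMPLE_SCAN):
        print(f"{finding:14} {bssid}")
```

The `unknown-ap` class is the one that needs follow-up on the wired side: whether that radio's MAC address shows up in a switch forwarding table decides between a neighbour's network and a rogue bridged into the LAN.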

1.1.4 Is wireless important?

Wireless technology is important to IBM because it makes virtualization and integration of e-business resources much easier to achieve. Virtualization, one of the four pillars of the IBM e-business on demand initiative, gives you computing power when and where you need it, such as with virtualized networks. For example, Grid technologies let you share and manage collections of resources as though they were a large, virtualized computer; wireless provides the “anywhere, anytime” access to this powerful system.

Integration, another of the pillars, is the heart of e-business on demand. Horizontal integration lets you connect to data, legacy systems, and custom business applications inside and outside your business, delivering such benefits as real-time transaction processing, data mining, and decision-support systems. Wireless data-translation protocols allow disparate devices to effectively use the information from all sources.

1.1.5 Summary

The marriage of wireless communications and mobile computing will transform the way we do business. The convergence of hardware, software, communications, and wireless technologies will ensure that information and services are available to computer users at all times, in all places. Many different wireless communication technologies currently support hundreds of services. Cellular and cordless phones, pagers, portable computers, mobile radio units, and vehicle tracking units all use a wide range of protocols and transport options. Personal Digital Assistants (PDAs) combine separate voice and data functions in compact portable packages.

The communications technologies offer a choice of methods, with several wired and wireless options available in a single device, the most appropriate one being selected automatically according to the kind of information transfer required, the physical location of the device, and the needs of the user.

1.2 Scope of document

In this document, we focus on implementing secure wireless communications between ThinkPad computers and enterprise applications running on the corporate intranet. We discuss planning and architecture considerations for SMBs that are looking at installing wireless LANs within their enterprise and mobile connectivity from the Internet. In addition, we cover a detailed, step-by-step scenario of installing a wireless LAN and support for mobile connectivity in a very basic environment. The use cases documented are intended to support installations of up to 250 clients. Installations with more than 250 clients will most likely need different switches and will potentially require bridged networks. Bridged networks are beyond the scope of this document.

1.3 Qualification criteria

To ensure reliability and delivery consistency, Business Partners must meet a set of qualification criteria to be listed by IBM and Cisco as a recommended reseller for this solution. Qualified Partners receive sales leads from IBM and Cisco, and enjoy access to a deployment guide, training courses, and marketing collateral.

To become a qualified Business Partner you must meet the following qualification criteria:

• Be an authorized IBM and Cisco reseller for all solution elements (PCD, SWG, xSeries, PSD, Cisco)

• Be a Cisco Certified Partner. You can find certification requirement information at the following Web address:

http://www.cisco.com/en/US/partners/index.html


• Be a Cisco Wireless LAN Design Specialist. You can find certification requirement information at the following Web address:

http://www.cisco.com/en/US/partner/learning/le3/le2/le41/le86/learning_certification_type_home.htm

• Have at least one technical representative complete either of the following courses:

– Implementing and Securing a Wireless LAN, TXI21

http://www.pc.ibm.com/training/txi21.html

– Implementing IBM Client Security, TXI20

http://www.pc.ibm.com/training/txi20.html

• Have at least one technical representative complete the WebSphere Everyplace Connection Manager workshop available at the following Web address:

https://www.developer.ibm.com/spc/events/ws_econnection.html

• Have at least one sales representative complete the following course:

– How to Sell the IBM Secure Wireless Solution for Cisco Systems (Course # SSW25). Visit the following Web address for enrollment information:

http://www.pc.ibm.com/training/course_catalog_sales.html

To enroll in the program, contact your IBM Channel sales specialist.

Additional information is available at the IBM “Wireless e-business University”. Business Partners can get to it through Partnerworld:

1. Sign in to Partnerworld with your user ID and password.

2. Select training and certifications.

3. Select training resources.

4. Select technical training.

5. Select Wireless e-business university.

http://www.ibmweblectureservices.ihost.com/services/weblectures/dlv/Gate.wss?handler=Login&action=index&customer=ibm&offering=pvcu&sequence=1


Chapter 2. Target client market

This chapter discusses some of the requirements that a small to medium business (SMB) needs for wireless networking and provides proposed solutions.


2.1 SMB client requirements for wireless networking

Small and medium businesses value wireless mobility but are concerned with network security and implementation issues:

• Difficulty of designing a secure wireless network

• Complexity, with seemingly endless choices available

• Limited IT resources

• New skill requirements

• Time-consuming implementation

• Unneeded business interruption

• Support issues

Customers interested in wireless networking want the following:

• A highly secure wireless infrastructure

• Improved productivity and ease of use

• Cost effectiveness

• Investment protection

• Turnkey implementation services

Further discussion of wireless LAN considerations for SMB customers can be found at:

http://www.ibm.com/businesscenter/smb/us/en/wireless

2.1.1 A recommended solution

IBM and Cisco created the IBM Secure Wireless Networking Solution for Cisco Systems® and recommend it to small and medium businesses that want a secure wireless LAN with remote access. The solution is part of the IBM Express portfolio and combines familiar components into a single secure wireless networking solution, tested for end-to-end compatibility.

Delivered with minimal business interruption by qualified Business Partners, the IBM Secure Wireless Networking Solution for Cisco Systems takes the complexity out of the seemingly endless wireless choices and provides enterprise-class security and wireless access at an affordable price.

Users benefit from improved mobility, productivity, and secure wireless access both in and out of the office. The integration of IBM ThinkVantage Technologies (Embedded Security Subsystem and Access Connections), Cisco Secure Access Control Server software, and IBM WebSphere Everyplace Connection Manager provides ease of use and ease of deployment, helps maximize security, and allows seamless roaming between existing networks.

The IBM Secure Wireless Networking Solution for Cisco Systems provides a secure wireless foundation that allows companies to start simple and grow by adding other wireless applications and pervasive devices.

This solution brings together the following tested hardware and software from IBM and Cisco, together with IBM Business Partner implementation and support services:

• IBM ThinkPad Notebooks (Express Models including Integrated Wireless and the Embedded Security Subsystem)

• IBM xSeries Servers (Express Models)

• Cisco Aironet® Access Points

• Cisco Secure Access Control Server software

• IBM WebSphere Everyplace Connection Manager (WECM)

• IBM InfoPrint Wireless Printers

• Business Partner implementation and support services

2.2 Customer checklist

The following sample site survey reviews planning considerations to keep in mind when contemplating adding wireless and mobile access to a wired LAN.

2.2.1 Site survey

Wired LAN

To adequately design and install the network components that comprise the Secure Wireless Solution, carefully consider and provide for the additional physical network components (servers, access points, router, switch, firewall, and so on) that may be added to the existing environment. Each wireless access point and server requires additional power and Ethernet connections. The key to any successful network design is to consider not only what is currently installed and what you are about to install for the Secure Wireless Solution, but also what you may install in the future. The following is a list of items to consider when adding Secure Wireless LAN Solution components to your existing environment.

1. Wireless Access Point - The Cisco AP-1130AG requires an Ethernet connection to an Ethernet switch. There are two options for powering the access point (AP):

– A local power adapter “brick” that converts 110 VAC to DC power. Because the AP is normally mounted overhead, you then need to provide an AC outlet near each AP location.

– A more convenient approach is to use the Cisco 2800 series Integrated Services Router (ISR), which has an Ethernet switch supporting IEEE 802.3af Power over Ethernet (PoE). PoE allows the switch to be centrally located in a wiring closet or other secure area while the Ethernet cable itself delivers DC power to the AP.

This eliminates the need to install AC outlets and gives some flexibility if an AP needs to be moved to a new location.

2. Cisco 2800 series Router/Switch ISR - This device integrates the wired components into the existing network. The ISR provides not only the physical Ethernet connections but can also be configured to implement higher-level IP services such as DHCP, routing, filtering, and firewall functions as required. Carefully consider how many Ethernet connections will be added to the network: Cisco access points, the Cisco Secure ACS server, and the IBM WECM server.

3. Consider how you will connect the new wireless network to the existing wired network. Are there adequate ports available in the current network switches? Typically the distance limit between an Ethernet switch and an end device is 100 m. If an AP needs to be positioned beyond this limit, an intermediate switch might be required.

4. To support IEEE 802.3af Power over Ethernet, verify that the installed Ethernet cable is at least Cat5 or better. For more information on PoE technology, visit the following Web site:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns147/ns412/networking_solutions_white_paper09186a008026641c.shtml


5. Determine whether you will add the new wireless network to the existing IP network address space. Is the DHCP scope adequate? If you plan to use a new network, you will need a router to interconnect it with the existing network; a separate network also lets the ISR's filtering and firewall functions (item 2) control what wireless clients may reach on the wired LAN. Do you have access to your local router to add or modify networks?

6. Find out whether a firewall is currently in use. Will a DMZ be used for WECM connections? Can the firewall be configured for this function?
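Two of the items above, the size of the DHCP scope and whether the wireless network gets its own IP network, can be checked before any cabling starts. The following Python is an added example (not from the Redpaper) that sizes a subnet for the wireless clients plus the access points, servers and gateway that the wired-LAN list adds, and tests an existing DHCP range against it. The counts and the 192.168.1.0/24 scope are constructed assumptions for a hypothetical office. It shows why the 250-client limit in 1.2 is also an addressing limit: a /24 has 254 usable addresses, and once the access points, servers and gateway take theirs and some growth is reserved, 250 clients do not fit.

```python
"""Size the wireless IP network and check an existing DHCP scope.

Added example, not part of the Redpaper. Counts and addresses are
constructed assumptions for a hypothetical office.
"""
import ipaddress
import math


def hosts_needed(clients, access_points, servers, gateways=1, growth=0.25):
    """Addresses the wireless network must hold: clients plus a growth reserve
    (a fraction of the client count), plus every infrastructure device that
    also takes an address on this network (APs, ACS/WECM servers, gateway)."""
    return math.ceil(clients * (1 + growth)) + access_points + servers + gateways


def smallest_prefix(hosts):
    """Smallest IPv4 prefix length whose usable range holds `hosts` addresses.

    A /p network has 2**(32-p) addresses; the network and broadcast addresses
    are not usable, so 2**(32-p) - 2 must be >= hosts."""
    for prefix in range(30, 7, -1):          # /30 is the smallest usable subnet
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("more hosts than a single /8 can address")


def scope_check(network, first, last, clients):
    """Return (fits, leases): does the DHCP range first..last, which must lie
    inside `network`, offer at least one lease per wireless client?"""
    net = ipaddress.ip_network(network, strict=True)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo not in net or hi not in net or lo > hi:
        raise ValueError("DHCP range must lie inside the network, low to high")
    if lo == net.network_address or hi == net.broadcast_address:
        raise ValueError("DHCP range must not include the network or broadcast address")
    leases = int(hi) - int(lo) + 1
    return leases >= clients, leases


if __name__ == "__main__":
    need = hosts_needed(clients=250, access_points=8, servers=2)
    print(f"{need} addresses needed -> use a /{smallest_prefix(need)}")
    fits, leases = scope_check("192.168.1.0/24", "192.168.1.100", "192.168.1.254", 250)
    print(f"existing scope has {leases} leases; holds 250 clients: {fits}")
```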

Wireless LAN

Typically, radio waves do not travel the same distance in all directions. Physical objects such as walls, doors, furniture, elevator shafts, and people distort Radio Frequency (RF) patterns, so coverage is irregular and hard to predict.

The goal of an RF site survey is to gather adequate information to determine the number and placement of access points that will provide adequate coverage throughout the facility. Consider possible interference from outside sources, as this affects the overall quality of wireless LAN (WLAN) operation.

Many factors can affect the requirements and complexity of a site survey. To cover a two-room office in a wood-frame building, a site survey might not even be necessary. Compare this to a metal-frame structure of two or more stories that houses heavy machinery. These and other large facilities, such as hospitals, warehouses, or busy RF areas, may require detailed surveys to adequately plan a complete RF coverage model.

The following is a list of general items to consider and steps to follow when deploying a wireless LAN. This list is only a guideline and may not be all-inclusive for your individual environment or specific facilities.

• What are the applications and bandwidth requirements per user, now and in the future?

• What is the density of WLAN users in any given coverage area? Make sure you consider meeting rooms, public areas, cafeterias, and auditoriums.

• What future applications are being considered?

• Aesthetics?

• What are the local building regulations?

– Plenum spaces

– HVAC-restricted areas

• Are there any issues with regulations governing use of 802.11? Although 802.11 uses unlicensed RF spectrum, there may be special regulations in medical and airport environments.

• Does the facility construction type (metal, wood) interfere with the RF signal?

– Multiple floors

– Numerous rooms

– Sensitive equipment

– Hospital equipment should be built to a standard that avoids RF interference

– Physical security

• Mounting and lock-down

• Place above the ceiling and out of sight whenever possible

– Is there potential interference? Are other 2.4 and 5 GHz systems in place nearby?


• What is the frequency of use? (Plan for peak use.)

– Meeting/conference areas

– Public use

– Inventory (monthly/quarterly) peaks

• Antennas and access points should be hidden to avoid damage and theft.

• What are the current capability, performance, and health of the wired network today? What changes and additions are planned that might cause performance concerns?

• The following specialty devices can cause interference:

– Telemetry equipment

– Industrial equipment

– Microwave ovens

Consider these general steps when conducting an RF site survey. Figure 2-1 on page 10 and Figure 2-2 on page 10 illustrate some of these suggestions.

1. Use a facility blueprint (floor plan).

A floor plan shows the locations of walls, stairwells, elevators, walkways, and any special building considerations. You can then use the blueprint to document placement of the access points and any cabling or power configurations.

2. Visually walk the facility.

Be sure to inspect the facility visually before proceeding with any tests. Note any potential problem areas that might affect the RF signal and that are not shown on the blueprint, for example metal enclosures, racks, and equipment.

3. Identify wireless user areas.

Mark the areas where mobile users are likely to work, such as meeting rooms, cafes, and auditoriums. Likewise, analyze where users will not be, in order to limit the number of WAPs.

4. Note the approximate location of access points.

Based on your previous assumptions, note the approximate locations of the WAPs. The coverage cells of adjacent WAPs should overlap, but adjacent WAPs should use non-overlapping channels (1, 6, and 11 in the 2.4 GHz band, as in Figure 2-4 on page 11); document the channel plan. Note the possible mounting locations for the APs. Be mindful of physical security, power outlets if not using PoE, cable routing, and distance limitations.

5. Verify the actual location of the WAPs.

Use a signal strength meter or a data rate and signal quality tool to verify that the approximate locations noted in the previous step meet the signal requirements. Validate the design using the same or similar wireless systems and antennas that end users will use. Document the readings and re-test. Re-validate at different times of the day and days of the week: if you test over a weekend, you may be surprised to learn that the office next door has machinery that only operates during the week. In the event of unexplained poor signal quality, use a spectrum analyzer to determine whether interference is affecting the survey tests.


Figure 2-1 Example indoor range comparisons

[Figure 2-1 shows typical indoor ranges by data rate for an AP at 5 GHz/40 mW and at 2.4 GHz/100 mW: 11 Mbps to 130 ft, 5.5 Mbps to 180 ft, 2 Mbps to 250 ft, 1 Mbps to 350 ft; and, as a radius, 54 Mbps at 40–60 ft, 48 Mbps at 70–90 ft, 36 Mbps at 90–110 ft, 24 Mbps at 110–125 ft, 18 Mbps at 125–135 ft, 12 Mbps at 135–150 ft, 9 Mbps at 150–165 ft, 6 Mbps at 165–300 ft. Antennas: omni 2.2 dBi (2.4 GHz) and omni 5 dBi (5 GHz) on the AP; omni 0 dBi (2.4 GHz) and patch 5 dBi (5 GHz) on the client. Distances vary greatly because of building layouts.]

Figure 2-2 Evaluate possible problem areas

[Figure 2-2 marks typical problem areas on a floor plan: break room (microwave ovens), file/supply room (large filing or metal cabinets), stairwells (reinforced building area), elevator shafts, test lab.]

Figure 2-3 on page 11 and Figure 2-4 on page 11 illustrate starting a site survey from the outside edge looking into the building. The following steps tell you how to create the site survey shown in the figures.

1. Place an access point at point A.

2. Measure the maximum range (inside building) using the mobile computer radio strength monitor.

3. Move the access point to the center of that arc (point B).

4. Continue with the other 4 corners.

5. Complete the center areas.

Figure 2-3 Site survey from the outside looking in - 1

Figure 2-4 Site survey from the outside looking in - 2

[Figures 2-3 and 2-4 show the floor plan with the AP first placed at corner point A, then moved to point B at the center of the measured coverage arc, and the resulting cells assigned channels 1, 6, and 11.]
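The steps above produce a coverage plan; the channel plan then has to keep adjacent cells on channels 1, 6 and 11 (Figure 2-4). The following Python is an added example, not from the Redpaper, that models each access point as a circular cell of the surveyed radius, reports pairs of overlapping cells whose 2.4 GHz channels interfere, and assigns non-overlapping channels by greedy graph colouring, which is the general form of the 1/6/11 pattern in the figure. The floor layout (a 240 x 240 ft floor with four corner APs and one in the center, 100 ft cells, all shipped on channel 6) is constructed sample data; the measured cells from step 5 of the survey, not circles, are what you would really feed in.

```python
"""2.4 GHz channel conflicts and a non-overlapping channel plan.

Added example, not part of the Redpaper. The floor layout, cell radius and
initial channel settings are constructed sample data.
"""
import itertools
import math

# 802.11b/g channels sit 5 MHz apart and each occupies about 22 MHz, so two
# channels are only clear of each other when at least 5 apart: hence 1, 6, 11.
NON_OVERLAPPING_2_4GHZ = (1, 6, 11)

# Constructed survey result: name, position in feet, channel as shipped.
SAMPLE_APS = [
    {"name": "NW", "pos": (0, 0), "channel": 6},
    {"name": "NE", "pos": (240, 0), "channel": 6},
    {"name": "SW", "pos": (0, 240), "channel": 6},
    {"name": "SE", "pos": (240, 240), "channel": 6},
    {"name": "center", "pos": (120, 120), "channel": 6},
]


def channels_interfere(c1, c2):
    """True when two 2.4 GHz channel numbers share spectrum."""
    return abs(c1 - c2) < 5


def cells_overlap(ap_a, ap_b, radius):
    """True when two circular cells of the given radius intersect."""
    (x1, y1), (x2, y2) = ap_a["pos"], ap_b["pos"]
    return math.hypot(x1 - x2, y1 - y2) < 2 * radius


def find_conflicts(aps, radius):
    """Pairs of APs whose cells overlap *and* whose channels interfere."""
    return [
        (a["name"], b["name"])
        for a, b in itertools.combinations(aps, 2)
        if cells_overlap(a, b, radius) and channels_interfere(a["channel"], b["channel"])
    ]


def plan_channels(aps, radius, channels=NON_OVERLAPPING_2_4GHZ):
    """Greedy colouring: most-constrained AP first, each gets the first channel
    no already-planned neighbour uses. Raises when the layout needs more than
    the available channels, which means an AP must move or reduce power."""
    neighbours = {a["name"]: set() for a in aps}
    for a, b in itertools.combinations(aps, 2):
        if cells_overlap(a, b, radius):
            neighbours[a["name"]].add(b["name"])
            neighbours[b["name"]].add(a["name"])
    plan = {}
    for ap in sorted(aps, key=lambda a: -len(neighbours[a["name"]])):
        used = {plan[n] for n in neighbours[ap["name"]] if n in plan}
        free = [c for c in channels if c not in used]
        if not free:
            raise ValueError(f"{ap['name']} overlaps cells on all of {channels}")
        plan[ap["name"]] = free[0]
    return plan


def apply_plan(aps, plan):
    """Copy of the AP list with channels set from the plan."""
    return [{**ap, "channel": plan[ap["name"]]} for ap in aps]


if __name__ == "__main__":
    radius = 100
    print("conflicts as shipped:", find_conflicts(SAMPLE_APS, radius))
    plan = plan_channels(SAMPLE_APS, radius)
    print("channel plan:", plan)
    print("conflicts after plan:", find_conflicts(apply_plan(SAMPLE_APS, plan), radius))
```

The interference rule is specific to 2.4 GHz channel numbering; the planner itself only needs the neighbour graph, so a different `channels` tuple and interference rule cover other bands. When `plan_channels` raises, the fix is physical (move an AP, lower its transmit power, or drop one) rather than a different channel assignment.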


Chapter 3. Details of architecture

This chapter describes the client profile to which our wireless solution applies. We step through an example architectural design process to determine software and hardware requirements for the solution. Additionally, we provide a brief review of network protocols and standards, which you can use to help determine the level of wireless security to implement.


3.1 Context diagram

Our goal is to provide guidance on how to build a secure wireless LAN for a small and medium sized business (SMB) client, and how to later extend access to company network resources to mobile employees.

Keeping in mind that each client’s situation is unique, we nevertheless believe that with our design, we can address the majority of common requirements of medium size SMB customers.

We assumed the following generic profile for an SMB client:

• 100 - 999 employees

• Up to 25% mobile employees

• An Ethernet wired LAN exists in some parts of the company, with access to the Internet

• The company maintains its own wired LAN (or the network is outsourced to an ISP)

• Limited IT budget

• Limited IT staff and skills

• IT services typically acquired from a local IT services company

Figure 3-1 illustrates the context for our project.

Figure 3-1 Secure wireless LAN and mobile access context diagram

[Figure 3-1 shows the existing Ethernet LAN and the new Wi-Fi LAN inside the company, giving access to the company's private networks, applications and IT resources (applications, printers, and so on); outside, mobile employees on laptops at home, in hotels, restaurants and airports, and on the road reach the same resources over the Internet, with roaming to the company's private network.]

3.2 Summary of the project

This project implements secure wireless mobility for an SMB company in a medium sized market (100-999 employees) in two phases:

Phase I: In-building wireless LAN

Secure access to the company's internal network and its resources for employees with wireless client devices within the company's premises.1

Phase II: Mobile access to wireless LAN

Secure access to company's internal network and its resources for employees with wireless client ThinkPads from anywhere outside of the company:

– From home

– From public hot spots

– Through the WAN

3.3 Design points and architectural decisions in SMB environment

We follow a simple methodology to arrive at a suitable solution for the client.

1. Identify the client's needs and wants by analyzing their business initiatives and existing environments. For more details, see 3.3.1, “Identify client's needs and wants” on page 15.

2. Based on client needs and wants and any constraints, describe functional and non-functional requirements for the new solution. For more details, see 3.3.2, “Describe functional and non-functional requirements for a new solution” on page 16.

3. Based on functional requirements, create use cases from which to design the appropriate system architecture. For more details, see 3.3.3, “Create use cases to eventually design appropriate system architecture” on page 18.

4. Based on functional and non-functional requirements, choose the appropriate technology and runtime environment for the solution. For more details, see 3.3.4, “Choose appropriate technology and runtime of the solution” on page 20.

5. Perform product mapping. For more details, see 3.3.5, “Perform product mapping” on page 22.

6. Create an operational model as the base for the deployment of the solution. For more details, see 3.3.6, “Create operational model as the base for the deployment of the solution” on page 25.

7. Describe details of the deployment and configurations.

3.3.1 Identify client's needs and wants

The first step in building a system that addresses a customer's needs is to understand the business initiatives the new system must support, as well as the existing IT environment.

We build our system using the analysis of a “sample SMB client” as an example.

Business initiatives of a sample SMB client

1. Cost-efficiently extend the company network to new departments.

2. Give company employees seamless mobile access to business applications and internal network resources.

1 For wireless LANs between buildings, please refer to the documentation at http://www.cisco.com


Analysis of environments of a sample SMB client

The network environment

• A wired Ethernet LAN exists with access to the Internet (most likely via a local ISP service).

• Internal and external networks are separated by security architecture (firewalls).

• There are no wireless networks yet.

The security environment

• All applications and resources have basic security services such as identification and authentication, authorization, privacy, and confidentiality.

• Microsoft Active Directory is in use.

• Windows 2000 Server or Windows 2003 Server Enterprise Edition is used for the domain controller.

• Implementing the wireless LAN, and later on mobile access, must integrate into the existing security policy and provide the same or stronger security characteristics.

The mobile environment

• The company has a growing population of mobile employees but no mobile access to company resources enabled yet.

• Mobile employees are not a homogeneous group of users and may need to access different applications.

• Initially the only mobile device they will use is a mobile computer, but this may need to extend to PDAs or other handheld devices.

The application environment

This typically describes the application architecture, the programming model, communication protocols, application security, and the target device for each of the applications. As this varies from client to client, we assume that access to the existing applications and network resources remains unchanged both from the wireless LAN and through the extension to remote mobile access.

3.3.2 Describe functional and non-functional requirements for a new solution

Analysis of the client's business initiatives and other pertinent information (discussions about client needs and wants, their budget and current way of doing business, as well as an understanding of their IT environment) serves as input to documenting functional and non-functional requirements for the new system.

Functional requirements

The functional requirements are typically gathered from the client's wants and needs. They address the functionality of the new system and provide direct input for the use case model. They simply describe WHAT the system will do.

In our case we focus on two major functional requirements that limit the scope to wireless network design and mobile access to the network, without specifics of accessing any of the back-end applications. Thus, the method of accessing applications will remain unchanged.

Functional requirements for wireless LAN and mobile access:

• Secure and authorize in-building access to the existing company Ethernet LAN resources and applications from wireless client devices for all employees.

• Enable remote access to the company's network resources while assuring “application persistence” (the connection to the application does not drop when the physical network is not available) from wireless clients anywhere outside of company premises.

Non-functional requirements

Non-functional requirements address functions that influence the underlying system architecture. They describe the HOW of the system.2

We will build an in-building wireless LAN and later enable remote access to the company's intranet, keeping the following non-functional requirements in mind.

Table 3-1 Non-functional requirements

Availability
Definition of the requirement: High availability minimizes the risk of an outage and increases the availability of network and mobile access systems. Depending on the client situation, a system outage can be costly.
Client situation: 7 x 24 availability is not critical yet, but it is anticipated to become a requirement as the business grows and more employees depend on the wireless network and remote connectivity for their jobs.

Performance
Definition of the requirement: Performance influences user experience and can impact usability of the entire system. Some factors to watch for are required data throughput, number of users, and system loads.
Client situation: It is expected that the end user will not experience any significant performance degradation while accessing the system through the wireless LAN or remotely, as compared with access from the wired LAN. The client does not require unusually high data throughput applications. The client understands the impact of wireless communication on system performance (shared bandwidth, remote access communication link limitations, and so on).

Extensibility/Flexibility
Definition of the requirement: Extensibility/Flexibility is the ability to extend the mobile access system with new services. New emerging technologies and business requirements demand a maximum of flexibility.
Client situation: Currently only notebook PCs are used as mobile clients; however, the client plans to implement other pervasive devices in the near future.

Maintainability
Definition of the requirement: The ease of maintaining a critical system, such as a mobile access service, is important. Good maintainability is a key factor for a robust system.
Client situation: Limited IT staff and skills require that the solution is easy to administer and easy to maintain.

Scalability
Definition of the requirement: Since business goals and user needs will change over time, scalability addresses the ability to react in order to reduce cost and effort.
Client situation: The client plans to grow the business in a short time and expand the mobile workforce. The need to expand the wireless LAN is likely.

Security
Definition of the requirement: In order to provide secure access to mobile devices, the mobile access system itself must be secure. A secure operating system and secure network access to the mobile access service are essential.
Client situation: The main issue for the client is to prevent unauthorized access to the company's network and assure secure data transfer over wireless network connections. Because a mobile access service will bridge an outside network to the internal network, security is an essential requirement. The mobile access service itself must run in a secure environment and be able to adopt the company security standard.

2 Non-functional requirements for mobile access are described in the IBM redbook IBM WebSphere Pervasive Access Patterns, SG24-6315, chapter 15.


Additionally, while designing a wireless LAN, the physical location of the network components is critical and must be planned based on a detailed survey of the client building. Data collected during the site survey complements the client analysis already available, in particular the non-functional requirements and constraints, and directly affects the wireless LAN design. As site survey results vary from client to client, refer to 2.2.1, “Site survey” on page 7 for details on performing a site survey.

3.3.3 Create use cases to eventually design appropriate system architecture

Use cases describe the functional requirements of the system. They are used as inputs for the system design and describe the potential uses of the solution delivered to the client. It is good practice to use them as the final solution test to see whether the system performs as required. Such tests can be used to demonstrate the final solution to the client at the end of the project and be treated as an acceptance case.

Table 3-2, Table 3-3, and Table 3-4 on page 19 contain examples of use cases.

Table 3-2 Use case - example 1

Criteria / Actions/Results

Use case name: Start using business application via wireless LAN while in the office

Business event: User starts his working day, turns on the computer and starts using the applications.

Actor(s): User

Use case association: Authentication use case

Preconditions: All network configurations (client and server side), encryption keys and authentication credentials installed and configured prior to login to the application.

Termination outcomes:
1. Application access successful
   – Notebook functional
   – Wireless LAN available
   – Authentication successful
2. Application access failed
   – Problems with notebook
   – Wireless LAN not available
   – Authentication was not successful

Use case description (flow of events):
1. User turns on the notebook.
2. Notebook associates with Access Point.
3. Authentication credentials are exchanged between the user notebook and the Remote Authentication Dial-In User Service (RADIUS) server.
4. Authentication completed successfully.
5. Login page for user application displayed.

Table 3-3 Use case - example 2

Criteria / Action/Results

Use case name: User resumes working from home wireless LAN

Business event: After arriving at home, user resumes working with the same application as in the office.

Actor(s): User

Use case association: Authentication use case

Preconditions:
• WECM installed and configured to accept IP from outside the company firewall
• ACS installed and configured to authenticate the ThinkPad and the user
• ThinkPad Access Connections profile set up to establish a connection with the wireless network at home
• Wireless network at home available

Termination outcomes:
1. Application access successful
   – Notebook functional
   – Internet access available
   – Authentication successful
2. Application access failed
   – Problems with notebook
   – Problems with access from home to the Internet
   – If accessing enterprise applications fails, then the corporate network could be down

Use case description (flow of events):
1. User turns on the notebook.
2. Access Connections connects the user to the wireless network at home.
3. VPN connection established (WECM).
4. Application login page is displayed.

Table 3-4 Use case - example 3

Criteria / Action/Results

Use case name: User resumes working from a public hot spot

Business event: User leaves home with the notebook and meets with the client in a coffee shop with public wireless Internet access.

Actor(s): User

Use case association: User resumes working from home wireless LAN

Preconditions:
• An active account with a public hotspot service provider
• WECM installed and configured to accept IP from outside the company firewall
• ACS installed and configured to authenticate the ThinkPad and the user
• ThinkPad Access Connections profile set up to establish a connection with the wireless network at the hot spot
• After working at home, notebook suspended but not turned off

Termination outcomes:
1. Application access successful
   – Notebook functional
   – Sign on and authenticate to the public hotspot service provider
   – Internet access available
   – Access to application resumed without the need to re-authenticate and log on again
2. Application access failed
   – Problems with notebook
   – Problem with authenticating to the public hotspot
   – Problems with access to the Internet
   – Application server could be down

Use case description (flow of events):
1. User "wakes up" the notebook.
2. Access Connections connects the user to the hot spot.
3. Application becomes alive.

3.3.4 Choose appropriate technology and runtime of the solution

The architectural decision provides documentation that describes the underlying decisions that give the system architecture its desired characteristics, based on both functional and non-functional requirements and constraints. It provides a basis for appropriate system design and technology choices.

Table 3-5 is an example of an architectural decision document for the SMB secure wireless LAN.

Table 3-6 on page 21 is an example of an architectural decision document for mobile access.

Table 3-5 Architectural decision - SMB secure wireless LAN

Subject area: Wireless LAN Security

Architectural decision: Security of our Wireless LAN is based on the IEEE 802.1x Extensible Authentication Protocol (EAP) framework recommendations, and will address encryption through WPA TKIP (RC4) (with direction to WPA2 AES when available) and authentication through either Cisco LEAP or MS PEAP. Enhanced security through the on-board ESS card on IBM ThinkPads.

Issue or problem: The main caveat in implementing a relatively cost-effective wireless network is the complex issue of assuring the required level of security. SMB customers require strong security but do not want to deal with complex deployment issues.

Alternatives:
1. Wired Equivalent Privacy (WEP)
2. Cisco proprietary authentication
3. Wi-Fi Alliance authentication protocols
4. Protocols that require digital certificates from a 3rd-party certificate authority

Justification: Authentication protocols were chosen with SMB customers in mind: robust authentication/security combined with ease of implementation/administration and use.
• Cisco LEAP is the de facto standard in the SMB market and provides an easy transition to Cisco EAP-FAST once it is fully supported by all components in our network.
• MS PEAP is a Wi-Fi standard. The MS implementation rather than Cisco PEAP was chosen for ease of implementation (no need to acquire a 3rd-party digital certificate for the RADIUS server) and support for single sign-on capability for Windows OS.
• WPA TKIP is the standard Wi-Fi encryption currently in use and supported for interoperability by many wireless devices. WPA2 will be included in the future.

Please see 3.4, "Wireless LAN security considerations" on page 25 for more information.


Table 3-6 Mobile access

Subject area: Enabling Remote Access for Mobile Employees

Architectural decision: The mobile access service enables mobile and remote workers to access corporate applications and information. The service is provided through WebSphere Everyplace Connection Manager.

Issue or problem: Need to enable secure access to all company network resources, including applications and data, from any location outside of the company premises. Want to use a ready product to handle the required functionality.

Alternatives:
1. Point-to-Point Connectivity - This alternative connects the mobile client directly and individually to each necessary enterprise system and data source using the protocol best suited for that system.
2. Existing Virtual Private Network (VPN) - This alternative would use an existing VPN used for remote access for PCs and mobile devices.
3. Reverse Proxy - A reverse proxy can act as a gateway accessible from the Internet using an existing network link to the Internet.

Justification: Enabling access to the intranet through mobile access services helps avoid inconsistent and unmanageable connectivity and security issues. WECM was tested to provide seamless roaming capabilities while always maintaining the user session for the majority of networks. It acts as a software VPN, providing strong encryption and data compression.

To properly design a wireless LAN, in addition to understanding functional and non-functional requirements, perform a detailed client site survey. Data collected during the site survey complements the already available client analysis, in particular the non-functional requirements and constraints, and directly impacts the wireless LAN design. Site survey results will vary from client to client, so refer to 2.2.1, "Site survey" on page 7 for a discussion on performing a site survey.

Reuse of assets: Using Patterns for e-Business [3]

To help with the design and the deployment of e-business solutions, IBM developed the IBM Patterns for e-business. These Patterns are based on the collective experiences of IBM IT architects. Their purpose is to capture and publish e-business artifacts that were used, tested, and proven. The information the patterns capture is assumed to fit most typical scenarios.

We will apply the Patterns for e-business approach to get to a common architecture baseline for enabling connectivity to the company intranet resources. [4]

Typically the first step in using Patterns for e-business is to understand the required functionality of the system and to find the Application pattern that reflects such a scenario. Each Application pattern has a Runtime pattern associated with it, which on an abstract level recommends the logical nodes of the architecture and their placement in the overall network structure.

We are concerned with enabling secure connectivity to the intranet. This scenario is in fact about how to provide an infrastructure service that comes into consideration with networking and can be applied to any of the Application patterns that require pervasive and secure connectivity.

[3] To learn more about Patterns for e-business, please refer to the IBM Redpaper Introduction to Patterns for e-business, REDP-3836.

[4] We consulted the IBM Redbook IBM WebSphere Pervasive Access Patterns, SG24-6315, for the connectivity and access part of the pattern architecture. This part of the pattern describes mobile access services which enable mobile devices to connect to the company's existing infrastructure.


In the IBM Redbook IBM WebSphere Pervasive Access Patterns, SG24-6315, chapter 15 describes the connectivity and access part of the pattern architecture. It consists of mobile access services that enable mobile devices to connect to the enterprise infrastructure. The connectivity and access node accommodates different services specific to a mobile environment. This runtime pattern also depicts the location of the Directory and Security Services node. See Figure 3-2.

Figure 3-2 Runtime pattern for the secure wireless LAN configuration

3.3.5 Perform product mapping

The Connectivity and Access for Pervasive Services node is placed in the DMZ. Based on the environment data gathered during client analysis, we know that the client may not have a DMZ. If establishing a DMZ is not an option, we would place the Connectivity and Access for Pervasive Services node (the WECM server [5]) behind the firewall. Details of the implementation are described in Chapter 4 of this Redpaper.

Figure 3-2 (node labels recovered from the figure): Outside World: User, ISP Gateway (Pervasive services), Client with Pervasive client services; Protocol Firewall; Demilitarized Zone (DMZ): Connectivity and Access for Pervasive services, Web server redirector; Domain Firewall; Internal Network (Company private intranet): Directory and Security Services, Data services.

[5] WebSphere Everyplace Connection Manager requires access to directory services and the database for configuration purposes and for maintaining user session data.

Figure 3-3 Product mapping for the secure wireless LAN configuration

WECM supports various implementation topologies (single server, clusters and distributed environments) [6]. WECM requires access to directory services and a database for configuration purposes and for maintaining user data. If deployed in a single server configuration in a DMZ, as shown in Figure 3-4, the directory services and database in the DMZ must not contain any sensitive user data (profiles, credentials, and so on). The user information required for authentication and authorization is stored in the Directory and Security Services node behind the domain firewall in the internal network.

Figure 3-4 Connectivity runtime environment for a sample SMB client

After you make the major architectural decisions, document how the features and functions of the chosen technology components address the desired characteristics of the new system.

Table 3-7 on page 24 maps the impact of product components to the non-functional requirements listed in Table 3-1 on page 17.

[6] Refer to the IBM Redbook IBM WebSphere Everyplace Connection Manager Version 5 Handbook, SG24-7049-00, for detailed WECM server planning and implementation.

Figure 3-3 and Figure 3-4 (labels recovered from the figures): Pervasive client services (Outside World): Windows XP, Access Connections V3.53, WECM V5.1 Client. Connectivity and Access for Pervasive Services (DMZ, between the Protocol Firewall and the Domain Firewall): SuSE Linux 9.0, WECM V5.1, OpenLDAP, DB2 UDB Express V8.2. Directory and Security Services (Internal Network): Windows 2003 Enterprise Server, MS Active Directory, DHCP, Cisco Secure ACS V3.3.1. Figure 3-4 labels: Ethernet LAN, Wireless LAN, Firewall, Pervasive Client Services, Connectivity and Access for Pervasive Services, Directory and Security Services, Data Services, Company private Intranet.

Table 3-7 Mapping of non-functional requirements to components of our system

Columns: An SMB sample client non-functional requirement / Wireless LAN / Mobile Access Service

Availability
  Wireless LAN: All hardware components of the Wireless LAN have high RAS features (Cisco Integrated Switch Router, Access Points and RADIUS server deployed on an IBM xSeries server). If desired, the RADIUS server could be configured in an HA cluster.
  Mobile Access Service: WECM runs on a reliable Linux OS on an IBM xSeries server with high RAS features. If desired, it could be configured in an HA cluster.

Extensibility/Flexibility
  Wireless LAN: The current design of the Wireless LAN could be used as a building block for a larger wireless network, based on the client's needs to:
    • Extend to subsegments
    • Deploy on different floors of the building
    • Bridge to different buildings
  The modular architecture of the Cisco Integrated Switch Router provides a base to extend the current simple switch capabilities to accommodate more Access Points and expand to provide router functionality. The Cisco ACS RADIUS server has rich functionality to provide authentication for a large number of users and devices.
  Mobile Access Service: A comprehensive programming reference and toolkit allows you to extend connection services to practically any wireless mobile device and provides support for seamless roaming through practically any available network.

Maintainability
  Wireless LAN: All network components have easy-to-use administrative interfaces.
  Mobile Access Service: The WECM administrative user interface, Gatekeeper, enables you to define and manage wireless resources, register users and devices, and perform other administrative tasks.

Reliability
  Wireless LAN: The Cisco ACS server is deployed on a reliable IBM eServer xSeries that features high RAS.
  Mobile Access Service: WECM is deployed on a reliable Linux OS and an IBM eServer xSeries that features high RAS.

Scalability
  Wireless LAN: Scalability through 1 to 2 processors for the Cisco ACS server. Possibility to add more Access Points. The modular architecture of the Cisco Integrated Switch Router supports scalability.
  Mobile Access Service: WECM is deployed on an xSeries server model x226 that can scale from 1 to 2 processors. In addition, WECM supports scalability through clustering.

Security
  Wireless LAN: IEEE 802.1x Extensible Authentication Protocol framework, WPA encryption, LEAP or PEAP authentication, ESS card on notebooks. Standard enforced client security: hardware password, Windows password, etc.
  Mobile Access Service: Government's highest security certification (FIPS 140-2 certification). Strong encryption. Strong authentication.

Performance
  Wireless LAN: Use of high-throughput 802.11a/g Access Points (with backward compatibility to 802.11b) with built-in omnidirectional antennas for improved, reliable coverage of the WLAN space.
  Mobile Access Service: The following WECM features directly impact performance:
    • Compress IP data.
    • Increase the effective data rate.
    • Eliminate unnecessary protocol headers.
    • Optimize the number of messages sent.
    • Disconnect-reconnect, dynamically, to lower connection fees.
    • Optimize TCP communications to reduce retransmissions.

3.3.6 Create operational model as the base for the deployment of the solution

• An operational model defines the involved computers, networks, and other platforms on which the application will execute and by which it is managed.
• An operational model links the conceptual design with the deployment phase of the project.
• An operational model serves as a base for the walk-through of sample use cases with the client.

3.4 Wireless LAN security considerations

The information explosion and technology revolution are fueling the growth in wireless computing, resulting in employee mobility as the rule. Existing IT infrastructures can now be extended without adding cables, resulting in unprecedented communication paradigms, ultimately increasing a company's efficiency and productivity. However, adopting wireless technology has some challenges that are not present in wired environments.

In a mobile environment, the following are the key concerns for corporations implementing wireless technology:

• Wireless infrastructure security on the device and the data contained in it
• Encryption key management
• Performance

Unlike a wired LAN, WLANs intentionally propagate data over an area that often exceeds the boundaries that are physically controlled by an organization. Although no one can guarantee a completely secure wired networking environment that prevents all penetrations at all times, wireless security concerns are heightened because interception of radio signals is trivial for anyone with a Wi-Fi radio, while wired LANs require physical access to hack into the network. This means that anyone using a Wi-Fi radio or equipment in proximity of the WLAN can connect to the network if the network does not employ security mechanisms to prevent them from doing so.

3.4.1 Wireless infrastructure security on device and data contained within

802.11's built-in security mechanism, the Wired Equivalent Privacy (WEP) protocol, has several serious security flaws. WEP uses a static secret key, shared between an access point and a mobile system, which is at the root of the well-documented security vulnerabilities. If the WEP keys are not updated often, an unauthorized person with a sniffing tool, such as AirSnort or WEPCrack, can monitor a WLAN for less than a day and decode the encrypted messages. Intruders have ready access to tools that crack WEP keys, enabling an attacker to passively monitor and analyze packets of data and then use this information to break the WEP key that encrypts the packets. WEP only provides one-way authentication (client to Access Point), which opens up the possibility of man-in-the-middle attacks because the Access Point (AP) is not required to prove who it is. This security vulnerability is addressed in section 3.4.4, "Protocol and Standards" on page 26, where we discuss mutual authentication and dynamic encryption keys in more detail.

3.4.2 Encryption key management

Most wireless devices are mobile and open to physical theft, which could compromise data stored on the client devices or allow network access to an unauthorized user. The security features of the IBM Embedded Security Subsystem (ESS), an exclusive cryptographic solution, provide hardware protection of credentials for industry-leading security. Network managers can prevent unauthorized access to data stored on a lost or stolen system, decrease risks to the network, and increase WLAN security. ESS requires the user to authenticate to the system and securely stores wireless certificates and credentials. This offers the best available protection against hacker break-in and unauthorized network access. For more information about the ESS chip, please visit the following Web site.

http://www-306.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-46391

3.4.3 Performance

As mobile users adopt wireless technology, they will also expect the same quality of service realized with wired communications. The Institute of Electrical and Electronics Engineers (IEEE) defines the 802.11 standard for wireless LAN (WLAN). Two data throughput rates are specified on separate frequencies (5 GHz and 2.4 GHz); depending on the IT environment, the frequency used may impact range, ultimately decreasing throughput. Wireless network designers must also consider potential interference in the 2.4 GHz Industrial, Scientific and Medical (ISM) band from Bluetooth, cordless phones, and microwaves when deploying a wireless LAN. These concerns are discussed in the Site Survey section.

The security and performance of the client device and the wireless infrastructure impact the entire wired LAN network. The following sections address wireless network security details and best practices to increase the security and performance of a Wireless LAN.

3.4.4 Protocol and Standards

The IEEE defines the 802.11a (54 Mbps) physical layer standard for WLANs in the 5 GHz radio band and 802.11b (11 Mbps) / 802.11g (54 Mbps, backward compatible with b), both operating in the 2.4 GHz spectrum. The first wireless LAN standard introduced to the market by the IEEE was 802.11b, which incorporates the Wired Equivalent Privacy (WEP) security protocol. However, as mentioned in section 3.4.1, "Wireless infrastructure security on device and data contained within" on page 26, several serious security flaws were discovered in the WEP protocol. In addition to the shared static key vulnerability, key management is an issue because WEP keys must be pre-shared, which requires that every Access Point in the network gets updated whenever a key is changed. The security vulnerabilities and lack of encryption key management presented numerous challenges and increased interest in secure enterprise deployment of wireless LAN technology.

3.4.5 Encryption and authentication

Wireless security consists of two components: encryption and authentication. Encryption makes intercepted network traffic unintelligible. Authentication is the process by which the proper credentials and the identity of a device are verified prior to completing a network connection. To address the confidentiality issue with wireless LANs for enterprise deployment, the IEEE 802.11 standards committee created an open industry standard to replace the inadequate WEP encryption.

Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) is a proactive response by the industry to offer an immediate and strong security solution, which provides a strong mechanism for authentication and the centralized key management required to address the vulnerabilities of WEP. WPA is a subset of the state-of-the-art 802.11i security standard, which will support the most advanced encryption available, the Advanced Encryption Standard (AES).

WPA encryption is significantly strengthened by a fast re-keying algorithm called Temporal Key Integrity Protocol (TKIP). Unlike the WEP static key, TKIP implements per-packet dynamic keys that are updated every 10,000 packets to further enhance security. TKIP is designed for software upgradeability of existing hardware. The future IEEE 802.11i security standard will provide the most robust encryption for new deployments with the support of Counter Mode with CBC-MAC Protocol (CCMP). CCMP is based on the Advanced Encryption Standard (AES) and offers the highest level of data protection.

WPA also supports IEEE 802.1x, a standard for port-based access control that provides the framework for mutual authentication between a client and a Remote Authentication Dial-In User Service (RADIUS) server (either LDAP or Active Directory based) as well as encryption key distribution on wired and wireless networks. 802.1X also ties a protocol called EAP (Extensible Authentication Protocol) to wireless LAN media and supports multiple authentication methods, such as token cards, one-time passwords, certificates, and public key authentication. EAP communicates authentication information and encryption keys between a client (supplicant) and an access control server. The credentials used for authentication, such as logon passwords, are never transmitted without encryption over the wireless medium.

Several different EAP authentication protocols are used in practice: EAP-TLS, Protected Extensible Authentication Protocol (PEAP), Lightweight Extensible Authentication Protocol (LEAP), and Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS), all of which operate on top of 802.1x, as shown in Figure 3-5 on page 28. Cisco was the first company to come out with a pre-standard 802.1x EAP solution to address the issues identified in WEP. Cisco developed a proprietary security solution that provides full support for WPA and its building blocks of 802.1X and TKIP. In addition to full WPA support, Cisco's proprietary wireless-network security standard implements LEAP. We discuss LEAP in detail in the following section; however, to obtain specific information about the other EAP authentication protocols listed above, see the PEAP, EAP-FAST, Cisco LEAP and EAP-TLS Comparison Chart or the Cisco white paper titled Cisco SAFE Wireless LAN Security in Depth. It can be found at the following Web site.

http://www.cisco.com/go/safe


Figure 3-5 Security protocol layers

Cisco LEAP

Cisco LEAP is the widely deployed EAP type in WLANs today. LEAP supports all three of the 802.1X and EAP elements: mutual authentication, dynamic encryption keys, and centralized policy control. With LEAP, mutual authentication relies on a shared secret, the user's logon password, which is known by the client and the network. As shown in Figure 3-6 on page 29, the RADIUS server sends an authentication challenge to the client. The client uses a one-way hash of the user-supplied password to fashion a response to the challenge and sends that response to the RADIUS server. Using information from its user database, the RADIUS server creates its own response and compares that to the response from the client. When the RADIUS server authenticates the client, the process repeats in reverse, enabling the client to authenticate the RADIUS server. When this is complete, an EAP-Success message is sent to the client and both the client and the RADIUS server derive the dynamic WEP key.

For more details see the Cisco white paper, Cisco SAFE Wireless LAN Security in Depth.

http://www.cisco.com/go/safe

Figure 3-5 (layer labels recovered from the figure): Upper Layer Authentication Protocols; 802.1X; CCMP and TKIP.

Figure 3-6 LEAP authentication process

In Figure 3-6:

1. Client associates with Access Point

2. Access point blocks all user requests to access the LAN

3. User provides login authentication credentials

4. RADIUS server authenticates user

5. User authenticates RADIUS server

6. RADIUS server and client derive unicast WEP key

7. RADIUS server delivers unicast WEP key to Access Point

8. Access Point delivers broadcast WEP key encrypted with unicast WEP key to client

9. Client and Access Point activate WEP and use unicast and broadcast WEP keys for transmission
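The mutual challenge/response of steps 3 to 6 above, as an added example that is not part of the original document and is not Cisco's code: a simplified Python model in which HMAC-SHA256 stands in for the MS-CHAP style computation real LEAP uses, and in which RadiusServer, Supplicant, RogueServer and run_exchange are this example's own names. It shows why the second half of the exchange matters: a server that never proves knowledge of the shared secret is refused by the client and no session key is derived.

```python
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """Shared secret: one-way hash of the logon password (client and RADIUS DB)."""
    return hashlib.sha256(b"leap-model|" + password.encode()).digest()


def challenge_response(secret: bytes, challenge: bytes, direction: bytes) -> bytes:
    """Answer a challenge; the direction label prevents cross-direction replay."""
    return hmac.new(secret, direction + challenge, hashlib.sha256).digest()


def derive_session_key(secret: bytes, server_chal: bytes, client_chal: bytes) -> bytes:
    """Stand-in for the dynamic WEP key of step 6: fresh per login, from both challenges."""
    return hmac.new(secret, b"session|" + server_chal + client_chal,
                    hashlib.sha256).digest()[:16]


class RadiusServer:
    """Server side of steps 3 to 6; user_db maps username -> password hash."""

    def __init__(self, user_db: dict):
        self.user_db = user_db

    def start(self, username: str) -> bytes:
        """Step 3: issue a fresh random challenge for this login attempt."""
        self.username, self.server_chal = username, os.urandom(16)
        return self.server_chal

    def verify_client(self, response: bytes) -> bool:
        """Step 4: recompute the expected response and compare in constant time."""
        secret = self.user_db.get(self.username)
        if secret is None:  # unknown user fails the same way as a bad password
            return False
        return hmac.compare_digest(
            challenge_response(secret, self.server_chal, b"c2s"), response)

    def prove_identity(self, client_chal: bytes) -> bytes:
        """Step 5: answer the client's challenge; a rogue AP cannot do this."""
        return challenge_response(self.user_db[self.username], client_chal, b"s2c")

    def session_key(self, client_chal: bytes) -> bytes:
        return derive_session_key(self.user_db[self.username],
                                  self.server_chal, client_chal)


class RogueServer(RadiusServer):
    """Server without the secret: accepts any response, can only guess its own."""

    def verify_client(self, response: bytes) -> bool:
        return True

    def prove_identity(self, client_chal: bytes) -> bytes:
        return os.urandom(32)


class Supplicant:
    """Client side: knows only the user's password."""

    def __init__(self, username: str, password: str):
        self.username, self.secret = username, password_hash(password)

    def answer(self, server_chal: bytes) -> bytes:
        return challenge_response(self.secret, server_chal, b"c2s")

    def challenge(self) -> bytes:
        self.client_chal = os.urandom(16)
        return self.client_chal

    def verify_server(self, response: bytes) -> bool:
        return hmac.compare_digest(
            challenge_response(self.secret, self.client_chal, b"s2c"), response)

    def session_key(self, server_chal: bytes) -> bytes:
        return derive_session_key(self.secret, server_chal, self.client_chal)


def run_exchange(client: Supplicant, server: RadiusServer) -> dict:
    """Drive steps 3 to 6; the AP only relays EAP and stays blocked until success."""
    result = {"client_authenticated": False, "server_authenticated": False,
              "keys_match": False}
    server_chal = server.start(client.username)
    if not server.verify_client(client.answer(server_chal)):
        return result  # EAP-Failure: no key is derived, port stays blocked
    result["client_authenticated"] = True
    client_chal = client.challenge()
    if not client.verify_server(server.prove_identity(client_chal)):
        return result  # client refuses a network that cannot prove itself
    result["server_authenticated"] = True
    result["keys_match"] = hmac.compare_digest(
        client.session_key(server_chal), server.session_key(client_chal))
    return result


# Constructed sample user database, not taken from the document.
USER_DB = {"jsmith": password_hash("correct horse battery staple")}
```

Because every response is a deterministic function of the password hash and the challenge, the strength of the user's password is what this scheme rests on, which is one reason the decision in Table 3-5 plans a transition to EAP-FAST.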

PEAP

PEAP is an Internet Engineering Task Force (IETF) draft request for comment (RFC) authored by Cisco Systems, Microsoft, and RSA Security. PEAP uses a digital certificate for server authentication. For user authentication, PEAP supports various EAP-encapsulated methods within a protected transport layer security (TLS) tunnel. PEAP supports the three main elements of 802.1X/EAP: mutual authentication, dynamic encryption keys, and centralized policy control.


As shown in Figure 3-7, phase I of the authentication sequence is the same as that for EAP-TLS (server-side TLS). At the end of phase I, an encrypted TLS tunnel is created between the user and the RADIUS server for transporting EAP authentication messages.

In phase II, also shown in Figure 3-7, the RADIUS server authenticates the client through the encrypted TLS tunnel via another EAP type. As an example, a user can be authenticated with a one-time password (OTP) using the EAP-GTC subtype (as defined by the PEAP draft). In this case, the RADIUS server relays the OTP credentials (user ID and OTP) to an OTP server to validate the user login. When this is complete, an EAP-Success message is sent to the client and both the client and the RADIUS server derive the dynamic WEP key.

For more information about PEAP, refer to the IETF Web site for the latest draft, or to the Cisco white paper titled Cisco SAFE Wireless LAN Security in Depth.

Figure 3-7 PEAP authentication process

Following is the PEAP authentication process shown in Figure 3-7.

1. Client associates with Access Point

2. Access Point blocks all user requests to access the LAN

3. Client verifies RADIUS server’s digital certificate

4. RADIUS server authenticates user

5. RADIUS server and client derive unicast WEP key

6. RADIUS server delivers unicast WEP key to Access Point

7. Access Point delivers broadcast WEP key encrypted with unicast WEP key to client


8. Client and Access Point activate WEP and use unicast and broadcast WEP keys for transmission
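The eight steps above as a runnable model (example code added here, not from the Redpaper): a supplicant, an Access Point that relays EAP and keeps the port blocked, and a RADIUS server that relays an EAP-GTC one-time password to an OTP server. TLS is replaced by labelled stand-ins (a trusted-issuer lookup for the certificate check and HMAC-SHA256 for the key derivation), and the trust anchor, OTP record and certificate subject are constructed values; what the model shows is that the client releases no credentials until the server certificate is trusted, that the unicast key is derived on both sides rather than sent, and that the Access Point authorizes the port only on EAP-Success.

```python
"""Two-phase PEAP exchange from Figure 3-7, modelled as added example code (not
from the Redpaper). Phase I: the client checks the RADIUS server certificate and
a tunnel is set up; phase II: EAP-GTC with a one-time password runs inside the
tunnel and is relayed to an OTP server; then both ends derive the unicast WEP key
and the Access Point opens the port. TLS is replaced by labelled stand-ins (issuer
lookup for certificate validation, HMAC-SHA256 for the TLS PRF), so ordering and
gating are faithful, the cryptography is not."""
import hashlib
import hmac
import os

TRUSTED_ISSUERS = {"Lab Root CA"}       # constructed: the CA the supplicant trusts
OTP_RECORDS = {"alice": {"482913"}}     # constructed OTP server data: user -> valid codes


def prf(secret, label):
    """Stand-in for the TLS PRF; 13 bytes is a 104-bit dynamic WEP key."""
    return hmac.new(secret, label, hashlib.sha256).digest()[:13]


class RadiusServer:
    """Terminates the tunnel, relays the OTP to the OTP server, derives the key."""

    def __init__(self, issuer, otp_records):
        self.cert = {"subject": "acs.ibmwecmlab.local", "issuer": issuer}  # constructed
        self.otp_records = otp_records
        self.tunnel = None

    def handle(self, msg):
        t = msg["type"]
        if t == "EAP-Response/Identity":          # phase I begins: server-side TLS
            return {"type": "PEAP/ServerCertificate", "cert": self.cert}
        if t == "PEAP/TunnelEstablished":         # stand-in for the completed TLS handshake
            self.tunnel = msg["tunnel_secret"]
            return {"type": "EAP-Request/GTC", "prompt": "Enter one-time password"}
        if t == "EAP-Response/GTC":               # phase II: inner EAP-GTC
            if not msg.get("tunneled"):
                return {"type": "EAP-Failure", "reason": "inner EAP outside the tunnel"}
            if msg["otp"] in self.otp_records.get(msg["user"], set()):
                return {"type": "EAP-Success", "unicast_key": prf(self.tunnel, b"unicast")}
            return {"type": "EAP-Failure", "reason": "OTP rejected"}
        return {"type": "EAP-Failure", "reason": "unexpected message"}


class AccessPoint:
    """Relays EAP only; user traffic stays blocked until EAP-Success (steps 2, 6-8)."""

    def __init__(self, radius):
        self.radius = radius
        self.port_open = False
        self.broadcast_key = os.urandom(13)
        self.unicast_key = None
        self.log = []                             # (direction, message type) pairs

    def forward(self, msg):
        self.log.append(("client->radius", msg["type"]))
        reply = self.radius.handle(msg)
        self.log.append(("radius->client", reply["type"]))
        if reply["type"] == "EAP-Success":
            # step 6: RADIUS hands the unicast key to the AP; it never crosses the air
            self.unicast_key = reply.pop("unicast_key")
            # step 7: broadcast key delivered wrapped under the unicast key (XOR with an
            # HMAC-derived keystream stands in for the WEP-encrypted key frame)
            ks = prf(self.unicast_key, b"broadcast-wrap")
            reply["wrapped_broadcast_key"] = bytes(a ^ b for a, b in zip(self.broadcast_key, ks))
            self.port_open = True                 # step 8: WEP active, port authorized
        return reply


class Supplicant:
    """Client side: the OTP is released only after the server certificate checks out."""

    def __init__(self, user, otp, trusted_issuers):
        self.user, self.otp, self.trusted = user, otp, trusted_issuers
        self.unicast_key = self.broadcast_key = None

    def authenticate(self, ap):
        reply = ap.forward({"type": "EAP-Response/Identity", "identity": self.user})  # step 1
        if reply["cert"]["issuer"] not in self.trusted:    # step 3: abort, no credentials sent
            return "server certificate not trusted"
        tunnel_secret = os.urandom(32)                     # stand-in for the TLS master secret
        ap.forward({"type": "PEAP/TunnelEstablished", "tunnel_secret": tunnel_secret})
        reply = ap.forward({"type": "EAP-Response/GTC", "user": self.user,
                            "otp": self.otp, "tunneled": True})  # step 4, inside the tunnel
        if reply["type"] != "EAP-Success":
            return reply["reason"]
        self.unicast_key = prf(tunnel_secret, b"unicast")  # step 5: derived locally
        ks = prf(self.unicast_key, b"broadcast-wrap")
        self.broadcast_key = bytes(a ^ b for a, b in zip(reply["wrapped_broadcast_key"], ks))
        return "authenticated"


def run(issuer="Lab Root CA", otp="482913"):
    """One exchange; returns (client result, AP port state, keys match, AP log)."""
    ap = AccessPoint(RadiusServer(issuer, OTP_RECORDS))
    client = Supplicant("alice", otp, TRUSTED_ISSUERS)
    result = client.authenticate(ap)
    keys_match = bool(ap.port_open and client.unicast_key == ap.unicast_key
                      and client.broadcast_key == ap.broadcast_key)
    return result, ap.port_open, keys_match, ap.log
```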

To address some security and deployment issues with EAP, Microsoft and Cisco developed proprietary PEAP protocols.

• Cisco PEAP is EAP-GTC (Generic Token Card)

• MS PEAP is EAP-MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2)

They both expand on the available EAP-based authentication schemes. Unlike EAP-TLS, which requires deploying and managing digital certificates for each access client, PEAP does not require access client certificates. This eases the administrative burden of user certificate management.

If you intend to use digital certificates such as PKI to authenticate the client, we recommend implementing Cisco PEAP or EAP-TLS. Single sign-on using the MS password, password expiration, and Internet Authentication Service (IAS) (MS RADIUS services) are supported by PEAP-MS-CHAP v2. In our wireless network configuration, we use the Cisco ACS; however, MS PEAP customers may implement the MS RADIUS server.

For additional details on implementing MS IAS, visit the following Web site:

http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx

For more details on MS PEAP visit the following Web site:

http://www.microsoft.com/windowsserver2003/techinfo/overview/peap.mspx

For more details on Cisco PEAP visit the following Web site:

http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/netqa0900aecd801764fa.html

Table 3-8 PEAP, EAP-FAST, Cisco LEAP and EAP-TLS Comparison Chart

| | Cisco LEAP | PEAP with Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) Version 2 | PEAP with Generic Token Card (GTC) | EAP-TLS | EAP-FAST |
|---|---|---|---|---|---|
| User authentication database and server | Windows NT Domains, Active Directory | Windows NT Domains, Active Directory | One-time password (OTP), Lightweight Directory Access Protocol (LDAP), Novell NDS, Windows NT Domains, Active Directory | OTP, LDAP, Novell NDS, Windows NT Domains, Active Directory | Windows NT Domains, Active Directory, LDAP (limited) |
| Requires server certificates | No | Yes | Yes | Yes | No |
| Requires client certificates | No | No | No | Yes | No |
| Operating System support | Driver: Windows 98, Windows 2000, Windows NT, Windows Me, Windows XP, Mac OS, Linux, Windows CE, DOS | Driver: Windows XP, Windows 2000, Windows CE. With third-party utility: Other OS [3] | Driver: Windows XP, Windows 2000, Windows CE [1]. With third-party utility: Other OS [2] | Driver: Windows XP, Windows 2000, Windows CE. With third-party utility: Other OS | Driver: Windows XP, Windows 2000, Windows CE [4]. With third-party utility: Other OS [5] |
| ASD support | Yes | No | No | No | Yes |
| Credentials used | Windows password | Windows password | Client: Windows, NDS, LDAP password; OTP or token. Server: digital certificate | Digital certificate | Windows password, LDAP user ID/password (manual provisioning required for PAC provisioning) |
| Single sign-on using Windows login | Yes | Yes | No | No | Yes |
| Password expiration and change | No | Yes | No | n/a | Yes |
| Works with Fast Secure Roaming | Yes | No | No | No | Yes |
| Works with WPA | Yes | Yes | Yes | Yes | Yes |

3.5 Architectural overview diagram

Figure 3-8 on page 33 is an architecture overview diagram. Use it as a tool for discussions with the client to convey the major points of the solution. It is a high-level diagram that the client architects and the decision makers can easily understand. It summarizes the proposed approach to provide a solution that addresses client functional and non-functional requirements. Additional details appear in other architectural work products, particularly in the operational model that serves as a base for actual solution deployment.

Figure 3-8 Architectural overview of SMB secure wireless LAN with remote access

Description of system components:

• Wireless clients

The purpose of the client node is to provide access to the e-business application through a network. This could be through a standard Web browser or through launching an application-specific graphical user interface (GUI). In our case, clients are limited to portable computers.

• Firewall

The firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users on other networks.

• Connectivity and access server (WECM server)

The connectivity and access node accommodates the different services needed to enable remote access to the company intranet.

• Access Points

The Access Point acts as a communication hub through which users of a wireless device connect to a wired network.

• Switch

The switch joins multiple network devices together at a low-level network protocol layer.

• Authentication services (RADIUS Server)

Remote Authentication Dial-In User Service (RADIUS) provides services for remote authentication of users and devices.

3.6 Operational model

• The operational model defines the involved computers, networks, and other platforms on which the application will execute and by which it is managed.

• The operational model links the conceptual design with the deployment phase of the project.


• The operational model can also serve as a base for walking the client through sample use cases. It can be drawn at the logical or the physical level.

Figure 3-9 is an operational model, drawn as a physical diagram, for a secure wireless in-building LAN.

Figure 3-9 Secure wireless in-building LAN

[Figure 3-9 labels: IBM eServer xSeries 226 Express providing authentication and authorization services (Windows 2003 Server Enterprise, Secure Access Control Server V3.3.1 for Windows, Microsoft Active Directory, Microsoft DHCP Server, Microsoft Certificate Authority, Java JRE V1.4.2_06); Cisco Integrated Switch/Router 2811 connected to the existing wired LAN (unless the customer does not have a router, only switch modules are required; the configuration depends on the number of users and Access Points to support); Access Point 1131 (802.11a/b/g AP, integrated radios and antennas, North America configuration); IBM ThinkPad T42, X40, R51 or later clients with an 802.11a/b/g wireless card running Windows XP, IBM Access Connections V3.53 and WebSphere Everyplace Connection Manager Client V5.1.]

Figure 3-10 on page 35 is an operational model, drawn as a physical diagram, for mobile access.

Figure 3-10 Mobile access

[Figure 3-10 labels: IBM eServer xSeries 226 Express providing authentication and authorization services (Windows 2003 Server Enterprise, Secure Access Control Server v3.3 for Windows 2003, Microsoft Active Directory, Microsoft DHCP Server, Microsoft Certificate Authority, Java JRE V1.4.2.06); Access Point 1131 (802.11a, .11g AP, integrated radios and antennas, North America configuration); IBM ThinkPad T42, X40, R51 or later clients with an 802.11a/b/g wireless card running Windows XP, IBM Access Connections v3.53 and WebSphere Everyplace Connection Manager Client v5.1; existing wired LAN with a Cisco Integrated Switch/Router 2811 (unless the customer does not have a router, only switch modules are required; the configuration depends on the number of users and Access Points to support, see the summary table below); a second IBM eServer xSeries 226 Express with 2x Ethernet adapter (one internal and one external IP address) providing connection and access services (SuSE Linux 9.0, OpenLDAP, DB2 UDB Express v8.2, WebSphere Everyplace Connection Manager v5.1), reached from the Internet; and any Windows XP PC running the IBM WECM Gatekeeper (admin interface to WECM).]

Table 3-9 Recommended components/parts for up to 80 wireless users

| Node | Node description | Hardware platform | Software | Communication protocol (transport layer) |
|---|---|---|---|---|
| Directory and Security Services | Authenticates and authorizes users | IBM eServer xSeries 226 Express (1 way, 2.8 GHz, 1 GB RAM, 2x 36.4 GB HDD) | Windows 2003 Server Enterprise; Active Directory; DHCP Server; Certificate Authority; Secure Access Control Server v3.3 for Windows 2003 (a); Java JRE V1.4.2.06 | TCP/IP (b) |
| Wireless communication | Provides bi-directional communication with wireless clients | CISCO Access Point 1131, 802.11a, .11g AP, Int Radios, Ants, North America Cnfg | | TCP/IP (over 802.11 a/b/g) |
| Connection to wired LAN | Joins wireless LAN with an existing wired LAN; up to 80 wireless clients (assuming 1 Access Point for 80 users) (c) | Access Point 1131, 802.11a, .11g AP, Int Radios, Ants, North America Cnfg; Integrated Switch Router 2801 with inline power, 2FE, 4 slots, IP BASE, 64F/128D (4-Port Ethernet Switch HWIC with Power Over Ethernet; Cisco 2801 IOS IP BASE; Power Cord, 110V; 64 MB CF default for Cisco 2800 Series; Cisco 2801 AC/IP power supply; Device manager for routers) | | IP |
| Connectivity for Access and pervasive services (required if enabling remote access) | Secure, seamless access to the intranet from anywhere | IBM eServer xSeries 226 Express (1 way, 2.8 GHz, 1 GB RAM, 2x 36.4 GB HDD), 2x Ethernet adapter | Red Hat Enterprise 3.0 Linux; OpenLDAP; DB2 UDB Express v.8.2; WebSphere Everyplace Connection Manager v.5.1 Starter Edition (d) | TCP/IP |
| Printing services (optional) | | InfoPrint Printer 4523-XN1; 802.11G Wireless Ethernet Adapter | | TCP/IP (over 802.11g) |

a. For sizing of Cisco ACS, refer to http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/index.htm (requires a Cisco partner user ID and password).

b. TCP/IP supports most application protocols (HTTP, Telnet, SMTP, FTP, and so on).

c. For configurations for a larger number of users, refer to Figure 3-11.

d. For WECM sizing, see Redbook SG24-7049-00.

Figure 3-11 contains the recommended components and part numbers for 80 to 320 wireless users.

Figure 3-11 Recommended components/part numbers for 80-320 wireless users

Small-Medium Deployment, 81-160 Wireless Clients (8 PoE ports)

– CISCO2801-AC-IP: 2801 Router with inline power, 2FE, 4 slots, IP BASE, 64F/128D
– HWIC-D-9ESW-POE: 9-Port Ethernet Switch HWIC with Power Over Ethernet
– S280IPB-12311T: Cisco 2801 IOS IP BASE
– CAB-AC: Power Cord, 110V
– MEM2800-64CF-INC: 64MB CF default for Cisco 2800 Series
– PWR-2801-AC-IP: Cisco 2801 AC/IP power supply
– ROUTER-SDM: Device manager for routers

Total Lead Time: 13 - 16 Days. Total Price: USD 3,450.00

Medium Deployment, 161-240 Wireless Clients (12 PoE ports)

– CISCO2811-AC-IP: 2811 w/ AC+POE, 2FE, 4HWICs, 2PVDMs, 1NME, 2AIMS, IP BASE
– S28NIPB-12311T: Cisco 2800 IOS IP BASE
– HWIC-4ESW-POE: 4-Port Ethernet Switch HWIC with Power Over Ethernet
– HWIC-D-9ESW-POE: 9-Port Ethernet Switch HWIC with Power Over Ethernet
– CAB-AC: Power Cord, 110V
– PWR-2811-AC-IP: Cisco 2811 AC/IP power supply
– ROUTER-SDM: Device manager for routers
– MEM2800-256D-INC: 256MB DDR DRAM Memory factory default for the Cisco 2800
– MEM2800-64CF-INC: 64MB CF default for Cisco 2800 Series

Total Lead Time: 15 - 18 Days. Total Price: USD 4,550.00

Medium-Large Deployment, 241-320 Wireless Clients (16 PoE ports)

– CISCO2811-AC-IP: 2811 w/ AC+POE, 2FE, 4HWICs, 2PVDMs, 1NME, 2AIMS, IP BASE
– S28NIPB-12311T: Cisco 2800 IOS IP BASE
– HWIC-D-9ESW-POE: 9-Port Ethernet Switch HWIC with Power Over Ethernet
– CAB-AC: Power Cord, 110V
– PWR-2811-AC-IP: Cisco 2811 AC/IP power supply
– ROUTER-SDM: Device manager for routers
– MEM2800-256D-INC: 256MB DDR DRAM Memory factory default for the Cisco 2800
– MEM2800-64CF-INC: 64MB CF default for Cisco 2800 Series

Total Lead Time: 15 - 18 Days. Total Price: USD 5,055.00

Chapter 4. Implementation scenarios

In this chapter, we document hardware and software requirements and detailed step-by-step installation and customization procedures for four basic use cases:

• 4.1, “Scenario 1: Deploy wireless LAN on a client site” on page 40

• 4.2, “Scenario 2: Mobile access from home” on page 113

• 4.3, “Scenario 3: Mobile access from hot spots” on page 176

• 4.4, “Scenario 4: Mobile access via WAN” on page 177

Even though the scenarios described in this chapter cover both LEAP and PEAP authentication, we recommend that you implement PEAP authentication.

The use cases documented in this chapter are intended to support installations of up to 250 clients. Installations with more than 250 clients most likely need different switches, and potentially require bridged networks. Bridged networks are beyond the scope of this document.


4.1 Scenario 1: Deploy wireless LAN on a client site

In this scenario, we add secure wireless LAN support to a currently existing wired intranet network. We configure support for both LEAP and MS PEAP authentication.

Figure 4-1 Network configuration for wireless implementation

Windows 2003 Server is configured with Active Directory support, Certificate Authority, DNS, and DHCP server support. Additionally, Cisco Secure ACS is installed on the same hardware to provide wireless configuration services and the RADIUS server function. Typically, these functions are not all installed on a single server.

IBM Access Connections is installed on wireless ThinkPad clients to support wireless connections and wireless network access management.

4.1.1 Installation planning

The current client network may already be running Windows 2000 Server or Windows 2003 Server Enterprise Edition for the domain controller. The steps documented here assume that no currently installed hardware or software is used.

IBM Access Connections supports a specific set of wireless adapters from IBM, Cisco, and Intel. For more information about Access Connections wireless adapter support, visit the following IBM Access Connections Web site:

http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-4ZLNJB

4.1.2 Environment check

Refer to 2.2.1, “Site survey” on page 7 for wireless Access Point planning and placement information. This scenario documents the installation and configuration of Windows 2003 Enterprise Edition with features such as Certificate Authority, DHCP, and Active Directory. Many client environments already have this software installed and operational. In those situations, it is only necessary to install and configure the remaining software (Cisco Secure ACS, Java JRE, IBM Access Connections) to work in your current environment.

[Figure 4-1 labels: Windows 2003 Server at 192.168.1.1 running Active Directory, Certificate Authority, DNS, DHCP and Cisco Secure ACS (RADIUS server); AP1 at 192.168.1.5 with SSID leap1a; AP2 at 192.168.1.6 with SSID leap2; wireless client; wired intranet; firewall/router at 192.168.1.254 to the Internet.]

4.1.3 Hardware and software to install and configure

The following software and hardware is installed and configured for this scenario.

Hardware

• One IBM Eserver xSeries 226 with one network interface card

This server hosts the Cisco ACS server software and RADIUS server. In our environment, this server also hosted the Microsoft domain controller, Active Directory, Certificate Authority, and DHCP server. A more secure solution is to have this server host only the Cisco ACS server while other domain functions (domain controller, DHCP server, Certificate Authority, Active Directory) are installed and managed on a separate server. For more information, see 5.3, “IBM Eserver xSeries 226” on page 187.

• Two Cisco AIR-AP1131AG wireless access points

In our environment, both access points supported 802.11a, b and g wireless networks. For more information, see 5.1.2, “Cisco Aironet 1130AG Series IEEE 802.11A/B/G Access Point” on page 180.

• Wireless adapters on client computers

We configured an IBM a/b/g Wireless Cardbus adapter, Intel PRO/Wireless 2200BG Network Connection, and Intel PRO/Wireless LAN 2100 3B Mini PCI Adapter.

Software

• Windows 2003 Server Enterprise Edition

• Cisco Secure Access Control Server (ACS) V3.3.1

• Microsoft Active Directory

• Microsoft DHCP Server

• Microsoft Certificate Authority

• Java JRE V1.4.2.06

• IBM Access Connections V3.53

4.1.4 Windows 2003 Server Enterprise Edition

We installed Windows 2003 Server Enterprise Edition on an IBM xSeries 226 with no additional server functions (file server, DHCP server, Active Directory, and so on). We added these additional functions as required in later steps.

In a currently established environment, these normal server functions would probably already be operational on other server machines in the intranet.

4.1.5 Cisco Secure Access Control Server (ACS) V3.3.1

The Cisco Installation Guide for Cisco Secure Access Control Server for Windows Server is located at the following Web site:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/install/inst02.htm

The ACS installation guide provides all the information needed to install, reinstall, and upgrade the Cisco Secure Access Control Server (ACS) for Windows Server. In addition, see 5.1.1, “Cisco Secure Access Control Server V3.3.1” on page 180.

For this scenario, we completed the following steps.


1. Insert the ACS V3.3 product CD into the CD drive.

2. Unzip the sevt-fcs-acs-v331-w2k-K9.zip file to a folder on the desktop.

3. Open the folder, and click setup.exe as shown in Figure 4-2.

Figure 4-2 ACS setup.exe

4. On the Before You Begin screen, check all of the boxes, as shown in Figure 4-3.

Figure 4-3 ACS check ups

5. Disconnect your wireless access points (APs) if they are connected to the network (switch).


6. Disconnect any other devices that will appear to the Cisco ACS server as AAA clients (this includes WECM Servers configured as AAA clients).

7. On the Authentication Database Configuration window, click Also check the Windows User Database, as shown in Figure 4-4.

Figure 4-4 ACS authentication database selection

8. On the Advanced Options window, do not select any of the options at this time. You can select them later from within ACS.

9. Accept the default settings on the Active Service Monitoring window.

10. On the Cisco Secure ACS Service Initiation window, check Yes, I want to start the CiscoSecure ACS Service now, as shown in Figure 4-5 on page 44. Do not check the remaining boxes.

Important: It is very important that you disconnect any wireless access points from the network before installing ACS. When we did not disconnect the APs, the ACS administration utility did not start after installation.

Important: You must install Java before logging on to the ACS Server (see “Install Java JRE for Cisco Secure ACS” on page 50).


Figure 4-5 ACS service

This completes the installation of Cisco Secure Access Control Server for Windows Server. We customize the ACS server in later steps.

4.1.6 Microsoft Active Directory

We used Microsoft Active Directory to manage user IDs and passwords. If a Microsoft domain and Active Directory are already configured in your environment, skip to 4.1.7, “Microsoft DHCP Server” on page 47.

We defined a new domain and installed Active Directory on the same machine as our ACS server. We recommend that you put the ACS server on a separate machine in a production environment.

The Active Directory installation requires that you configure TCP/IP before the installation.


Install Microsoft Active Directory

1. Select Start → Run and type in “dcpromo”. The window shown in Figure 4-6 is displayed.

Figure 4-6 Active directory installation wizard

2. Select Domain controller for a new domain on the Domain Controller Type window, as shown in Figure 4-7.

Figure 4-7 Domain controller for a new domain


3. Select Domain in a new forest, as shown in Figure 4-8.

Figure 4-8 Domain in a new forest

4. Select No, just install and configure DNS on this computer on the Install or Configure DNS window shown in Figure 4-9.

Figure 4-9 Install and configure DNS


5. Configure a domain name. We configured (domain name).local, for example - IBMWECMLAB.local. See Figure 4-9 on page 46.

Figure 4-10 DNS domain name

6. Choose the defaults for the remaining settings, and allow the install to complete.

Add users to Microsoft Active Directory

The procedure that adds users to Microsoft Active Directory is different from the procedure to add users in a Windows environment where Active Directory is not used. Use the following procedure to add users to Microsoft Active Directory.

1. Select Start → Programs → Administrative tools → Active Directory Users and Computers.

2. Select your Domain in the left panel and right-click to display a selection menu.

3. Select New → User.

4. Add information for the new user.

Passwords must be strong passwords.

To give a user administrator privileges, use the following steps:

1. Users are listed under Users in the right panel. Right-click the user and select Properties.

2. Select the Member of tab at the top.

3. Select Add... in the Member of window.

4. In the Select Groups window, type administrators.

5. Click OK.

4.1.7 Microsoft DHCP Server

We installed a DHCP server on our ACS server machine. Normally, a DHCP server is already running in an enterprise environment, so the following steps are not performed. If you have a DHCP server already configured in your environment, skip to 4.1.8, “Modify Internet Explorer settings” on page 50.

DHCP installation

Follow these steps to install the Windows DHCP server.

1. Access the Windows Control Panel, and select Add or Remove Programs.

2. In the Add or Remove Programs window, select Add/Remove Windows Components on the left panel.

3. Select Network services, and click Details. See Figure 4-11.

Figure 4-11 Windows Networking Services components

4. Check Dynamic Host Configuration Protocol, as shown in Figure 4-12, and click OK.

5. Click Next.

Figure 4-12 Install DHCP networking component

This completes the installation of DHCP server on Windows 2003 Server.

DHCP configuration

1. After you install the DHCP service, go to the Windows Control Panel → Administrative Tools → DHCP.

2. Highlight the name of the server, select Action → New Scope, as shown in Figure 4-13.

Figure 4-13 Add a new DHCP scope

3. Type the name of this scope, and set the IP address range that this DHCP server manages. See Figure 4-14.

Figure 4-14 DHCP IP address range

4. Include options that are sent to the clients. This includes Router, DNS server (in our configuration, the ACS machine with Active Directory on it), and Domain name.


5. After you configure the DHCP server, authorize the server with Active Directory. From the DHCP window, select Action → Authorize, as shown in Figure 4-15.

Figure 4-15 Authorize the DHCP server to Active Directory

The DHCP server configuration is complete.

4.1.8 Modify Internet Explorer settings

Modifying Internet Explorer settings is required for the Cisco Secure ACS software.

1. Open Internet Explorer.

2. Select Tools → Internet Options.

3. Click the Security tab.

4. Change the security level from High to Medium.

4.1.9 Install Java JRE for Cisco Secure ACS

Cisco Secure Access Control Server V3.3.1 requires a Java upgrade.

1. Access the following Web site:

http://java.sun.com/j2se/1.4.2/download.html

2. Select the Download J2SE JRE link.

3. Accept the license, and click Windows Offline Installation, Multi-language.

4. Download and install the J2SE JRE file. At the time we downloaded the file, the file name was j2re-1_4_2_06-windows-i586-p.exe.

4.1.10 Configure LEAP authentication with Cisco ACS and 1131 AP

In this section, we configure the Cisco Access Points and Cisco Secure ACS software to support LEAP authentication. Detailed information about this process, along with a discussion of EAP configuration options, is available at the following Cisco Web site:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

Also, see 5.1, “Cisco components” on page 180 of this Redpaper.

Configuring the Access Point to support LEAP authentication also enables it to support PEAP authentication. We configured two Cisco AIR-AP1131AG Access Points. Both Access Points have two radios and support 802.11 a/b/g communications.

The following sections document the steps we used to configure Access Point 1 (AP1) to support LEAP and PEAP authentication on the 802.11a radio. Configuration of Access Point 2 (AP2) is the same except for the items listed in the following table.

Table 4-1 Access Point configuration differences

| | Access Point host name (refer to “Configure AP host name” on page 52) | SSID (refer to “Configure AP SSID and security settings” on page 53) | IP address (refer to step 2 on page 51) |
|---|---|---|---|
| Access Point 1 | AP1 | leap1a | 192.168.1.5 |
| Access Point 2 | AP2 | leap2 | 192.168.1.6 |

Access Point initial configuration

Initial configuration of the Access Point is done through a console cable attached to the Access Point. To access the Web interface on the Access Point, first attach a console cable to the Access Point and connect through HyperTerminal. You must configure an IP address on each AP.

1. Go to enable mode by typing “enable” at the command prompt. The default enable password is “Cisco”.

2. When you are in enable mode, do the following:

a. Type the command:

config t

b. Type the command:

int bvi 1

c. Define the IP address and subnet mask in the following form:

ip address <address you want> <subnet mask>

d. For AP1, we typed in:

ip address 192.168.1.5 255.255.255.0

e. For AP2, we typed in:

ip address 192.168.1.6 255.255.255.0

3. Hold the CTRL key, and press z.

4. To save the configuration, type:

wr mem

5. To leave enable mode, type:

exit

After performing these steps, you can access the AP's Web interface by using a PC with an IP address on the same network.

• The Web address for the Access Point Web interface is its IP address - http://192.168.1.5 for AP1.

• The default username is “Cisco”.

• The password is “Cisco”.

The window shown in Figure 4-16 is displayed.

Figure 4-16 Access Point home page

When you reach the Access Point home page, you can further configure the Access Point.

Configure AP host name

1. Select EXPRESS SET-UP on the left panel, and enter the values you want for host name. You can also modify the IP address that was selected during the initial Access Point configuration (“Access Point initial configuration” on page 51). See Figure 4-17 on page 53.

Figure 4-17 Access Point express setup

2. Press Apply at the bottom of the page (not shown in Figure 4-17) to apply the changes.

Configure AP SSID and security settings

1. Select SECURITY on the left panel, and click SSID Manager. See Figure 4-18 on page 54.

2. Enter the SSID for the Access Point. We defined an SSID of “leap1a” for the 802.11a radio in AP1, and “leap2” for AP2. The SSID value is required when configuring IBM Access Connections - see Figure 4-34 on page 71.

Figure 4-18 Configure Access Point SSID, LEAP and PEAP

When configuring LEAP or PEAP support, make the following changes under Authentication Settings as shown in Figure 4-18.

1. Under Authentication Methods Accepted configure the following:

– Check Open Authentication

– Select with EAP

– Check Network EAP

– Leave the choice in the drop-down as No Addition.

2. Press Apply-Radio1 at the bottom of the page (not shown in Figure 4-18) to apply the changes.

3. The warning window shown in Figure 4-19 may display. Press Okay to continue.


Figure 4-19 Encryption warning message

Configure WEP encryption on the Access Point

We recommend PEAP authentication for wireless security. However, for both LEAP and PEAP authentication, you must configure WEP encryption in the Access Point. Use the following steps for guidance.

1. Select SECURITY on the left panel, and click Encryption Manager.

2. Make sure that you select the correct radio tab at the top of the page. Since we are configuring the “A” radio, we selected radio 1. See Figure 4-20 on page 56.

3. For Encryption modes, check WEP Encryption, and select Mandatory from the drop-down list.

4. Under Encryption Keys, note that no encryption key is entered. LEAP and PEAP use dynamic encryption keys. However, you can enter an encryption key for those devices in your wireless network that may not support LEAP or PEAP authentication (see 4.1.16, “Printers” on page 109).

5. Select Apply-Radio1 at the bottom of the panel.

Figure 4-20 Configure WEP encryption support in the Access Point

Define ACS authentication server to the Access Point

The next step in configuring for EAP (LEAP or PEAP) is to define the Cisco Secure ACS authentication server to the Access Point, and establish a relationship with it.

1. Select SECURITY → Server Manager from the left panel, as shown in Figure 4-21 on page 57.

Figure 4-21 Define the authentication server to the Access Point

2. Type the IP address of the authentication server in the Server field. In our configuration, the Cisco ACS server IP address is 192.168.1.1.

3. Specify the Shared Secret and the Ports. We used “cisco” as the shared secret. We recommend a more secure shared secret in a production environment. This shared secret value must match the key value used when defining this Access Point to ACS as an AAA client. See Figure 4-23 on page 60.

4. Click Apply to create the definition and populate the drop-down lists.

5. Under Default Server Priorities, set the EAP Authentication type Priority 1 field to the server IP address.

6. Click Apply.

Define the Access Point to the ACS authentication server

The next step in configuring for EAP (LEAP or PEAP) is to configure the Access Point in the Cisco Secure ACS authentication server as an AAA client. There are two ways to access the ACS server GUI:

1. Access the Cisco Secure ACS HTML interface using a browser on the ACS server machine with the following Web address:

http://127.0.0.1:2002

2. Double-click the ACS Admin icon on the desktop.

Note: As an alternative to using the browser interface to the Access Point, you can issue the following CLI commands to configure the default authentication server information. See Example 4-1.

Example 4-1 Command configuration of authentication server information in the Access Point

AP# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
AP(config)# aaa group server radius rad_eap
AP(config-sg-radius)# server 192.168.1.1 auth-port 1645 acct-port 1646
AP(config-sg-radius)# exit
AP(config)# aaa new-model
AP(config)# aaa authentication login eap_methods group rad_eap
AP(config)# radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key labap1200ip102
AP(config)# end
AP# write memory

3. Select Network Configuration on the left panel to go to the Network Configuration page shown in Figure 4-22.

Figure 4-22 ACS Network Configuration page

4. Click Add Entry under the AAA Clients heading to add an Access Point AAA client. The page shown in Figure 4-23 on page 60 is displayed.

5. On this page, type the access point's host name, IP address, key, and authentication method (RADIUS Cisco Aironet). The value for Key must match what you configured for the shared secret on the Access Point in Figure 4-21 on page 57.

Perform this step for both Access Points, AP1 and AP2.

Figure 4-23 Add an AAA client to define the Access Point to the authentication server

6. Click Submit to complete the changes.

7. The page shown in Figure 4-24 is displayed to indicate that you must restart the ACS server to activate the changes.

Figure 4-24 Restart ACS to activate changes

8. This completes the definition of the Access Point as an AAA client to Cisco ACS Server.
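The two procedures above (defining the ACS server to the Access Point, and defining the Access Point to ACS as an AAA client) each carry one copy of the same RADIUS shared secret. The following Python script is an added example, not code from this Redpaper or from the Cisco or IBM products; it models the RFC 2865 Response Authenticator so that you can see why a mismatched key between the two GUIs makes every Access-Accept from ACS look forged to the Access Point. The user name and the two secrets are constructed values; the RADIUS packet layout follows RFC 2865.

```python
"""RADIUS shared-secret check between an AP (the AAA client) and the ACS server.

Added example, not code from the Redpaper or from Cisco/IBM. It models the
RFC 2865 Response Authenticator so you can see what happens when the key
configured on the Access Point (Figure 4-21) differs from the key configured
for that AAA client in ACS (Figure 4-23). The user name, NAS address and
secrets below are constructed for the example.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
RADIUS_HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type, total length, value."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_request(identifier, attrs, request_authenticator=None):
    """What the AP sends. The Request Authenticator is 16 random bytes."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, RADIUS_HEADER_LEN + len(body))
    return header + request_authenticator + body


def build_response(code, request, attrs, secret):
    """What the RADIUS server sends back. Per RFC 2865 the Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    request_authenticator = request[4:20]
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, request[1], RADIUS_HEADER_LEN + len(body))
    response_authenticator = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_authenticator + body


def verify_response(response, request, secret):
    """The AP side of the check: a reply whose authenticator does not verify under
    the AP's own secret is silently discarded. A key mismatch between AP and ACS
    therefore makes every Access-Accept look forged, and the client never joins."""
    if len(response) < RADIUS_HEADER_LEN:
        return False
    _code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def simulate_exchange(ap_secret, acs_secret, accept=True):
    """Run one request/response exchange; return (server_code, accepted_by_ap)."""
    request = build_access_request(
        identifier=7,
        attrs=[(ATTR_USER_NAME, b"wlanuser1"),                    # constructed user name
               (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 1, 10]))],  # constructed AP address
    )
    code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    response = build_response(code, request, [], acs_secret)
    return code, verify_response(response, request, ap_secret)


if __name__ == "__main__":
    # Matching secrets on both sides: the AP honours the Access-Accept.
    print(simulate_exchange(b"cisco", b"cisco"))   # (2, True)
    # A one-character difference between the two GUIs: the Accept is discarded.
    print(simulate_exchange(b"cisco", b"Cisco"))   # (2, False)
```

Because the authenticator is an MD5 over the packet plus the secret, the strength of the secret is all that separates a genuine ACS reply from one an attacker on the wired segment could forge, which is why the Redpaper recommends a stronger value than “cisco” in production.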

You must also configure the Cisco ACS authentication server to perform the desired EAP authentication method. We configured LEAP and PEAP support. We recommend PEAP authentication for a more secure wireless connection.

Configure Cisco Secure ACS to support LEAP or PEAP

Use the following instructions to configure LEAP or PEAP authentication on the System Configuration → Global Authentication Setup page of Cisco Secure ACS.

1. Click System Configuration → Global Authentication Setup. See Figure 4-25 on page 62. The Global Authentication Setup page opens, as shown in Figure 4-26 on page 63.

Figure 4-25 Select Global Authentication Setup

2. On the Global Authentication Setup page, as shown in Figure 4-26, select the authentication protocols you require for your wireless network. At this time, we only include LEAP, and EAP-MD5. We will add PEAP authentication in a later step (see Figure 4-58 on page 91).

Figure 4-26 Configure ACS global authentication

Define users to the Cisco ACS Radius server

Define each client machine that uses LEAP authentication as a user in the Cisco ACS Secure server. Use the following steps to define users.

1. Click User Setup on the left panel (Figure 4-26) to go to the User Setup page shown in Figure 4-27 on page 64.

Figure 4-27 Cisco ACS user setup

2. Type the new user name in the User: field, and click Add/Edit to add the new user.

3. Add user information as shown in Figure 4-28 on page 65. Include any supplementary user information as required along with the password required to authorize to the ACS Radius server.

Figure 4-28 User information

4. Click Submit.

5. Repeat this process to add all users and passwords to the ACS Radius server for LEAP authentication.

4.1.11 IBM Access Connections V3.53

IBM Access Connections is used on the client computer to seamlessly manage the physical network connection. If multiple physical network interfaces are available (wired ethernet, wireless 802.11x ethernet), Access Connections selects the active network interface that has the fastest connection speed to be the active IP interface.

For more information about IBM Access Connections, see 5.2.2, “IBM Access Connections” on page 184.

For more detailed information about installing Access Connections and creating and managing client profiles, see Appendix A, “Deploying Access Connections” on page 191.

Install Access Connections

1. Download the latest version of IBM Access Connections from the following Web site:

http://www.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-4ZLNJB

2. Download required drivers for your wireless card from the same Web site.

3. Expand the wireless adapter card driver download file, and install the driver as instructed by the download site.

4. Expand the Access Connections download file, and install Access Connections as instructed by the download site.

Configure Access Connections V3.53 for LEAP authentication

In this section, we create an Access Connections profile to support LEAP authentication and automatically connect to the Access Point we defined previously.

1. Open IBM Access connections using one of the following methods:

a. Select Start → All Programs → Access IBM → IBM Access Connections.

b. Click the IBM Access Connections icon in the task bar. See Figure 4-29.

Figure 4-29 Access Connections icon

The Connections Status window, shown in Figure 4-30 on page 67, opens.

Attention: The Access Connections screen captures appearing in this Redpaper are based on the version V3.53, which was current at the time we wrote this Redpaper. The screens in future versions of Access Connections may not be similar in appearance; however, they are similar in functionality.

Attention: IBM Access Connections supports specific wireless cards from IBM, Cisco, and Intel. The supported wireless cards are listed on the download site.

Note: Install the wireless adapter card driver before you install IBM Access Connections.

Note: You can use the IBM ThinkPad Software Installer program to install both IBM Access Connections and the driver code for the wireless hardware.

Figure 4-30 Access Connections status window

2. As shown in Figure 4-30, click Manage Location Profiles → New. The Choose Your Connection Type window, shown in Figure 4-31 on page 68, opens.

Figure 4-31 Profile name

3. Add a name for the location profile, as shown in Figure 4-31, and then click Next. The Choose Your Switching Rule and Network Adapters window, shown in Figure 4-32 on page 69, displays.

Figure 4-32 Network adapter selection

4. Accept the defaults shown in Figure 4-32. This allows Access Connections to select the fastest connection speed when multiple adapters are active and connected to the network.

5. Click Next. The Edit Your TCP/IP Settings window, shown in Figure 4-33 on page 70, is displayed.

Figure 4-33 TCP/IP settings

6. Accept the defaults shown in Figure 4-33. This allows the client to get an IP address from the DHCP server in the network.

7. Click Next. The Edit Your Advanced DNS Settings window is displayed.

8. Click Next to accept the defaults. The Edit Your Wireless Network Settings window appears. It is shown in Figure 4-34 on page 71.

Figure 4-34 Edit Your Wireless Network Settings window - 1

9. Make the following changes on the Edit Your Wireless Network Settings window, shown in Figure 4-34:

a. Add the wireless network name (SSID) that you configured on the Access Point (refer to Figure 4-18 on page 54).

b. Select Enabled - use 802.1x - EAP - Cisco (LEAP).

c. Click Next.

Figure 4-35 Edit Your Wireless Network Settings window - 2

10. On the second Edit Your Wireless Network Settings window, shown in Figure 4-35, make the following changes:

a. Select WEP for Data Encryption.

b. Select Temporary User name and Password for user name and password settings.

c. Select Manually Prompt for LEAP User Name and Password. This forces the user to key in their LEAP user name and password when connecting over the wireless LAN.

11. To use the Windows logon user name and password as your LEAP user name and password, first enable the option from the Access Connections main menu using steps a and b:

a. Select Options → Global Settings.

b. Select Allow wireless authentication using Windows log on user name and password (requires system restart). See Figure 4-75 on page 104.

12. For user name and password settings, select Temporary User name and Password, and then select Use Windows Name and Password as shown in Figure 4-36. This forces the same user name and password to be used as the Windows logon user name and password when connecting over the wireless LAN.

Figure 4-36 Use Windows user name and password

13. Alternatively, for user name and password settings, select Use Saved User Name and Password, as shown in Figure 4-37. This forces the system to always use the saved user name and password when connecting over the wireless LAN without any prompt.

Figure 4-37 Use saved user name and password

14. The remaining Access Connections configuration windows allow you to define additional settings such as default browser home page, printer, autostart applications, and so on. Click Next to accept defaults or make changes as required.

This completes the configuration of Cisco ACS Server, Cisco Access Point, and IBM Access Connections to support Cisco LEAP authentication and encryption.

4.1.12 Configuring MS-PEAP authentication with Cisco ACS and 1131 AP

The process of enabling LEAP authentication support in the Access Point also enables support for MS-PEAP authentication. There is no difference in the configuration on the Access Point itself. See Figure 4-18 on page 54.

For an overview of PEAP, visit the following Web site:

http://www.ietf.org/proceedings/02mar/slides/eap-3/sld002.htm

Attention: To increase the overall client security, while at the same time simplifying the sign-on process, see Appendix B, “The IBM Embedded Security Subsystem” on page 201. We recommend that you use the IBM Embedded Security System hardware and software to securely store certificates, userids, and passwords. Additionally, the integrated fingerprint reader on select ThinkPad models simplifies and further secures the logon process.

Creating a Certificate Authority using Windows 2003 Server

Information in this section is excerpted from the following Web sites:

http://www.microsoft.com/technet/security/guidance/peap_4.mspx

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml#acs-2

For the purposes of this step-by-step guide, you must be logged on as an enterprise administrator.

To install the Microsoft Certificate Authority on the ACS server perform the following steps:

1. Access the Windows Control Panel, and select Add or Remove Programs.

2. In the Add or Remove Programs window, select Add/Remove Windows Components on the left panel.

3. Select Certificate Services, as shown in Figure 4-38, and click Next.

Figure 4-38 Install Microsoft Certificate Services

For this scenario, we set up an Enterprise Root CA.

The next few steps include supplemental information concerning installation of the Microsoft Certificate Authority. After you choose to make the CA an Enterprise Root, you can accept the defaults.

4. If you intend to use the Web components of the Certificate Services, ensure that the IIS check box is selected. We recommend that you use the Web components of the Certificate Services. This simplifies certificate management and download.

Note: Install the CA after IIS to ensure that the Web pages are installed. If you install the CA first, it still functions, but you may not be able to access the Web pages. You can enable the Web pages by running the following command:

certutil -vroot

5. The wizard prompts you to specify the type of Certification Authority (CA) you want to install. Setup attempts to guess which option is selected in order to make installation simpler. See Figure 4-39.

– If no Active Directory is detected, the two enterprise options are disabled.

– If an Active Directory is detected, the Enterprise root CA option is selected when there are no CAs already registered in the Active Directory. This describes our environment.

– If there are CAs registered in the Active Directory, the Enterprise subordinate CA option is selected.

Figure 4-39 Selecting the certificate authority type

If you plan to issue certificates to entities in your organization, or if you need seamless integration with the Active Directory, or if you need to enable smart card logon, select an enterprise CA from one of the following:

– Enterprise root CA - Choose this option if you do not have any CAs in your directory, or if you need a second enterprise root CA. The root CA is registered in the directory, and all computers in your enterprise using that directory automatically trust the root CA. It is a good security practice to limit the root CA to issuing certificates to subordinate CAs only, or to issuing only a few special purpose certificates. This means you want to install an enterprise subordinate after you finish installing the root. However, you can also choose to use only the root CA. We selected this option for this scenario.

– Enterprise subordinate CA - Choose this option if you already installed an enterprise root CA. Typically, you have multiple enterprise-subordinate CAs. Each of these CAs either serves different communities of users or provides different types of certificates. If there is more than one subordinate, it is possible to revoke the subordinate's certificate in case of disaster, and not have to reissue all certificates in the organization.

If you plan to issue certificates to entities outside your enterprise and do not want to use Active Directory or other Windows 2000 public key infrastructure (PKI) features, then select a stand-alone CA from one of the following:

– Stand-alone CA - Choose this option if you do not already have a stand-alone CA, or if you need a second root for a purpose different than the first.

– Stand-alone subordinate CA - Choose this option if you plan to make this CA a member of an existing CA hierarchy. The parent CA in the hierarchy can be a stand-alone CA, an enterprise CA, or an external commercial CA.

6. The wizard prompts you to supply identifying information appropriate for your site and organization. See Figure 4-40.

Figure 4-40 Certificate authority identifying information

The Certificate Authority name (or common name) is critical because it identifies the CA object created in the Directory. The Valid for time can only be set for a root CA. Set the root CA Valid for time to a reasonable value—the actual duration is a trade-off between security and administrative overhead. Keep in mind that each time a root certificate expires, an administrator has to update all trust relationships, and administrate the steps that need to be taken to move the CA to a new certificate. A time period of two or more years is usually sufficient. When you are finished entering the information, click Next.

7. A dialog box defines the locations of the certificate database, configuration information, and the location where the Certificate Revocation List (CRL) is stored. The Enterprise CA always stores its information, including the CRL, in the directory. Select the Shared folder check box. This option specifies the location of a folder where configuration information for the CA is stored. Make this folder a UNC path, and point all your CAs to the same folder. Then the administration tools can use this folder for determining CA configuration if the Active Directory is not available. If you have an Active Directory, this folder is optional. If you do not have an Active Directory, this folder is required. See Figure 4-41.

If you are installing a CA in the same location as a previously installed CA, the Preserve existing certificate database option is enabled. Check this option if you wish your new CA to use this database; otherwise, the system deletes the database.

After you specify the storage locations for your information, click Next.

Figure 4-41 CA database settings

8. If IIS is running, a message prompts you to stop the service. Click OK to stop IIS. You must stop IIS to install the Web components. If you do not have IIS installed, you will not see this message.

9. Click OK to complete the installation.

10. Click Finish to close the wizard.

Create a new Certificate Template when using Windows 2003

When using Windows 2003 Enterprise Edition, you must create a certificate template that works for this implementation. Perform the following steps:

1. Select Start → Run, and type certtmpl.msc.

2. Right-click the Web Server template, and select Duplicate Template. See Figure 4-42.

Figure 4-42 Create a duplicate Web Server template

3. On the Properties of New Template window, click the General Tab.

4. In the Template Display Name field, type an easily identifiable name since this template is referenced later. We selected WECMlabtemplate. See Figure 4-43.

Figure 4-43 Template display name

5. Click the Request Handling tab, and check Allow private key to be exported, as shown in Figure 4-44.

Figure 4-44 Export private key

6. Click the CSPs button at the bottom of the window shown in Figure 4-44. The CSP Selection window appears.

7. Select Microsoft Base Cryptographic Provider v1.0. You can leave the other options at the default. See Figure 4-45.

Figure 4-45 Select cryptographic service provider

8. Click OK.

9. Click Apply, and then click OK.

10. Select Administrative Tools → Certificate Authority to open the Certificate Authority.

11. Expand the CA (in our example, it is IBMWECMLAB), and right-click Certificate Templates.

12. Select New → Certificate Template to Issue, as shown in Figure 4-46.

Figure 4-46 Issue new certificate template

13. Select the template you previously created, and press OK. See Figure 4-47.

Figure 4-47 Select the new certificate template to issue

14. Restart the CA service from the services window.

15. Select Administrative Tools → Services. You may have to reboot to get the template to appear in the list.

Create a Server Certificate

MS-PEAP requires the use of a server certificate for client authentication of the server. Information in this section is taken primarily from the following Web site:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml#config-wc

1. Open Internet Explorer and go to the following Web site:

http://IP_of_CA_server/certsrv

In our configuration, the URL is http://192.168.1.1/certsrv.

2. Select Request a certificate, as shown in Figure 4-48.

Figure 4-48 Request a certificate

3. On the next page, select Advanced certificate request.

4. On the Advanced Certificate Request page, select Create and submit a request to this CA.

5. Select the template that you created previously from the Certificate Template drop-down list. In this scenario, the template name is WECMlabtemplate (refer to Figure 4-47 on page 81).

Figure 4-49 Advanced Certificate Request

6. Type a name for the certificate. We chose ibmcert. We recommend a distinctive name, since this name is referred to later. Leave everything else blank. See Figure 4-49.

7. In the Key Options section complete the fields using the following information:

– CSP = Microsoft Base Cryptographic Provider v1.0

– Key Size = 1024

– Check Mark keys as Exportable

– Check Store certificate in the local computer certificate store

– Leave everything else as default.

8. Click Submit.

9. Click Install this certificate. See Figure 4-50 on page 84.

Figure 4-50 Install the certificate

A page displays that says “Your new certificate has been successfully installed”. See Figure 4-51.

Figure 4-51 Certificate successfully installed

The following three steps may not be required with Windows 2003. We performed the previous steps to install the certificate on the ACS server with Windows 2003 Enterprise. These steps are primarily required with Windows 2000 Server.

1. Approve the Certificate from the CA.

a. Select Start → Programs → Administrative Tools → Certificate Authority to open the CA.

b. On the left, expand the certificate.

c. Click Pending Requests.

d. Right-click the certificate, select all tasks, and then select Issue.

2. Download the Server Certificate to the Cisco ACS Server.

a. Open the Web browser and go to the following Web address: http://IP_of_CA_server/certsrv/

b. Select Check on a Pending Certificate, and click Next.

c. Select the certificate, and click Next.

d. Click Install.

3. This step is not required if the Cisco ACS Server and the CA are installed on the same server. Install the CA Certificate on the ACS Server.

a. Open the Web browser, and go to the following Web address: http://IP_of_CA_server/certsrv/

b. Select Retrieve the CA certificate or certificate revocation list, and click Next.

c. Select Base 64 encoded.

d. Click Download CA certificate.

e. Click Open, and then click Install certificate.

f. Click Next.

g. Select Place all certificates in the following store, and click Browse.

h. Check Show physical stores.

i. Expand Trusted root certification authorities, select Local Computer, and then click OK.

j. Click Next → Finish → OK.

Configure Cisco ACS to use a certificate from storage

Follow these steps to configure ACS to use the certificate in storage.

1. Open a web browser.

2. Type the following Web address in the address bar to get to the ACS server:

http://ACS-ip-address:2002/

3. Click System Configuration in the left panel.

4. Click ACS Certificate Setup, as shown in Figure 4-52.

Figure 4-52 ACS certificate setup

5. On the next page, click Install ACS Certificate. Figure 4-53 on page 86 is displayed.

6. Select Use certificate from storage, as shown in Figure 4-53.

7. In the Certificate CN field, type the name of the certificate that you assigned in step 6 on page 83. We used ibmcert.

8. Click Submit.

Figure 4-53 Install ACS Certificate

Note: This entry must match the name that you typed in the Name field during the advanced certificate request. It is the CN name in the subject field of the server certificate. You can edit the server certificate to check for this name. Do not enter CN as the name of issuer.
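The note above is the point most often got wrong in this step: the ACS Certificate CN field must name the Subject CN of the server certificate (ibmcert in this scenario), not the CN of the issuing CA (IBMWECMLAB). The following Python script is an added example, not part of this Redpaper or of Cisco ACS; it assumes the third-party cryptography package is installed, builds a throw-away root CA and server certificate with the scenario's two names, and then runs the checks a practitioner would want before clicking Submit: that the configured CN is the subject's, that the certificate carries the serverAuth extended key usage the Web Server template provides, and that the RSA key is at least 2048 bits (the 1024-bit size used in the 2005 scenario is flagged by today's standards). The validity periods and key sizes are constructed for the example.

```python
"""Sanity-check the certificate that ACS will load by CN.

Added example, not part of the Redpaper or of Cisco ACS. It uses the
third-party `cryptography` package (assumption) to build a throw-away
enterprise root CA named IBMWECMLAB and a server certificate named ibmcert,
the two names used in the scenario, then checks what the ACS "Certificate CN"
field must point at: the CN in the certificate's Subject, not its Issuer.
Validity periods and key sizes are constructed for the example.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

MIN_RSA_BITS = 2048  # constructed policy value; the 2005 scenario used 1024


def _common_name(name):
    """Return the first CN attribute of an X.509 Name, or None."""
    attrs = name.get_attributes_for_oid(NameOID.COMMON_NAME)
    return attrs[0].value if attrs else None


def make_ca_and_server_cert(ca_cn="IBMWECMLAB", server_cn="ibmcert", server_key_bits=2048):
    """Build a self-signed root CA and a server certificate it issues (test data only)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, ca_cn)])
    ca_cert = (x509.CertificateBuilder()
               .subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=1))
               .not_valid_after(now + datetime.timedelta(days=730))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    server_key = rsa.generate_private_key(public_exponent=65537, key_size=server_key_bits)
    server_cert = (x509.CertificateBuilder()
                   .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, server_cn)]))
                   .issuer_name(ca_name)  # issued by the CA above, like the Web Server template
                   .public_key(server_key.public_key())
                   .serial_number(x509.random_serial_number())
                   .not_valid_before(now - datetime.timedelta(days=1))
                   .not_valid_after(now + datetime.timedelta(days=365))
                   .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]),
                                  critical=False)
                   .sign(ca_key, hashes.SHA256()))
    return ca_cert, server_cert


def check_acs_certificate(cert, configured_cn):
    """Return a list of problems; an empty list means the certificate fits what
    the ACS 'Use certificate from storage' option expects for the given CN."""
    problems = []
    subject_cn, issuer_cn = _common_name(cert.subject), _common_name(cert.issuer)
    if subject_cn != configured_cn:
        if configured_cn == issuer_cn:
            # Exactly the mistake the Redpaper's note warns about.
            problems.append("configured CN names the issuer (the CA), not the server certificate")
        else:
            problems.append(f"configured CN {configured_cn!r} does not match subject CN {subject_cn!r}")
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
            problems.append("certificate lacks the serverAuth extended key usage")
    except x509.ExtensionNotFound:
        problems.append("certificate has no Extended Key Usage extension")
    if cert.public_key().key_size < MIN_RSA_BITS:
        problems.append(f"RSA key is {cert.public_key().key_size} bits, below {MIN_RSA_BITS}")
    return problems


if __name__ == "__main__":
    ca, server = make_ca_and_server_cert()
    print(check_acs_certificate(server, "ibmcert"))     # []
    print(check_acs_certificate(server, "IBMWECMLAB"))  # the issuer-CN mistake
```

In practice you would load the certificate ACS is about to use from the Local Computer store (the Web enrolment step above placed it there) and run the same checks against it rather than building test certificates.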

9. After the configuration is complete, a confirmation message appears indicating that the configuration of the ACS server changed. See Figure 4-54.

Figure 4-54 Certificate added

10. Click System Configuration in the left panel.

11. Click Edit Certificate Trust List. See Figure 4-55 on page 88.

Note: You do not need to restart the ACS at this time.

Figure 4-55 Edit the ACS certificate trust list

12. Check all the CAs that the ACS can trust.

13. Deselect all the CAs that the ACS cannot trust. We configured a CA on the ACS server; therefore, we checked the name of that server.

14. Click Submit. See Figure 4-56 on page 89.

Figure 4-56 Certificates to trust

Restart the service, and configure PEAP settings on the ACS

Use the following steps to restart the service and configure PEAP settings.

1. Click System Configuration, and then click Service Control.

2. Click Restart.

3. To configure PEAP settings, click System Configuration → Global Authentication Setup. See Figure 4-57 on page 90.

Figure 4-57 Global authentication setup

4. On the pages shown in Figure 4-58 on page 91 and Figure 4-59 on page 92, check the following two settings:

– Allow EAP-MSCHAPv2

– Allow MS-CHAP Version 2 Authentication

Leave all other settings at the default. You can specify additional settings, such as Enable Fast Reconnect.

5. Click Submit.

Figure 4-58 Configure Cisco ACS PEAP settings - part 1

Figure 4-59 Configure Cisco ACS PEAP settings - part 2

Configure the external user databases

Follow these steps to configure the external user databases. We recommend using Microsoft Windows Active Directory for the external database.

1. Select External User Databases on the left panel. Click Database Configuration → Windows Database. See Figure 4-60 on page 93.

Note: Only ACS 3.2 or later supports PEAP-MS-CHAPv2 with machine authentication to a Windows database.

Figure 4-60 ACS external database

2. Click Configure. Under Configure Domain List, move the IBMWECMLAB domain from Available Domains to Domain List. See Figure 4-61 on page 94.

Figure 4-61 Select domain

3. To enable machine authentication, under Windows EAP Settings, select Enable PEAP machine authentication. Do not change the machine authentication name prefix. Microsoft currently uses “/host” (the default value) to distinguish between user and machine authentication. You can also select Enable password change inside PEAP, but it is not mandatory.

4. Click Submit. See Figure 4-62 on page 95.

Figure 4-62 Enable PEAP machine authentication

Figure 4-63 Select Windows external database

5. As shown in Figure 4-63, make the following changes:

– Click External User Databases in the left panel.

– Click Unknown User Policy.

– Select Check the following external user databases, then use the right arrow button ( -> ) to move Windows Database from External Databases to Selected Databases.

6. Click Submit.

Restart the Service

After you configure the ACS, follow these steps to restart the service.

1. Click System Configuration → Service Control.

2. Click Restart.

4.1.13 Configuring wireless clients for MS-PEAP authentication

Following is the process for configuring MS-PEAP authentication support on the client machines.

1. Join the domain.

2. Manually install the root certificate on the Windows client.

3. Configure IBM Access Connections for MS-PEAP authentication.

Join the Domain

Use the following steps to add the wireless client to the domain.

1. Log in to Windows XP as the local administrator.

2. Access the Control Panel → Performance and Maintenance → System.

3. Select the Computer Name tab, and then click Change.

4. Type the host name in the field for computer name. Select Domain, and then type the name of the domain (IBMWECMLAB in this scenario). See Figure 4-64.

Figure 4-64 Join the domain

5. Click OK.

6. When a login dialog is displayed, join the domain by logging in with an account that has permission to join the domain (see “Add users to Microsoft Active Directory” on page 47).

7. After the computer successfully joins the domain, restart the computer. The machine will be a member of the domain. Since Active Directory is set up by default for machine autoenrollment, the machine has a certificate for the CA installed as well as a certificate for machine authentication.

Manually install the Root Certificate on the Windows client

This step is only necessary if the client does not automatically pull the certificate down to the client PC through autoenrollment. Active Directory is set up by default to push the trusted root certificate down to the client.

Use the following steps to see if the certificate is installed on the client machine.

1. Select Start → Run, and type mmc.

2. Click File → Add/Remove Snap-in.

3. Click Add. See Figure 4-65 on page 98.

Note: To complete these steps, the wireless client must have connectivity to the CA, either through a wired connection or through the wireless connection with 802.1x security disabled.

Figure 4-65 Add a snap-in - 1

4. Select Certificates, and click Add. See Figure 4-66.

Figure 4-66 Add a snap-in - 2

5. Click Close to close the Add Standalone Snap-in window.

6. Click OK on the Add/Remove Snap-in window.

7. Expand Certificates - Current User.

8. Expand Trusted Root Certification Authorities, and click Certificates.

9. Scroll down the window to find the CA that you installed on the ACS server. See Figure 4-67 on page 99.

Figure 4-67 Find installed certificate

10. If your certificate is not in the list, proceed with the next sections to install your certificate. Otherwise, go to “Configure IBM Access Connections V3.53 for MS-PEAP authentication” on page 104.

Windows 2003 Enterprise Certificate Authority

If you are using Windows 2003 Enterprise server as the CA, use the following instructions to install the root certificate on the client machine.

1. Access the CA server by typing the following Web address into a browser: http://root-CA-ip-address/certsrv

You must log on with the Administrator user name and password of the CA server itself.

2. Click Download a CA certificate, certificate chain, or CRL, as shown in Figure 4-68 on page 100.

Figure 4-68 Install certificate - Windows 2003 - 1

3. In the encoding method section, click Base 64, and select Download CA certificate. See Figure 4-69 on page 101.

Figure 4-69 Install certificate - Windows 2003 - 2

4. When the File download page opens, click Open → Install Certificate. See Figure 4-70.

Figure 4-70 Install certificate - Windows 2003 - 3

5. Click Next.

6. When the certificate Import Wizard screen opens, select Automatically select the certificate store based on the type of certificate.

7. Click Next.

8. Click Finish.

Windows 2000 Server Certificate Authority

Use the following steps to install the root certificate on the client machine if you are using a Windows 2000 server CA. If you followed the steps in “Windows 2003 Enterprise Certificate Authority” on page 99 for Windows 2003 Enterprise server, you do not need to perform these steps.

1. On the Windows client machine, open a Web browser.

2. Type the following Web address into the browser address field:

http://root-CA-ip-address/certsrv

In this example, the CA's IP address is 10.66.79.241, as shown in Figure 4-71.

Figure 4-71 Install certificate - Windows 2000 - 1

3. Log into the CA site.

4. Select Retrieve the CA certificate or certification revocation list, and click Next. See Figure 4-72.

Figure 4-72 Install certificate - Windows 2000 - 2

5. Click Download CA certificate to save the certificate on the local machine. See Figure 4-73 on page 103.

Figure 4-73 Install certificate - Windows 2000 - 3

6. Open the certificate, and click Install Certificate. See Figure 4-74.

Figure 4-74 Install certificate - Windows 2000 - 4

7. Install the certificate in Current User/Trusted Root Certificate Authorities.

– Click Next.

– Select Automatically select the certificate store based on the type of the certificate, and click Next.

Note: In the following example, the icon at the top left indicates that the certificate is not yet trusted (installed).

– Click Finish to place the root certificate automatically under Current User/Trusted Root Certificate Authorities.

Configure IBM Access Connections V3.53 for MS-PEAP authentication

Use the following steps to configure a PEAP profile with IBM Access Connections.

1. See “Install Access Connections” on page 66 for information about installing IBM Access Connections if it is not already installed on the client computer.

2. Configure Access Connections to support wireless logon using Windows user ID and password (single sign-on).

3. Start Access Connections, and select Options from the task bar.

4. Select Global Settings.... The window shown in Figure 4-75 is displayed.

Figure 4-75 Configure wireless authentication using Windows log on and password

5. Select Allow wireless authentication using Windows log on user name and password. This requires a system restart.

6. Click OK.

7. After you restart the system, create a profile for PEAP support. Refer to “Configure Access Connections V3.53 for LEAP authentication” on page 66 for information about how to create an Access Connections profile.

Attention: To increase the overall client security while simultaneously simplifying the sign-on process, see Appendix B, “The IBM Embedded Security Subsystem” on page 201. We recommend that you use the IBM Embedded Security System hardware and software to securely store certificates, user IDs, and passwords. Additionally, the integrated fingerprint reader on select ThinkPad models simplifies and further secures the logon process.

8. Open Access Connections, click Manage Location Profiles, and click New.

9. Enter a name for the Location Profile, and click Next.

10. On the Choose Your Switching Rule and Network Adapters page, accept the defaults. This allows Access Connections to select the fastest connection speed when multiple adapters are active and connected to the network. Click Next.

11. On the Edit your TCP/IP Settings page, click Next to obtain an address from DHCP.

12. On the Edit Your Advanced DNS Settings page, click Next to use the defaults.

13. Add the SSID for the Access Point. In this scenario, the SSID for PEAP testing is leap2. For the Wireless Security Type, select Enabled - Use IEEE 802.1x Authentication. This allows you to use PEAP. See Figure 4-76.

Figure 4-76 SSID and security type

14. Click Next.

Figure 4-77 Configure Access Connections PEAP settings

15. On the Edit Your Wireless Network Settings page, shown in Figure 4-77, make the following changes and selections:

– Select Use Access Connections to configure wireless authentication settings.

– In the EAP type drop-down list, select PEAP.

– Select Validate Server Certificate.

– In the Certificate Issuer drop-down list, select the server certificate you imported in step 7 on page 97. We named our server certificate IBMWECMLAB.

– In the Authentication Protocol drop-down list, select MS-CHAP-V2.

– Click Enter user credentials.... See Figure 4-78.

Figure 4-78 Enter user credentials

– Select Use Windows log on user name and password. This enables single sign-on support.

– Click OK.

– Click Next on the Edit Your Wireless Network Settings page to continue configuring Access Connections.

16. Click Next three consecutive times.

17. Save the profile.

Cisco ACS Server, Cisco Access Point, and IBM Access Connections are now configured to support MS-PEAP authentication and encryption.

4.1.14 Verify

This section provides information you can use to confirm that your configuration is working properly.

To verify on the wireless client that it authenticated:

1. On the wireless client, go to Control Panel → Network and Internet Connections → Network Connections.

2. On the menu bar, go to View → Tiles. The wireless connection should display the message “Authentication succeeded.”

To verify on the ACS that wireless clients authenticated:

• On the ACS web interface, go to Reports and Activity → Passed Authentications → Passed Authentications active.csv.

Table 4-2 Client and Access Point security settings

Each entry lists the security feature, the client setting, and the Access Point setting.

Static WEP with open authentication
  Client setting: Create a WEP key and enable Use Static WEP Keys and Open Authentication.
  Access Point setting: Set up and enable WEP and enable Open Authentication for the SSID.

Static WEP with shared authentication
  Client setting: Create a WEP key and enable Use Static WEP keys and Shared Key authentication.
  Access Point setting: Set up and enable WEP and enable Shared Key for the SSID.

LEAP authentication
  Client setting: Enable LEAP.
  Access Point setting: Set up and enable WEP and enable Network-EAP for the SSID.

802.1x authentication and CCKM
  Client setting: Enable LEAP.
  Access Point setting: Select a cipher suite, and enable Network-EAP and CCKM for the SSID. NOTE: To allow both 802.1x clients and non-802.1x clients to use the SSID, enable optional CCKM.

802.1x authentication and WPA
  Client setting: Enable any 802.1x authentication method.
  Access Point setting: Select a cipher suite, and enable Open authentication and WPA for the SSID. You can also enable Network-EAP authentication in addition to or instead of Open authentication. NOTE: To allow both WPA clients and non-WPA clients to use the SSID, enable optional WPA.

802.1x authentication and WPA-PSK
  Client setting: Enable any 802.1x authentication method.
  Access Point setting: Select a cipher suite, and enable Open authentication and WPA for the SSID. You can also enable Network-EAP authentication in addition to or instead of Open authentication. Enter a WPA pre-shared key. NOTE: To allow both WPA clients and non-WPA clients to use the SSID, enable optional WPA.

PEAP authentication
  Client setting (if using Access Connections to configure the card): Enable Host Based EAP, and use Dynamic WEP Keys in ACU. Select Enable network access control using IEEE 802.1x and PEAP as the EAP type in Windows 2000 (with Service Pack 3) or Windows XP.
  Client setting (if using Windows XP to configure the card): Select Enable network access control using IEEE 802.1x and PEAP as the EAP Type.
  Access Point setting (either case): Set up and enable WEP. Enable EAP. Open authentication for the SSID.

EAP-TLS authentication
  Client setting (if using Access Connections to configure the card): Enable Host Based EAP, and use Dynamic WEP Keys in ACU. Select Enable network access control using IEEE 802.1x and PEAP as the EAP type in Windows 2000 (with Service Pack 3) or Windows XP.
  Client setting (if using Windows XP to configure the card): Select Enable network access control using IEEE 802.1x and Smart Card or other Certificate as the EAP Type.
  Access Point setting (either case): Set up and enable WEP. Enable EAP. Open authentication for the SSID.

4.1.15 Troubleshooting

• If you are having a problem with the CSadmin.exe service starting, unplug the APs from the switch when you install ACS.

• If you are having a problem viewing the ACS admin screen, namely if nothing is showing, then make sure that the Security level is set to Medium.

• If you try to configure ACS from the admin page, and you receive “Error on page” errors at the bottom of the screen, make sure that the Java upgrade completed.

• Make sure that the server certificate is using the correct format.

– On the ACS server, go to Start → Run → mmc.

– Click File → Add/Remove Snap-in.

– Click Add, and choose Certificates from the Add Standalone Snap-in screen.

– Click Add, choose Computer account, and click Next.

– Choose Local computer, and click Finish.

– Click Close, and click OK on the Add/Remove Snap-in page.

– Expand Certificates, and expand ACSCertStore.

– Click Certificates, and then select the certificate that shows up. This should be the one that you installed on ACS.

– Double-click the certificate, and choose the Details tab. There should be an Enhanced Key Usage field.
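The two certificate checks this chapter asks for by hand (the note under Figure 4-53: the name typed into ACS must equal the Subject CN, not the issuer CN; and the troubleshooting item above: the certificate must carry an Enhanced Key Usage field) can be applied to an exported .cer file before touching the ACS. The following is an added example and is not code from the Redpaper, IBM or Cisco: a standard-library Python checker that walks the DER encoding directly, reads the Subject CN and the Enhanced Key Usage OIDs, and requires the Server Authentication usage (1.3.6.1.5.5.7.3.1, the usage Windows PEAP clients expect on a server certificate). The names ibmcert and IBMWECMLAB are the scenario's; the sample certificate it builds is a constructed skeleton with a dummy key and signature, so it runs offline.

```python
OID_CN = "2.5.4.3"                     # id-at-commonName
OID_EKU = "2.5.29.37"                  # id-ce-extKeyUsage (Enhanced Key Usage)
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # serverAuth, expected for a PEAP server

# ---- minimal DER encoder, used only to build the constructed sample ----
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def name(cn):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue
    return seq(tlv(0x31, seq(oid(OID_CN), tlv(0x0C, cn.encode()))))

def sample_cert(subject_cn, issuer_cn, ekus=None):  # constructed v3 skeleton
    exts = b""
    if ekus is not None:
        eku = seq(oid(OID_EKU), tlv(0x04, seq(*[oid(e) for e in ekus])))
        exts = tlv(0xA3, seq(eku))                        # [3] extensions
    sha1_rsa = seq(oid("1.2.840.113549.1.1.5"))
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                    # [0] version v3
        tlv(0x02, b"\x01"),                               # serialNumber
        sha1_rsa, name(issuer_cn),
        seq(tlv(0x17, b"050201000000Z"), tlv(0x17, b"060201000000Z")),
        name(subject_cn),
        seq(seq(oid("1.2.840.113549.1.1.1"), tlv(0x05, b"")), tlv(0x03, b"\x00")),
        exts)
    return seq(tbs, sha1_rsa, tlv(0x03, b"\x00"))        # dummy signature

# ---- minimal DER decoder ----
def parse(data):
    """Decode DER into a list of (tag, body, children) nodes."""
    nodes, i = [], 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                                      # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        body, i = data[i:i + n], i + n
        nodes.append((tag, body, parse(body) if tag & 0x20 else None))
    return nodes

def decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def common_name(name_node):
    for _, _, rdn in name_node[2]:                        # each RDN is a SET
        for _, _, atv in rdn:                             # (type OID, value)
            if decode_oid(atv[0][1]) == OID_CN:
                return atv[1][1].decode()
    return None

def extended_key_usages(tbs):
    for tag, _, kids in tbs:
        if tag == 0xA3:                                   # [3] EXPLICIT Extensions
            for _, _, ext in kids[0][2]:
                if decode_oid(ext[0][1]) == OID_EKU:
                    inner = parse(ext[-1][1])             # extnValue OCTET STRING
                    return [decode_oid(o[1]) for o in inner[0][2]]
    return None

def check_acs_cert(der, expected_cn):  # expected_cn: the name typed into ACS
    tbs = parse(der)[0][2][0][2]
    off = 1 if tbs[0][0] == 0xA0 else 0                   # v1 certs omit version
    issuer, subject = common_name(tbs[2 + off]), common_name(tbs[4 + off])
    ekus = extended_key_usages(tbs)
    problems = []
    if subject != expected_cn:                            # compare the Subject CN,
        problems.append(f"subject CN {subject!r} != {expected_cn!r}")  # not the issuer
    if ekus is None:
        problems.append("no Enhanced Key Usage extension")
    elif OID_SERVER_AUTH not in ekus:
        problems.append("Enhanced Key Usage lacks Server Authentication")
    return {"subject_cn": subject, "issuer_cn": issuer, "eku": ekus, "problems": problems}
```

To check a real export, read the .cer bytes (decode the Base 64 form first) and pass them to check_acs_cert together with the name you entered in the Certificate CN field.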

4.1.16 Printers

For wireless printer support, we configured an OTC Wireless, Inc. ACR-201-G 802.11g Wireless Print Adapter for use with an IBM Infoprint 1422 network attached printer. Adding the Wireless Print Adapter to the Infoprint 1422 configuration enables wireless printer communications and allows more flexible placement of the printer in the work environment. For more information about the IBM Infoprint 1422 printer, see Figure 5-6 on page 188.

The Wireless Print Adapter is preconfigured to work with a wireless network that broadcasts the SSID. WEP is not enabled. The Wireless Print Adapter does not support LEAP or PEAP authentication.

We performed the following customization to configure the Wireless Print Adapter for our environment.

1. Use the supplied white straight-through Cat5 cable to temporarily connect the Wireless Print Adapter to your computer's network port.

2. Open a Web browser and type the following Web address in the location field:

http://169.254.98.200

When prompted, type admin as the user name and public as the password.

The page shown in Figure 4-79 on page 110 appears. This is the Administration page. No changes are required on this page.

Note: The computer must have its network card configured for the same subnet as the Wireless Print Adapter to access the device web page.

Figure 4-79 Administration page

3. Select the Wireless tab. The page shown in Figure 4-80 on page 111 appears. This page allows you to set the basic wireless information.

Figure 4-80 Wireless page

4. In the Wireless network name (SSID) field, type the SSID name for your wireless LAN. Click Save, then click the Security tab.

Figure 4-81 Security page

5. The page shown in Figure 4-81 allows you to configure the WEP key used for encryption. The Wireless Print Adapter does not support PEAP authentication. Select the WEP key length, and type the required WEP key. Click Save.

6. You may have to reboot the Wireless Print Adapter. This completes the software configuration.

7. Detach the Wireless Print Adapter from your computer and attach it to the printer using an Ethernet cable.

This completes the configuration of the IBM InfoPrint 1422 printer with the Wireless Print Adapter.

4.2 Scenario 2: Mobile access from home

This scenario expands on the environment configured in scenario 1. It adds the ability to log on to the enterprise intranet from home using a secure virtual private network (VPN) tunnel through the Internet. The primary facilitator for this capability is the addition of WebSphere Everyplace Connection Manager (WECM) software in the intranet to create and manage the VPN tunnels, as illustrated in Figure 4-82.

Figure 4-82 Network configuration for wireless implementation with WECM

4.2.1 Installation planning

This scenario requires the installation of additional software to create the VPN tunnel through the Internet from the home user’s computer to the enterprise intranet.

Install the WebSphere Everyplace Connection Manager (WECM) server software on a server machine within the private intranet or demilitarized zone (DMZ). You must install the WECM client code on all the client machines that access the private intranet from the Internet.

WECM requires LDAP and database software. We installed Open LDAP software that is provided with Red Hat Enterprise Linux, and DB2 Express for database support. We installed this software on the same machine running the WECM server software. If you already have LDAP and database software configured in your environment, then you may be able to configure WECM to use them.

Figure 4-82 labels (diagram text): Windows 2003 Server (Active Directory, Certificate Authority, DNS, DHCP, Cisco Secure ACS RADIUS server); AP1 and AP2; wireless client at HOME; wired intranet; Internet; firewall / router; Red Hat Enterprise Linux (WECM, OpenLDAP); SSID = leap1a; SSID = leap2; addresses 192.168.1.1, 192.168.1.4, 192.168.1.5, 192.168.1.6, 192.168.1.254, 9.9.9.9, 9.9.9.1; VPN = 10.10.10.0

4.2.2 Environment check

An additional server machine is required to run the WECM server software. It is possible that you can install the WECM server software on a currently existing server machine in the private intranet. However, the WECM server is responsible for setting up the VPN tunnels between client computers on the Internet and the WECM server machine. It must be connected to the Internet via a router or firewall to receive client requests to set up a VPN tunnel. So, for security purposes, install the WECM server software on a separate machine to isolate it from the rest of the enterprise intranet.

In addition, the WECM server machine is typically placed in a demilitarized zone (DMZ) to further isolate it from the Internet and corporate intranet. If the LDAP and database server that WECM uses are located in the intranet, ports must be opened in the firewall between the intranet and the DMZ to support WECM LDAP and database traffic.

The WECM server machine must have two network interface cards (NIC):

• One card to connect to the internal network

• One card to connect to the external network (Internet) via a firewall or router

This scenario assumes that the home user already has Internet access from their home location. It does not matter if the home Internet access is via cable or DSL, or if the user implemented a wired or wireless network in their home.

4.2.3 Security considerations

In this and the following scenarios, we are setting up an environment where an employee can access an enterprise network from a non-secure environment: their home, a wireless hotspot at an airport, a train, and so on. Once they establish a connection to an enterprise intranet, all the corporate applications and tools that employee is authorized for are available from that client. Theft of the client ThinkPad, especially while it is connected to the enterprise network, is a major concern.

We recommend that you implement every password and inactivity time out option provided by Windows, WebSphere Everyplace Connection Manager, and other software. This includes:

• Power on password

• Hard drive password

• Screen saver password with minimal idle time trigger

• Minimal application inactivity time out values

• WECM session time out values

4.2.4 Hardware and software to install and configure

The software and hardware configuration we installed in scenario 1 is also required in this scenario. See 4.1.3, “Hardware and software to install and configure” on page 41.

In addition to the software and hardware we configured and installed during scenario 1, we also install and configure the following additional software and hardware.

Hardware

One IBM Eserver xSeries 226 with two network interface cards. This server hosts the WebSphere Everyplace Connection Manager server software. For more information, see 5.3, “IBM Eserver xSeries 226” on page 187.

Software

• Red Hat Enterprise 3.0 Linux

• DB2 V8.2 Express

• WebSphere Everyplace Connection Manager V5.1

4.2.5 Red Hat Enterprise 3.0 Linux installation

WECM server code runs in the Linux environment. We used Red Hat Enterprise 3.0 Linux. Red Hat Enterprise Linux is distributed on four CDs for installation. Insert CD1 and boot the machine from the CD. When installing Red Hat Enterprise 3.0 Linux, make sure that you include and install the following features:

• Install OpenLDAP (see Figure 4-100 and Figure 4-101 on page 124)

• Install glibc libraries (see Figure 4-102 and Figure 4-103 on page 125)

• Install kernel source (see Figure 4-104 and Figure 4-105 on page 126)

The following series of figures details the installation of Red Hat Enterprise 3.0 Linux on an IBM Eserver xSeries 226 server.

Figure 4-83 Begin installation

Press Enter to install Red Hat Enterprise 3.0 Linux on your system.

Figure 4-84 Test the CD media

Often, the CD media can become damaged or scratched. Red Hat provides an option to test the integrity of the CD media. If you choose to perform this task, it can take several minutes. We chose to skip this test. See Figure 4-84.

Figure 4-85 Anaconda installer

The Red Hat Enterprise Linux anaconda installer begins the installation wizard.

Figure 4-86 Red Hat welcome page

After a while, the welcome page for the Red Hat Enterprise Linux installation wizard will be displayed.

Figure 4-87 Language selection

Select the installation language in the window shown in Figure 4-87.

Figure 4-88 Keyboard selection

Select the keyboard layout for this installation.

Figure 4-89 Mouse selection

Select the mouse configuration for this installation.

Figure 4-90 Disk partitioning setup

For simplicity, we chose to automatically partition the system. More advanced users may customize the partitioning to match their specific requirements. However, be sure to read the system requirements for WECM prior to custom partitioning of your system.

Figure 4-91 Remove partitions

We selected to remove all partitions on the system in order to get a clean installation of Red Hat Enterprise Linux. See Figure 4-91.

Figure 4-92 Warning dialog

The WARNING dialog shown in Figure 4-92 will be displayed confirming the deletion of all existing partitions.

Figure 4-93 Partition information

Information on the newly created partition is displayed in Figure 4-93.

Figure 4-94 Boot loader configuration

The default boot loader configuration is sufficient for this installation. More advanced users can perform additional configuration as required.

Figure 4-95 Firewall configuration

For this installation, we disable the firewall until later. See Figure 4-95. After WECM is installed, there will be an additional virtual NIC (Network Interface Card). This is a software implementation of an actual NIC. If you are not a firewall expert, the easiest configuration is to turn off the firewall until WECM is installed and working. At that point, you can configure the firewall accordingly; otherwise the firewall WILL cause problems and prevent WECM from working correctly.

Figure 4-96 Additional language support

For this installation, we do not require any additional languages. See Figure 4-96.

Figure 4-97 Time zone selection


Select your time zone as required as shown in Figure 4-97.

Figure 4-98 Root password

Set the root ID password for your Red Hat Enterprise Linux installation.

Figure 4-99 Reading package information

The system will begin reading software package information. We will not take the default package selections. We must select additional software packages required by WECM.


Figure 4-100 Select Network Servers

By default, the Network Servers package group is not selected. This group must be selected, then click Details. See Figure 4-100.

Figure 4-101 Select OpenLDAP

OpenLDAP is not selected by default. However, OpenLDAP is required by WECM. Select openldap-servers under Optional Packages and click OK.


Figure 4-102 Development Tools selection

Development Tools are not selected by default during installation. However, WECM requires them. Select Details to see more information. See Figure 4-102.

Figure 4-103 glibc libraries

glibc libraries are required to compile a component of WECM installation. Click OK.


Figure 4-104 Kernel Development

Kernel Development is not selected in a default Red Hat Enterprise installation. It is required during WECM installation. Click Details to see what will be installed. See Figure 4-104.

Figure 4-105 Base Packages

kernel-source is required to compile one of the WECM components. Click OK to return.


Figure 4-106 Begin installation

Click Next to begin the installation of Red Hat Enterprise Linux and associated software packages.

Figure 4-107 Format file system

The file system must be formatted.


Figure 4-108 CD 2, CD 3, CD 4

Insert product CD 2, 3 and 4 when requested.

Figure 4-109 CD 1

Insert product CD 1 when requested. This will complete the installation.


Figure 4-110 Graphical Interface Configuration

The installation wizard will attempt to detect and configure the video card installed on the system.

Figure 4-111 Monitor Configuration

The installation wizard will attempt to install and configure the monitor attached to the system.


Figure 4-112 Customize Graphics Configuration

Be careful when changing the graphics configuration if you are not an advanced Linux user. If the resolution is set too high, the graphical login screen may not be displayed.

Figure 4-113 Installation complete

Remove all media and press Enter to reboot the machine.


Figure 4-114 First time setup

The Setup Agent starts after the first system reboot.

Figure 4-115 License Agreement

Select Yes to the License Agreement and click Next.


Figure 4-116 Date and Time

Set the date and time for your system.

Figure 4-117 User Account

It is recommended that you create a system account other than the default root account. We created a system user account named wecmadmin. See Figure 4-117.


Figure 4-118 System registration

If connected to a network, registering your system with Red Hat is the best way to keep the system current with any software package updates. We chose to skip the registration at this point. Advanced users can register their system after installation of WECM.

Figure 4-119 Additional CDs

We did not require any additional CDs for this installation.


Figure 4-120 Finish Setup

This screen confirms completion of the setup wizard.

Figure 4-121 Kernel selection

Select the Red Hat Enterprise Linux kernel during system boot.


Figure 4-122 Log in

Log in using the user account created previously.

Figure 4-123 wecmadmin

This completes the installation of Red Hat Enterprise 3.0 Linux on an IBM Eserver xSeries 226 server.


4.2.6 OpenLDAP configuration

After you install Red Hat Enterprise 3.0 Linux, make the following modifications to the OpenLDAP installation. For further documentation on OpenLDAP, visit the following Web address:

http://www.openldap.org

Make the following modifications.

Figure 4-124 Edit the slapd.conf file

The slapd.conf file is the OpenLDAP configuration file. Edit the slapd.conf file as shown in Figure 4-124. We used the VI editor.

cd /etc/openldap
vi slapd.conf

The VI editor opens as shown in Figure 4-125.


Figure 4-125 slapd.conf file

Make the following changes to the slapd.conf file:

Suffix "dc=wecmsmb"
Rootdn "cn=Manager,dc=wecmsmb"
Rootpw secret

Save and close the slapd.conf file.

In Red Hat Enterprise Linux, OpenLDAP is not configured to automatically start when the machine reboots. We modified this as shown in Figure 4-126.


Figure 4-126 Configure OpenLDAP to start at machine reboot

Use the chkconfig command to automatically start OpenLDAP when the machine reboots:

chkconfig --list (to view the existing service settings)
chkconfig --level 345 ldap on (to change the service setting for OpenLDAP)

We can now start the OpenLDAP service. See Figure 4-127.


Figure 4-127 Start the OpenLDAP service

Use the following command to start the OpenLDAP service:

service ldap start

This completes the configuration of OpenLDAP.
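The slapd.conf edit above stores the rootpw in cleartext. As an added check that is not part of the Redpaper, the following POSIX shell script reads suffix, rootdn and rootpw from a slapd.conf, verifies that the rootdn lies under the suffix, and flags a cleartext rootpw such as the `Rootpw secret` used in this scenario (a `{SSHA}...` value produced by slappasswd passes). The function names are ours and the sample file it writes is constructed.

```shell
#!/bin/sh
# Added example (not from the Redpaper): sanity-check a slapd.conf before slapd
# is started at boot. It verifies that suffix, rootdn and rootpw are set, that
# the rootdn is a DN under the suffix, and that rootpw is a password hash rather
# than cleartext. With the values used in this scenario ("Rootpw secret") the
# check fails; a "{SSHA}..." value produced by slappasswd passes.
# Function names are ours; the sample file at the bottom is constructed.

# Print the value of one directive (name matched case-insensitively),
# with enclosing double quotes removed. Only the first match is printed.
slapd_directive() {
    # $1 = path to slapd.conf, $2 = directive name (e.g. rootdn)
    awk -v key="$2" '
        tolower($1) == tolower(key) {
            sub(/^[^ \t]+[ \t]+/, "")   # drop the directive name and spacing
            gsub(/^"|"$/, "")           # strip surrounding double quotes
            print
            exit
        }' "$1"
}

# Return 0 when the file passes every check, 1 otherwise (problems are printed).
check_slapd_conf() {
    conf="$1"
    status=0
    suffix=$(slapd_directive "$conf" suffix)
    rootdn=$(slapd_directive "$conf" rootdn)
    rootpw=$(slapd_directive "$conf" rootpw)

    for name in suffix rootdn rootpw; do
        eval "val=\$$name"
        if [ -z "$val" ]; then
            echo "ERROR: $name is not set in $conf"
            status=1
        fi
    done
    [ "$status" -eq 0 ] || return 1

    # The rootdn must be the suffix itself or an entry beneath it,
    # otherwise slapd has no administrative DN for this database.
    case "$rootdn" in
        "$suffix" | *",$suffix") ;;
        *)
            echo "ERROR: rootdn '$rootdn' is not under suffix '$suffix'"
            status=1
            ;;
    esac

    # A cleartext rootpw is exposed to anyone who can read slapd.conf.
    # slappasswd emits hashed values of the form {SCHEME}base64.
    case "$rootpw" in
        "{"*"}"?*) ;;
        *)
            echo "WARNING: rootpw is stored in cleartext; use a slappasswd hash"
            status=1
            ;;
    esac
    return "$status"
}

# Constructed sample with the scenario's values; expect the cleartext warning.
sample=$(mktemp)
printf 'Suffix "dc=wecmsmb"\nRootdn "cn=Manager,dc=wecmsmb"\nRootpw secret\n' > "$sample"
check_slapd_conf "$sample" || echo "slapd.conf check failed as expected"
rm -f "$sample"
```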

4.2.7 DB2 8.2 Express installation

DB2 is required to store data from OpenLDAP. The procedure to install DB2 8.2 on Linux is documented in the IBM Redbook Up and Running with DB2 for Linux, SG24-6899. The following figures illustrate a few of the installation steps.


Figure 4-128 DB2 Express setup window

Mount the product CD and run the following command:

db2setup

The window shown in Figure 4-128 will be displayed. Select Install Products. You are then asked to select which product to install (DB2 UDB Express). The DB2 Setup wizard begins, followed by a license agreement window. Finally, the window shown in Figure 4-129 is displayed.


Figure 4-129 Installation type selection

A typical setup is sufficient for WECM. Select Typical and click Next.

The window shown in Figure 4-130 is displayed.


Figure 4-130 DAS password

Select a password for the DB2 Administration Server user. For security purposes, you may want to consider selecting a different, less well-known user ID.

Click Next to proceed to the window shown in Figure 4-131.


Figure 4-131 DB2 instance

The window shown in Figure 4-131 creates a default DB2 instance. It is not used by WECM; however, it is a good test to make sure the installation is successful. You can remove this instance later if you wish. Press Next.


Figure 4-132 DB2 instance owner information

Only a password is required to complete this step.

In a similar manner, the next step of the installation requests a password for the DB2 Fenced user. Fenced user-defined functions (UDFs) and stored procedures execute under the Fenced user and group.

A window showing a summary of what is going to be installed is displayed, followed by an installation progress bar.

The window shown in Figure 4-133 is displayed when DB2 Setup is complete.


Figure 4-133 Post-install steps

The steps on the Post-Install tab are not required for WECM. The Status Report tab identifies whether there were any errors during setup.

Click Finish to complete the DB2 V8.2 Express installation.

4.2.8 WebSphere Everyplace Connection Manager V5.1 installation

See 5.5, “IBM WebSphere Everyplace Connection Manager (WECM)” on page 188 for an overview of WebSphere Everyplace Connection Manager.

You can find additional information about WebSphere Everyplace Connection Manager installation and customization in the IBM Redbook IBM WebSphere Everyplace Connection Manager Version 5 Handbook, SG24-7049.

When installing WECM server on Red Hat Enterprise Linux, include the following packages:

– Connection Manager IP LAN Support

– Connection Manager Mobile Access

– IBM Gatekeeper

WECM server network information

The following data is required to configure the WECM server. The values shown are the values used in our configuration.

– Internal (intranet) WECM static IP address: 192.168.1.4

– External (Internet or DMZ) static IP address: 9.9.9.9

– Hostname: wecm

– Domain: cetd01

4.2.9 WECM server software configuration

The WECM Gatekeeper application configures and manages the WECM server.

1. Configure the WECM server by first installing the WECM Gatekeeper software on a Windows XP client.

2. Create a login profile in the Gatekeeper to connect to the WECM server for configuration purposes.

Gatekeeper profile configuration

After you install the WECM Gatekeeper software on a machine, perform the following steps to define a login profile to connect to the WECM server.

1. When the Gatekeeper is started, the window shown in Figure 4-134 is displayed.

The first time Gatekeeper is started, there are no login profiles defined.

Figure 4-134 Gatekeeper profile selection

2. Click Add Profile... in Figure 4-134 to add a new login profile for the WECM server.

Figure 4-135 Add a login profile

3. As shown in Figure 4-135, we named our login profile WECMTEST and specified the IP address of the WECM server. The default port number is 9555. Do not change it. Click OK. The window shown in Figure 4-136 is displayed.

4. Select the logon profile, and click OK.


Figure 4-136 Select a profile

5. In the window shown in Figure 4-137, type in the Administrator ID and password to connect to the WECM server and click Log In.

Figure 4-137 Login to the WECM server from the Gatekeeper

4.2.10 Create Connection Manager

For each installed WebSphere Everyplace Connection Manager server, you must create a Connection Manager resource. Configuration of the Connection Manager prepares it for the addition of resources later in the configuration steps.

1. The window shown in Figure 4-138 is displayed when the Gatekeeper application successfully connects with the WECM server. Select WECM → Add Resource → Connection Manager to add a connection manager.


Figure 4-138 Create a connection manager

2. If DB2 UDB or a DB2 client is installed, a window is displayed informing you that the connection manager detected DB2 installed on the connection manager machine and that it will use DB2 for persistent storage. In this scenario, DB2 Express is already installed on the WECM server machine. Click Next to continue.


3. The window shown in Figure 4-139 allows you to specify a unique identifier for the WECM server, along with appropriate descriptive information. Click Next to continue.

We chose to identify our WECM server with its intranet IP address.

Figure 4-139 Connection Manager identifier


4. On the following window, you select a database instance name and home directory. See Figure 4-140. We accepted the default DB2 instance name wgdb. Click Next when complete.

In the case where a remote DB2 database is to be used, ensure the following is completed prior to continuing:

– Install DB2 on the intended DB2 host.

– Install a DB2 client on the Connection Manager host.

– Create an instance for the Connection Manager database. When Connection Manager creates this instance, the default instance name is wgdb, as shown in Figure 4-140. Either use the one Connection Manager creates, or create your own. Connection Manager requires that the instance already exist prior to creating the database for a remote connection.

Figure 4-140 DB2 instance ID


5. Select a database name, and specify whether you plan to use a remote or local database for persistent session data for Connection Manager. We used a local DB2 database as shown in Figure 4-141.

Figure 4-141 DB2 database name

6. Click Next to continue.


7. The Connection Manager can store accounting and billing records either in a file or in a DB2 database. We chose to not write any accounting or billing records, as shown in Figure 4-142.

Figure 4-142 WECM accounting and billing records

8. Click Next.


9. Verify the primary Organizational Unit (OU) in which this Connection Manager is being created. See Figure 4-143. We accepted the default OU.

Figure 4-143 Select the primary organizational unit for this Connection Manager

10. Click Next to continue. The wizard uses the configuration information to create a database for persistent session information for the Connection Manager.

After completing the previous steps, the wizard asks if you want to create any Mobile Access services. Mobile Access service provides an encrypted tunnel securing a connection between the Connection Manager and the Mobility Client.

11. If you want to add Mobile Access services to the Connection Manager, click Yes. We selected Yes, as shown in Figure 4-144. If you choose not to define it now, you can add it later.

Figure 4-144 Configure Mobile Access services

Note: The process to create a database and to update the LDAP server takes a little while.


12. Figure 4-144 on page 153 shows the option to start Connection Manager. Click Yes to start the Connection Manager.

Figure 4-145 Start the Connection Manager

Create Mobile Network Interface (MNI)

A Mobile Network Interface is a resource assigned to a Mobile Access Service. It defines an IP subnet, which is a contiguous range of IP addresses or groups of IP addresses, to support the number of Mobility Clients and mobile devices that can concurrently connect to the Mobile Access Services.

WebSphere Everyplace Connection Manager implements Mobile Network Interfaces through which the operating system IP layer on the WECM machine communicates with all supported wireless dial or wireline networks. The platform controls one or more IP subnets of users whose traffic is routed through the appropriate MNI.

During initial WECM configuration using the Gatekeeper, the message shown in Figure 4-146 appears after you configure and start the Connection Manager.

1. The message asks if you want to continue the WECM configuration by adding a Mobile Network Interface (MNI) to this Mobile Access Service. Click Yes. A window reviewing the MNI functions and definition requirements is displayed.

Figure 4-146 Add an MNI to Mobile Access Service

2. Click Next.


3. Define the VPN IP subnet you plan to use to communicate with Mobility Clients. We defined private IP subnetwork 10.10.10.0 for our VPN subnet address.

In the Network interface adapter to bind field, shown in Figure 4-147, select the IP address on the WECM server that is connected to the corporate intranet. In our configuration, the IP address on the corporate intranet is 192.168.1.4.

Figure 4-147 MNI VPN subnet

4. Click Next.

5. DNS and WINS negotiation are defined in the next window. We disabled both of these negotiations. Click Next to continue.


6. Add a routing table entry to each Mobility Client to define how the client can reach resources in your corporate network. As shown in Figure 4-148, check Enable routing table entry negotiation. Type the IP address of your corporate network in the IP address box field, and click Add.

Figure 4-148 Define network routes for Mobility Clients

7. Click Next to finish the MNI definition.

Mobile Network Connection (MNC)

After adding the Mobile Network Interface, add a Mobile Network Connection to provide the interface between the Connection Manager and the wireless network. The MNC becomes a means for communication between the Connection Manager and the network provider of Mobility Clients and mobile devices.

A Mobile Network Connection is a resource assigned to the Connection Manager. It defines a specific type of network connection. The MNC consists of a line driver, a network protocol interpreter, and one or more physical ports. You configure one MNC for each network provider that you plan to use. In this scenario, where we connect to our clients via an IP-based network, we require only one MNC.

During initial WECM configuration using the Gatekeeper, the window shown in Figure 4-149 on page 157 is displayed after you configure the MNI.


1. The message in Figure 4-149 asks if you want to continue the WECM configuration by adding a Mobile Network Connection (MNC) to this Mobile Access Service. Click Yes.

Figure 4-149 Add an MNC to Mobile Access Service

2. In our configuration, we connect to our Mobility Clients using an IP LAN-based network. As shown in Figure 4-150, select ip-lan, and click OK.

Figure 4-150 IP LAN MNC type


3. The window shown in Figure 4-151 allows you to add a description for this MNC and defines the UDP port that the MNC listens on. The default port number is 8889. Accept this port number. Click Next to continue.

Figure 4-151 MNC UDP port number

Note: If there is a firewall between the WECM server and your IP network service provider, ensure that the port specified here is open on the firewall.

4. Select available to set the current state of the MNC.

5. Click Finish.

Network Address Translator (NAT)

A WECM Network Address Translator (NAT) is a resource assigned to an MNI. You use the NAT to redirect traffic through a specified subnetwork represented by an MNI. NAT lets the Connection Manager act as an agent between a public network and a private corporate network. In a corporate network where traffic only originates or terminates inside the network, very few hosts need globally unique IP addresses. This means that a single unique IP address within the corporate network is enough to represent an entire group of Mobility Clients.

The NAT defines a range of unique IP source addresses, then randomly assigns each packet originating from a Mobility Client to a port number (1024 through 65535). The NAT keeps the mapping of the packet to the port number in a translation table for the duration of a TCP session, or until a timeout occurs for a TCP session or UDP connection.


Use the following instructions to configure a NAT:

1. While in the Gatekeeper, select WECM → Add Resource → Network address translator to add a NAT, as shown in Figure 4-152.

Figure 4-152 Add a NAT

2. Select Enable proxy-arp for NAT addresses. In the Configuration mode section, select the Static IP address button, as shown in Figure 4-153 on page 160.

In this scenario, we use a single IP address for all Mobility Client sessions. Select the Single button, and add the IP address in the IP address field. We added an IP address of 192.169.1.3.

Note: This address must be a valid IP address on your corporate intranet.


Figure 4-153 Specify NAT IP address

3. Click Next to continue.


4. Specify an IP address or range of IP addresses within the MNI VPN subnet to which the NAT applies. In this scenario, the NAT applies to all IP addresses in our MNI, so we left all fields blank, as shown in Figure 4-154.

Figure 4-154 NAT MNI IP address range

5. Click Next.

6. A NAT can be grouped into packet mapping groups for manageability. A window is displayed that allows you to specify a packet mapping group for this NAT. We did not add the NAT to any group. Click Next to continue.


7. Verify the primary Organizational Unit (OU) in which this Network Address Translator is being created. See Figure 4-155. We accepted the default OU.

Figure 4-155 Select the primary organizational unit for this Network Address Translator

8. Click Finish to continue.

9. After creating the NAT resources, you must update the MNI to associate the NAT definitions with the MNI as illustrated in Figure 4-156 on page 163. This process binds our static NAT address of 192.168.1.3 to the MNI IP address of 192.168.1.4 (refer to Figure 4-147 on page 155).

– Select the MNI created in previous steps (mn0 in Figure 4-156 on page 163).

– Select the Security tab in the MNI display window, as shown in Figure 4-156 on page 163.

– Check the Network address translator in the Packet mapping selection area.


Figure 4-156 Bind NAT to MNI

4.2.11 Add secondary authentication

Remote users accessing the corporate intranet must be authenticated through the RADIUS server similar to the way local intranet wireless users are authenticated.

Create a RADIUS authentication profile within WECM to define the WECM server to the Cisco ACS RADIUS server using the following instructions.


1. While in the Gatekeeper, select WECM → Add Resource → Authentication profile → RADIUS authentication to define a RADIUS server. See Figure 4-157.

Figure 4-157 WECM RADIUS authentication - 1


2. In this scenario, we challenge the Mobility Client users for a user ID and password. Select Challenge user for user ID and password as shown in Figure 4-158. You can also enter a name to use to reference the RADIUS server in the Common name field.

Figure 4-158 WECM RADIUS authentication - 2

3. Click Next.


4. As shown in Figure 4-159, type the IP address of the RADIUS server (192.168.1.1 in this scenario). Do not change the RADIUS port number of 1645. This is the default port number. Type the RADIUS shared secret (cisco in this scenario).

Figure 4-159 WECM RADIUS authentication - 3

Note: The shared secret value must match the key value used when defining this WECM server to ACS as an AAA client. See Figure 4-162 on page 169.

5. Click Next.

6. Do not enable LTPA when given the option on follow-on windows. Click Next until completed.

4.2.12 Associate the profiles

We must now associate the secondary authentication profile created in the previous steps with the Mobile Network Connection (MNC) profile created in Figure 4-151 on page 158.


1. While in the Gatekeeper, select WECM → Default Resource → Connection profile to display the connection profiles. See Figure 4-160.

Figure 4-160 Connection profiles

2. As shown in Figure 4-160, select the IP profile defined previously (see Figure 4-151 on page 158) and click Properties.

3. The Connection profile - IP profile window is displayed. Select the Security tab as shown in Figure 4-161.


Figure 4-161

4. In the Secondary authentication profile field, select CiscoACS from the pulldown list. CiscoACS is the common name we chose for the secondary authentication profile. See Figure 4-158 on page 165.

5. Select Apply to complete the association.

4.2.13 Cisco ACS server

Add the WECM server to the ACS network configuration as an AAA client. This allows the ACS RADIUS server to perform authentication for users logging on to the intranet from the Internet using WECM.

1. Log on to the ACS server utility.

2. Select Network Configuration, and add an AAA client definition for the WECM server. See Figure 4-162.


Figure 4-162 Add AAA client to ACS for WECM server

a. Make sure the AAA Client Hostname matches the host name of the WECM server.

b. Type the internal (intranet) IP address of the WECM server as the value for the AAA Client IP Address.

c. Make sure the value of Key matches the value set when creating the RADIUS Authentication Profile in the WECM server.

d. Select RADIUS (IETF) for the Authenticate Using drop-down value.

e. Click Submit to save this AAA client.
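The Key configured for the AAA client is the RADIUS shared secret, and it is the one value in this list whose mismatch is not reported as a configuration error by either side: the secret never travels on the wire, so a wrong Key simply shows up as every user being rejected. The following is an added example, not code from the Redpaper, WECM or Cisco Secure ACS, that reproduces the RFC 2865 mechanics behind that behaviour: the secret is mixed into the MD5 keystream that hides the User-Password attribute and into the Response Authenticator the NAS uses to check the server's reply. The user name, secrets and the NAS address 192.168.1.4 are constructed sample values.

```python
"""RADIUS shared-secret mechanics (RFC 2865), as a worked example.

Added example, not code from the Redpaper, WECM or Cisco Secure ACS.
It shows why the Key entered for the AAA client in ACS must equal the
secret in the WECM RADIUS authentication profile. All secrets, names
and addresses below are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_user_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_user_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server-side inverse. With the wrong secret the result is garbage, which is
    what the RADIUS server sees when the AAA client Key does not match."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type, Length (including the 2-octet header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    """Walk the attribute list after the 20-octet header; first occurrence wins."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.setdefault(attr_type, packet[pos + 2:pos + length])
        pos += length
    return attrs


def build_access_request(secret, identifier, user, password, nas_ip, request_auth=None):
    """NAS side (here: the WECM server): Code, Identifier, Length, Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)  # fresh random value per request
    attrs = (encode_attr(ATTR_USER_NAME, user.encode())
             + encode_attr(ATTR_USER_PASSWORD, hide_user_password(secret, request_auth, password.encode()))
             + encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def build_response(secret, code, request, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(secret, request, response) -> bool:
    """NAS side: recompute the Response Authenticator with its own copy of the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, attrs = response[:4], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def simulate_exchange(client_secret: bytes, server_secret: bytes, password: str) -> dict:
    """One Access-Request round trip between a NAS holding client_secret and a
    server holding server_secret; the server knows the user's real password."""
    request = build_access_request(client_secret, 7, "jdoe", password, "192.168.1.4")
    attrs = parse_attrs(request)
    seen = reveal_user_password(server_secret, request[4:20], attrs[ATTR_USER_PASSWORD])
    code = ACCESS_ACCEPT if seen == password.encode() else ACCESS_REJECT
    response = build_response(server_secret, code, request)
    return {"password_recovered": seen == password.encode(),
            "code": code,
            "reply_verified_by_client": verify_response(client_secret, request, response)}


if __name__ == "__main__":
    print(simulate_exchange(b"sample-key", b"sample-key", "pa55word"))  # Accept, reply verified
    print(simulate_exchange(b"sample-key", b"sample-kay", "pa55word"))  # Reject, reply not verified
```

The second call shows the failure mode to look for when every logon through WECM is rejected after the AAA client is added: the server decodes a garbage password and answers Access-Reject, and the NAS cannot even verify that reply because its Response Authenticator was computed with a different secret. Comparing the two Key values, and the AAA Client IP Address against the address the request actually arrives from, is the first check.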

4.2.14 WebSphere Everyplace Connection Manager V5.1 mobility client

Install and configure the WECM mobility client code to communicate with the WECM server on each client computer. The Mobility Client software runs locally on your mobile device, and provides a full-function interface to communicate with Connection Manager. After authenticating to the Connection Manager, a VPN is established and the device securely joins the enterprise intranet. The Connection Manager supports standard IP routing even over non-IP wireless bearer networks to ensure unbroken, end-to-end TCP sessions between mobile devices and application servers.


WECM mobility client software installation

The WECM mobility client is included with the WECM server distribution media and is located in f:\client\Win32\ on the product CD. The file name is WC_Win32.exe. Use the following instructions to install the WECM mobility client software.

1. To begin the WECM mobility client installation, execute the WC_Win32.exe shown in Figure 4-163.

Figure 4-163 WECM mobility client installation executable

A series of windows are displayed that indicate install status, and request a destination folder to install the product.

2. After a while, the window shown in Figure 4-164 is displayed. Select Typical to install all the components.

Figure 4-164 WECM setup type


3. The installation process installs the IBM Mobility Client Interface device driver. When prompted to install the device driver, click Yes or Continue Anyway, as shown in Figure 4-165.

Figure 4-165 Windows Logo testing message

4. When the window shown in Figure 4-166 is displayed, the WECM mobility client installation is complete. You can launch the mobility client now to create a mobile connection, or you can create a mobile connection at a later time.

Figure 4-166 Install of WECM Mobility Client completed

WECM mobility client configuration

Configure a mobility client connection for each WECM server to which the client computer connects.

You can configure a mobility client connection during the WECM Mobility Client installation process. You can also configure a mobility client connection using the following steps.

Important: Locate the IP address of the WECM server before you configure the mobility client.


1. Select Start → All Programs → IBM Mobility Client → Connections. The window shown in Figure 4-167 is displayed.

Figure 4-167 Create a mobility connection

The Mobility Connections window, shown in Figure 4-167, lists all the mobility connections that are defined on that client computer.

2. Select Create Connection to create a new connection. The window shown in Figure 4-168 is displayed.

Figure 4-168 Create Connection window

3. Type the name of the connection you are about to define. In our example, we chose WECMTEST.

4. Press Next to continue. The Select a Network window shown in Figure 4-169 is displayed.


Figure 4-169 Select a Network window

5. Select the network type (or types) that this connection intends to use to connect to the WECM server. Make sure that the physical network adapters are installed for each network type selected. For a wireless broadband connection using IP, select IP, WiFi, GPRS, 1xRTT, Broadband.

6. Press Next to continue. The IP Based window shown in Figure 4-170 is displayed if you selected IP, WiFi, GPRS, 1xRTT, Broadband in Figure 4-169.

Figure 4-170 WECM server IP address

7. Type the IP address used to access the WECM connection manager machine into the address field, as shown in Figure 4-170. This may be an address on the connection manager machine. However, it is more likely an IP address on the enterprise firewall or router that is forwarded to the WECM connection manager machine. Obtain this IP address from your network administrator.

8. Click Advanced to continue. The window shown in Figure 4-171 appears, where you can select the network interface the Connection Manager can use.


9. We use IBM Access Connections to manage our IP interface; therefore, select Default Local IP Interface. This allows the WECM mobility client to use whatever IP interface IBM Access Connections sets up.

Figure 4-171 Network interface selection

10. Press Next to continue. A window to complete the configuration is displayed.

11. Press Next to continue. The final window of the configuration process appears. See Figure 4-172.

12. Click Yes to start the Mobility Client using the connection just defined.

Figure 4-172 Start the mobile connection

4.2.15 Access Connections V3.53

IBM Access Connections is used on the client computer to seamlessly manage the physical network connection. If multiple physical network interfaces are available (wired ethernet, wireless 802.11x ethernet), Access Connections selects the active network interface with the fastest connection speed to be the active IP interface.

• Refer to 4.1.11, “IBM Access Connections V3.53” on page 65 for detailed installation instructions.

• See 5.2.2, “IBM Access Connections” on page 184 for an overview of Access Connections.

• Review Appendix A, “Deploying Access Connections” on page 191 for more information about Access Connection profile management.

Important: When you start the WECM mobility client, it initiates a session with the WECM server. If you are running firewall software on your client, you may receive a message stating that an application is attempting to initiate an outbound connection. Permit this connection to start.


Change the Access Connections profile created for PEAP support (see “Configure IBM Access Connections V3.53 for MS-PEAP authentication” on page 104). This change allows Access Connections to automatically start the WebSphere Everyplace Connection Manager mobility client when this profile is selected.

1. Open Access Connections, and click Manage Location Profiles.

2. Select your PEAP profile, and click Edit....

3. Select VPN from the list of tabs across the top. The window shown in Figure 4-173 is displayed.

Figure 4-173 Use VPN connection for Access Connections profile

4. Select Use VPN connection with this location profile.

5. Select I use IBM Mobility Client provided by my company.

6. Click Select Mobility Client profile... to select the WECM mobility client profile created in the previous section.

7. Click OK, and then save the updated Access Connections profile.

Important: When the WECM mobility client is started, it initiates a session with the WECM server. If you are running firewall software on your client, you may receive a message stating that an application is attempting to initiate an outbound connection. Permit this connection to start.


4.3 Scenario 3: Mobile access from hot spots

This scenario uses the same hardware and software infrastructure created in 4.2, “Scenario 2: Mobile access from home” on page 113. The only difference is that mobile access is from a wireless hot spot such as an airport or local establishment that provides wireless access on their premises, as illustrated in Figure 4-174.

Figure 4-174 Intranet access from a wireless hot spot

4.3.1 Security considerations

In this scenario, we set up an environment where an employee can access an enterprise network from a non-secure environment: their home, a wireless hotspot at an airport, a train, and so on. Once they establish a connection to an enterprise intranet, all the corporate applications and tools that employee is authorized for are available from that client. Theft of the client ThinkPad, especially while it is connected to the enterprise network, is a major concern.

Implement every password and inactivity time out option provided by Windows, WebSphere Everyplace Connection Manager, and other software. This includes:

• Power on password

• Hard drive password

• Screen saver password with minimal idle time trigger

• Minimal application inactivity time out values

• WECM session time out values

[Figure 4-174 diagram labels: Wireless Client at HOT SPOT; Internet; Firewall / router; Wired intranet with AP1 and AP2 (SSID = leap1a, SSID = leap2); Windows 2003 Server running Active Directory, Certificate Authority, DNS, DHCP and Cisco Secure ACS RADIUS server; Red Hat Enterprise Linux server running WECM and OpenLDAP; addresses shown: 192.168.1.1, 192.168.1.5, 192.168.1.6, 192.168.1.254, 192.168.1.4, 9.9.9.9, 9.9.9.1; VPN = 10.10.10.0]

4.4 Scenario 4: Mobile access via WAN

This scenario uses the same hardware and software infrastructure created in 4.2, “Scenario 2: Mobile access from home” on page 113. The only difference is that the client computer uses a wireless WAN card to access the Internet via a wireless WAN connection, as illustrated in Figure 4-175.

Figure 4-175 Intranet access from a wireless WAN card

[Figure 4-175 diagram labels: Wireless Client on WWAN; Internet; Firewall / router; Wired intranet with AP1 and AP2 (SSID = leap1a, SSID = leap2); Windows 2003 Server running Active Directory, Certificate Authority, DNS, DHCP and Cisco Secure ACS RADIUS server; Red Hat Enterprise Linux server running WECM and OpenLDAP; addresses shown: 192.168.1.1, 192.168.1.5, 192.168.1.6, 192.168.1.254, 192.168.1.4, 9.9.9.9, 9.9.9.1; VPN = 10.10.10.0]

Chapter 5. Components, product details, and supporting material

This chapter provides additional product detail on the hardware and software components discussed in the previous chapters. Additionally, we include Web addresses for many of the product descriptions where you can get even more product details.


5.1 Cisco components

The following sections provide details and Web sites for additional information about the Cisco hardware and software presented in this Redpaper.

5.1.1 Cisco Secure Access Control Server V3.3.1

Cisco Secure Access Control Server (ACS) for Windows provides a centralized identity networking solution and a simplified user management experience across all Cisco devices and security management applications. Cisco Secure ACS helps to ensure enforcement of assigned policies by allowing network administrators to control the following things:

• Who can log into the network

• The privileges each user has in the network

• Recorded security audit or account billing information

• Access and command controls that are enabled for each configuration's administrator

With Cisco Secure ACS, you can manage and administer user access for Cisco IOS® routers, virtual private networks (VPNs), firewalls, dial-up and DSL connections, cable access solutions, storage, content, voice over IP (VoIP), Cisco wireless solutions, and Cisco Catalyst® switches using IEEE 802.1x access control.

For more information, visit the following Web sites:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_data_sheet09186a00800887d5.html

http://www.cisco.com/en/US/products/ps5917/index.html

The Recommended Resources for the Cisco Secure ACS User document presents links to a variety of documents that help users of Cisco Secure Access Control Server. You can see this document at the following Web site:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_technical_reference09186a00801c7424.html

5.1.2 Cisco Aironet 1130AG Series IEEE 802.11A/B/G Access Point

Cisco® Aironet® 1130AG Series IEEE 802.11a/b/g access points provide high-capacity, high-security, enterprise-class features in an unobtrusive, office-class design, delivering WLAN access with the lowest total cost of ownership. With high-performing dual IEEE 802.11a and 802.11g radios, the Cisco Aironet 1130AG Series provides a combined capacity of up to 108 Mbps to meet the needs of growing WLANs. Hardware-assisted Advanced Encryption Standard (AES) or Temporal Key Integrity Protocol (TKIP) encryption provides uncompromised support for interoperable IEEE 802.11i, Wi-Fi Protected Access 2 (WPA2) or WPA security. Supporting Cisco IOS Software, the Cisco Aironet 1130AG Series is a component of the Cisco Structured Wireless-Aware Network (SWAN) framework, which is a comprehensive framework that delivers an integrated, end-to-end wired and wireless network. Using the radio and network management features of the Cisco SWAN framework for simplified deployment, along with built-in omnidirectional antennas that provide robust and predictable WLAN coverage for offices and similar RF environments, the competitively priced Cisco Aironet 1130AG Series is ready to install and easy to manage, reducing the cost of deployment and ongoing maintenance.

The hardware-accelerated AES encryption of Cisco Aironet 1130AG Series access points supports enterprise-class, government-grade secure encryption over the WLAN without compromising performance. IEEE 802.1X authentication helps to ensure that only authorized users are allowed in the network. Backward compatibility for WPA client devices running TKIP, which is based on the RC4 encryption algorithm, is also supported by the Cisco Aironet 1130AG access point.

For more information, visit the following Web site:

http://www.cisco.com/en/US/products/ps6087/products_data_sheet0900aecd801b9058.html

The Quick Start Guide Cisco Aironet 1130AG Access Point is available at the following Web site:

http://www.cisco.com/en/US/products/ps6087/products_quick_start09186a00803388d1.html

The Cisco Aironet 1130AG Series Ordering Guide is available at the following Web site:

http://www.cisco.com/en/US/products/ps6087/products_data_sheet0900aecd801b901c.html

5.1.3 Cisco 2800 Integrated Services Router

Cisco Systems, Inc. is redefining best-in-class enterprise and small-to-midsize business routing with a new line of integrated services routers that are optimized for the secure, wire-speed delivery of concurrent data, voice, and video services. The Cisco® 2800 Series of integrated services routers, as shown in Figure 5-1, intelligently embeds data, security, and voice services into a single, resilient system for fast, scalable delivery of mission-critical business applications. The unique integrated systems architecture of the Cisco 2800 Series delivers maximum business agility and investment protection.

Figure 5-1 Cisco 2800 Series

The Cisco 2800 Series comprises four new platforms: the Cisco 2801, the Cisco 2811, the Cisco 2821, and the Cisco 2851. The Cisco 2800 Series provides significant additional value compared to prior generations of Cisco routers at similar price points by offering up to a five-fold performance improvement, up to a tenfold increase in security and voice performance, new embedded service options, and dramatically increased slot performance and density. It also maintains support for most of the more than 90 existing modules that are available today for the Cisco 1700, Cisco 2600, and Cisco 3700 Series.

The Cisco 2800 Series features the ability to deliver multiple high-quality simultaneous services at wire speed up to multiple T1/E1/xDSL connections. The routers offer the following items:

• Embedded encryption acceleration and on-motherboard voice digital-signal-processor (DSP) slots

• Intrusion prevention system (IPS) and firewall functions

• Optional integrated call processing and voice mail support

• High-density interfaces for a wide range of connectivity requirements

• Sufficient performance and slot density for future network expansion requirements and advanced applications

Cisco 2800 security

Security has become a fundamental building block of any network. Routers play an important role in any network defense strategy because security needs to be embedded throughout the network. The Cisco 2800 Series features advanced, integrated, end-to-end security for the delivery of converged services and applications.

With the Cisco IOS® Software Advanced Security feature set, the Cisco 2800 provides a robust array of common security features such as a Cisco IOS Software Firewall, intrusion prevention, IPsec VPN, Secure Shell (SSH) Protocol Version 2.0, and Simple Network Management Protocol (SNMPv3) in one secure solution set. Additionally, by integrating security functions directly onto the router itself, Cisco can provide unique intelligent security solutions other security devices cannot, such as Network Admission Control (NAC) for antivirus defense, Voice and Video Enabled VPN (V3PN) for quality-of-service (QoS) enforcement when combining voice, video, and VPN, and Dynamic Multipoint VPN (DMVPN) and Easy VPN for enabling more scalable and manageable VPN networks.

Cisco also offers a range of security acceleration hardware such as the intrusion-prevention network modules and advanced integration modules (AIM) for encryption, which makes the Cisco 2800 Series the industry's most robust and adaptable security solution available for branch offices. Using a Cisco 2800 Series uniquely enables customers to deliver concurrent, mission-critical data, voice, and video applications with integrated, end-to-end security at wire-speed performance.

For more information, visit the following Web sites:

• Cisco 2800 Series Integrated Services Routers data sheet

http://www.cisco.com/en/US/products/ps5854/products_data_sheet0900aecd8016fa68.html

• Cisco 2800 Series Integrated Services Routers Q&A

http://www.cisco.com/en/US/products/ps5854/products_qanda_item0900aecd80169bd6.shtml

• Cisco EtherSwitch 4- and 9-Port High-Speed WAN Interface Cards

http://www.cisco.com/en/US/products/ps5854/products_data_sheet0900aecd8016bf0b.html

• Cisco EtherSwitch 4- and 9-Port High-Speed WAN Interface Cards Q&A

http://www.cisco.com/en/US/products/ps5854/products_qanda_item0900aecd8016c026.shtml

• Wireless Services on the Cisco 2800 and 3800 Series Integrated Services Routers

http://www.cisco.com/en/US/products/ps5854/products_data_sheet0900aecd8016ef57.html

5.2 IBM components

The following sections provide details and Web sites for additional information about the IBM hardware and software presented in this Redpaper.


5.2.1 IBM ThinkPad models T, X, R

IBM offers a wide range of ThinkPad notebook computers, from ultra-portables to desktop alternatives. Known for their classic design and award-winning quality, ThinkPad notebooks offer outstanding performance and flexibility to meet your mobile computing needs. Select models offer the strongest security available as a standard feature, the easiest connectivity and outstanding wireless performance with Intel Centrino Mobile Technology.

X Series ThinkPads

X Series ThinkPads are ultra-light and ultra-thin for powerful computing to fit even the smallest carry-on. Intel Centrino™ Mobile Technology (select models), full expansion capabilities, and a full-size keyboard provide an ideal all-day computing solution for business movers and shakers.

• Xtreme portability

• Starting at 2.7 lbs/1.23 kg

• Available with 12" LCD

• Ultimate mobility in a versatile ultra portable

Figure 5-2 X Series ThinkPad

T Series ThinkPads

When employees work in the office, on the road and everywhere in between, they need security and power. Select T42 and T43 notebooks offer an integrated fingerprint reader. This series also features a modular bay, UltraConnect™ Wireless Antennas and Intel Centrino Mobile Technology (select models).

• Thin and light for travel

• Starting at 4.5 lbs/2.05 kg

• Available with 14” & 15” LCD

• Perfect balance of performance and portability

Figure 5-3 T Series ThinkPad


R Series ThinkPads

The R Series ThinkPad is powerful computing that the accountants will love. This series suits frequently mobile users who want ready-to-run computing. It is designed to deliver the essential features they need for versatility, power and portability, including Intel Centrino™ Mobile Technology (select models).

• Essential mobility

• Starting at 5.6 lbs/2.6 kg

• Available with 14" & 15” LCD

• Mainstream performance and features

Figure 5-4 R Series ThinkPad

5.2.2 IBM Access Connections

IBM Access Connections is a ThinkVantage Technology that makes finding, connecting to and switching between wired and wireless networks easy, so you can easily manage connectivity wherever work takes you—without wasting time on the phone with your help desk.

Access Connections gives you a one-stop interface so you can manage your connectivity and wireless security settings in one program—there is no need to run another utility. For example, if your ThinkPad notebook is equipped with the new IBM 11a/b/g Wi-Fi wireless adapter, you can choose between no security, Wired Equivalent Privacy (WEP) encryption, 802.1x (EAP-TLS) authentication, Wi-Fi Protected Access (WPA), or Cisco LEAP.

After you save the basic settings for your various profiles, following are some of the ways IBM Access Connections can help you get — and stay — connected:

• Automatically manages your basic network connections, even if you use static and dynamic IP addresses in different locations

• Manages your printing by automatically reassigning the Microsoft Windows default printer to match your location, so you can quickly get your printout on your preferred printer

• Automatically adjusts your network configuration to match the IT needs of each location. For example:

– At what locations do you need to use a Virtual Private Network, or any other application?

– When do you need File and Printer Sharing, Internet Sharing and Internet Connection Firewall enabled or disabled?

– Do you need a proxy server for browsing, or do you need to change your Internet Explorer home page?

– What about other connection choices such as wireless WAN (cellular), modem, or Bluetooth® wireless technology?


Once your profiles are created, getting connected is simply a matter of selecting a profile and letting Access Connections do the rest. Even when you move between a WLAN and a wired LAN, Access Connections is smart enough to make the appropriate connection. Access Connections takes the hassle out of “getting connected” whether you are an individual PC user or a network administrator.

IBM Access Connections is also designed for easy administration. A network administrator can build unique “Connectivity Profiles” for any location (home, office, travel), for any network adapter (WLAN, WAN, Ethernet, and Bluetooth wireless), and in any combination. These profiles can then be remotely deployed, greatly simplifying the task.

IBM Access Connections works with Microsoft Windows XP and 2000 and is installed on all new IBM ThinkPad notebooks.

For more information about IBM Access Connections, go to the following Web site:

http://www.pc.ibm.com/us/think/thinkvantagetech/accessconnections.html

5.2.3 IBM Embedded Security System (ESS)

The IBM Embedded Security Subsystem is a ThinkVantage Technology that is available on select ThinkPad and ThinkCentre systems. The subsystem consists of an integrated security chip and downloadable IBM Client Security Software. Together, they provide a higher level of security with hardware and software-based technology that lets you “lock” your data.

This hardware and software-based technology protects your company information, including vital security information like passwords, encryption keys, and electronic credentials, while guarding against unauthorized user access. This level of security is critical for both desktop and notebook systems. In fact, you cannot get a higher level of security as a standard feature on a PC from any other manufacturer.

IBM provides enhanced security for both wired and wireless networks. In both cases, the Embedded Security Subsystem ensures secure data and communications by providing a hardware and software-based architecture that provides better protection for sensitive keys, identity information, and confidential data. Further, for wireless networks, the Embedded Security Subsystem hardware provides enhanced authentication and session confidentiality by concealing authentication credentials for industry-standard 802.1x protocols and Cisco LEAP.

You can use the new IBM Integrated Fingerprint Reader, available on select ThinkPad models, with the Embedded Security System for wireless authentication.

To learn more about IBM Embedded Security System, go to the following URL:

http://www.pc.ibm.com/us/think/thinkvantagetech/security.html

5.2.4 Advantages of ThinkVantage Technologies

ThinkVantage Technologies help customers become more competitive and on demand by delivering industry-leading capabilities that improve productivity and reduce cost. These tools help make IBM personal computers less dependent on IT staff or user intervention for basic tasks like deployment, backup, security (select models), and more. This frees users and IT staff to focus on business success.

• Access IBM guides you to a host of information and tools to help you set up, understand, maintain, and enhance your IBM ThinkPad® notebook or ThinkCentre™ desktop.


• IBM Access Connections allows you to easily shift between wireless and wired networks— a single interface to assist with connectivity in your home, office, or on the road.

• IBM Rescue and Recovery is a one-button recovery and restore solution that includes a set of self recovery tools to help users diagnose, get help, and recover from system crashes quickly, even if the primary operating system will not boot.

• IBM Embedded Security Subsystem and IBM Client Security Software is a unique hardware-software combination that helps protect your company information, including vital security information like passwords, encryption keys, and electronic credentials, while guarding against unauthorized user access to data.

• IBM Active Protection System is available on many ThinkPad X, T, and R Series models. It features an integrated motion sensor that continuously monitors movement of the ThinkPad notebook. Like an airbag's sensor, it can detect sudden changes in motion and temporarily stop the hard drive to help protect your valuable data from some crashes that could occur due to everyday notebook accidents. This ThinkVantage Technology provides up to four times greater impact protection than systems without this feature, thereby helping to decrease employee down-time and reduce support cost.

• IBM Secure Data Disposal makes erasing confidential information off a disk drive fast and simple and the data irretrievable.

• IBM System Migration Assistant helps get your end-users up and running by quickly and accurately migrating their individual data and settings to their new IBM systems—which are then familiar and ready to go. It is ideal for a large corporation that moves hundreds of users' data over an enterprise network, or a small business with just a few systems in a peer-to-peer environment.

• IBM ImageUltra Builder helps simplify image creation, deployment, and management. It allows you to build and deploy even just a single image across your enterprise. By combining multiple languages, applications, and operating systems into a single hard drive image, you help eliminate or reduce the need for manual application installation, hardware testing, and support.

• IBM System Information Center automates the collection, assessment, and reporting of your PC inventory—whether users are logged on or not. It is quick and easy to implement in a PC environment, and maintenance is minimal. System Information Center provides features over and above standard inventory solutions:

– Assists with measuring client security compliance

– Reports ThinkVantage Technology software usage

– Allows tracking of on-PC assets

– Mines and organizes collected asset and support information into predefined or customized reports

• IBM Software Delivery Center provides push and pull capabilities that allow users to download applications on demand, and enables administrators to push software updates without end-user involvement. Implementing this tool helps users have the software and updates you want them to have. Having the latest software updates and the latest versions of the ThinkVantage Technologies deployed helps decrease the number of support calls and help desk assistance required for system, application, and operating system problems. Software Delivery Center provides a flexible distribution solution, with low network bandwidth usage and little or no need for infrastructure changes. It also supports both industry-standard and custom software applications.

Visit the following Web site for more information about all of the ThinkVantage Technologies:

http://www.pc.ibm.com/us/think/thinkvantagetech.html


5.3 IBM Eserver xSeries 226

The IBM Eserver xSeries 226 provides superb availability at a price that small and midsize businesses can afford. New support for 64-bit extensions through Intel EM64T as well as up to 16 GB [1] DDR2 memory provides outstanding performance and helps protect investments for future growth.

Figure 5-5 IBM Eserver xSeries 226

Following are the key features of the IBM Eserver xSeries 226:

▪ Intel EM64T technology: runs 32-bit applications and operating systems faster than ever, and can migrate to 64-bit when you are ready.

▪ The x226 supports up to 16 GB [2] of the latest PC2-3200 DDR2 memory for optimal system performance.

▪ Optional Online Spare memory [3] can provide clients with an extra layer of memory protection beyond Chipkill.

▪ IBM offers SATA technology for those clients looking for a cost-effective alternative to SCSI, with simple swap for easy serviceability.

▪ With an optional rack-mount kit, the x226 fits in industry-standard racks and takes up a modest 4U of space.

▪ RAID 1 as standard helps clients save money and an I/O slot while providing cost-effective data protection (SCSI models also support RAID 10 as standard).

▪ The x226 accepts a range of adapters, from the PCI-Express slot to legacy PCI slots. PCI-Express provides high-speed I/O to support 64-bit applications you can implement now or in the future.

▪ The x226 includes IBM Director for advanced systems management.

▪ The x226 supports Alert Standard Format 2.0 (ASF 2.0), which can help decrease downtime by allowing you to proactively monitor system conditions, alert you to potential problems, and, when used with IBM Director, power remote systems on or off, even when the operating system is not responding.

For more information about the IBM Eserver xSeries 226, visit the following Web site:

http://www.ibm.com/servers/eserver/xseries/x226.html

[1] When 4 GB DIMMs become available.
[2] When 4 GB DIMMs are available.
[3] Planned future support.


5.4 IBM Infoprint 1422

IBM offers monochrome and color laser printers that are versatile, reliable, and affordable for small businesses and workgroups of all sizes.

Within the Infoprint 1000 family, choose from print speeds of 8 to 45 pages per minute (ppm) and many user-friendly features and paper-handling options. Many of these printers also allow you to add an IBM MFP Option that provides scan/copy/fax capabilities, so you can consolidate devices and supplies while expanding functionality. Also available is a new all-in-one MFP that allows you to print, copy, scan, and fax from a single machine. A range of connectivity options, including wireless, helps simplify network printing and enable mobile communication.

Figure 5-6 IBM Infoprint 1422

The IBM Infoprint 1422 gives your workgroup or small business the speed and reliability it needs, at a low cost of acquisition and ownership. The low-profile 1422 occupies little space, so it fits nearly anywhere. High-yield toner cartridges reduce supply interventions.

▪ Print up to 32 ppm, with a first-page-out time of eight seconds.

▪ Simplify use with the LCD operator panel.

▪ Improve productivity with a 366 MHz processor.

▪ Set up the 1422 quickly with easy-to-follow instructions.

▪ Enjoy low total cost of ownership.

5.5 IBM WebSphere Everyplace Connection Manager (WECM)

The WebSphere Everyplace Connection Manager is a distributed, scalable, multipurpose UNIX® communications platform that supports optimized, secure data access by both Wireless Application Protocol (WAP) and non-WAP clients over a wide range of international wireless network technologies, as well as local area (LAN) and wide area (WAN) wireline networks.

It integrates the WAP Version 1.2.1 standard support, as defined by the WAP Forum, together with award-winning IBM SecureWay wireless technology for supporting standard Internet Protocols (IP) efficiently and securely over both IP and non-IP wireless bearer networks.

WebSphere Everyplace Connection Manager can help boost the productivity of mobile workers by giving them highly secure, uninterrupted access to the data they need. Offering a distributed, scalable, multipurpose communications platform, WebSphere Everyplace Connection Manager can help enterprises optimize bandwidth, reduce costs, and ensure security by efficiently extending their existing applications to workers in the field over many different wireless and wireline networks.

WebSphere Everyplace Connection Manager provides several key capabilities for a mobile deployment:

▪ Data encryption over vulnerable wireless LAN and wireless WAN connections

▪ Seamless cross-network roaming, making it possible to dynamically switch network connections without interrupting applications

▪ Compression and other network optimizations that improve user response time and lower network costs

▪ Support for various types of devices: Palm, Symbian, PocketPC, Win32

WebSphere Everyplace Connection Manager is FIPS 140-2 certified. FIPS 140-2 is the U.S. government standard for cryptographic modules. The validation applies to the cryptographic module operating in its approved mode, not to every possible configuration of the product, so confirm that the configuration you deploy uses the validated module in its approved mode.

For more information about WebSphere Everyplace Connection Manager, visit the following Web site:

http://www.ibm.com/software/pervasive/ws_everyplace_connection_manager/

5.5.1 WebSphere Everyplace Connection Manager Starter Edition V5.1

WECM Starter Edition is designed for customers who want to start with a small initial investment and then expand at a later time. It provides the same functionality as WECM (with WAP), but licensing is limited to a maximum of 50 users. An upgrade from WECM Starter Edition to a full license of WECM is available for a 25% discount.


Appendix A. Deploying Access Connections

IBM added features to make deployment and management of Access Connections in an Enterprise environment much easier. After creating the location profiles required for client users, you can manage and deploy new, updated, or revised location profiles to client computers.

▪ The Access Connections Administrator Profile Deployment Feature is an additional feature that allows an administrator to distribute location profiles to Access Connections clients.

▪ Administrators can create location profiles and distribute them as part of a preload image, or install them after the client systems are deployed.

For additional information, visit the following Web sites:

▪ Access Connections Administrator Profile Deployment feature overview

http://www.ibm.com/pc/support/site.wss/document.do?lndocid=ACON-DEPLOY

▪ Access Connections Administrator Profile Deployment guide

http://www.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-52881


Access Connections deployment features

Following is a list of features to help IT administrators deploy and manage Access Connections:

▪ The IBM Access Connections Enabler for Administrator Profile Deployment feature is required to deploy location profiles that you create for client users. The Enabler is available to IT professionals only, at the following Web site:

http://www.ibm.com/pc/support/site.wss/document.do?lndocid=ACON-DEPLOY

▪ Administrators can create location profiles and distribute them as part of a preloaded image or install them after the client systems are deployed.

▪ Set control policies for each profile.

▪ Create distribution control lists to limit who can import various deployment packages.

▪ Set a client configuration policy to configure the operation of Access Connections on the client computer.

▪ Deployment packages are encrypted and password protected so that only authorized individuals can import the location profiles, which may contain wireless security information such as WEP keys or static passwords.

Installing IBM Access Connections

You can install IBM Access Connections using either a bundled package that includes IBM Access Connections software and all the necessary drivers, or using the IBM Access Connections software alone, where you install the necessary drivers separately.

Installing the integrated IBM Access Connections package

To install IBM Access Connections 3.0 or later without user interaction, complete the following steps:

1. Start Windows 2000 or Windows XP, and then log on with administrative privileges.

2. Extract the Access Connections drivers to the hard disk drive.

3. Click Start → Run.

4. Type the following command:

SETUP.EXE /S

To download the software package along with the installation instructions:

1. Visit the following Web site:

http://www.pc.ibm.com/us/think/thinkvantagetech/downloads_support.html

2. Click Software download and User's Guide to download the software package.

Installing the standalone IBM Access Connections

To install IBM Access Connections 3.0 or later without user interaction, complete the following steps:

1. Start Windows 2000 or Windows XP, and then log on with administrative privileges.


2. Extract the Access Connections drivers to the hard disk drive.

3. Click Start → Run.

4. Type one of the following commands:

– For computers that do not automatically restart, type the following command:

SETUP.EXE -S -SMS

– To install from a CD, type the following command:

SILENT.BAT

To download the software package along with the installation instructions:

1. Visit the following Web site:

http://www.pc.ibm.com/us/think/thinkvantagetech/downloads_support.html

2. Click Software download and User's Guide to download the software package.

Enabling the Administrator Feature

To enable the Administrator Feature of Access Connections, you must first have Access Connections 3.53 or later installed on a donor computer. When deploying location profiles that provide a wireless network connection, the donor and recipient computers must contain wireless adapters that support the capabilities defined in the location profile. For instance, if the location profile being deployed is configured for LEAP authentication, the adapters on the recipient systems must support LEAP authentication.

To enable the Administrator Feature, complete the following steps:

1. Obtain the Administrator Feature Enabler, and save it on the computer on which you will develop location profiles.

2. Click Start →Run.

3. Click Browse.

4. Select the self-extracting executable file that you saved in step 1.

5. Click OK. This extracts the Enabler application to the following directory: C:\Program Files\ThinkPad\ConnectUtilities

6. Close the main window of Access Connections if it is open.

7. Click Start → Run, and type: C:\Program Files\ThinkPad\ConnectUtilities\AdmEnblr.exe

Figure A-1 Enabler for Administrator Profile Deployment Feature window


8. Select Enable Administrator Feature.

9. Select Exit to close the Enabler.

10. Start Access Connections.

If you have not previously created profiles on the computer, the initial window for the profile creation wizard is displayed. After you create at least one profile, you can view the main window of Access Connections. A menu bar item labeled “Profile Distribution” is displayed.

Using the Administrator Feature

To use the Administrator Feature, complete the following steps:

1. Create all the location profiles that users require. Consider the following, and other needs, as you create the profiles:

– Office, building connections

– Home connections

– Branch-office connections

– Connections while traveling

– Hot-spot connections

2. After you create the location profiles, click Profile Distribution → Create Distribution Package.

Figure A-2 Profile Distribution

3. Select the location profiles that you want to deploy.

4. For each location profile selected, choose the appropriate user-access policy. If a selected profile contains a wireless profile with encryption enabled, the administrator is prompted to re-enter the wireless settings, so that sensitive data stored on the donor computer is not exposed in the package unintentionally.


Figure A-3 Create Distribution Package window

The access control policy defines the restrictions that are in place for a particular profile. You can define access control policies per profile with the following values:

– Deny all changes / Deny Deletion: Users cannot perform operations such as modify, copy, or delete on the profile.

– Deny network setting changes / Deny deletion: In this case, users cannot modify, delete, or copy the network settings in the profile. The parameters that users cannot modify are TCP/IP settings, Advanced TCP/IP settings, and wireless settings. The profile cannot be deleted.

– Deny all changes /Allow deletion: Users cannot modify or copy the profile; however, users can delete the profile.

– Allow all changes / Allow deletion: Users can modify, copy, and delete the profile.

– Limitation: The above control policies are applied to local users with Administrator level privileges. If the local users are configured as Limited Users, stricter restrictions are imparted by the operating system. Limited Users can only create dial-up, connection-type profiles and cannot modify, copy, or delete profiles that the administrator created. A global setting in Access Connections enables Limited Users to switch between profiles that the administrator created.

5. When the Allow silent import of this package even after installation of client check box is marked, the *.LOA file can be imported silently on any client computer, regardless of the privileges of the user who is actually logged on to the client. You can copy later packages (consisting of *.LOA and *.SIG files) to the installation folder for Access Connections; the next time Access Connections runs, it detects and imports the package silently. Because the import needs no user interaction, restrict both the package passphrase and write access to the installation folder to administrators.


6. Optional: The administrator can define a Distribution Control List based on computer serial numbers. This method of distribution enables the administrator to type individual serial numbers or to create different groups of serial numbers that represent different organizations of users who need different location profiles. This optional step is designed primarily for securing the distribution of the profile location file (*.LOA), when it is being sent to remote users for manual importing. Distribution control lists ensure that individuals install appropriate network connection profiles only. They can help reduce unauthorized network access.

Figure A-4 Define Distribution Control List

When creating groups of serial numbers, you can import flat text files that contain the group of serial numbers. The file must be formatted such that each line contains a single serial number. Create these text files by exporting a list that was created with the Administrator Feature or by an asset management system, if it has such capabilities. This simplifies the process of controlling distribution to a large number of computers based on their serial number.
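The serial-number list that a distribution control list group is built from can be generated from an asset-management export rather than typed by hand. The following PowerShell script is an added example; it is not part of the IBM Redpaper or of Access Connections. The inventory CSV is constructed sample data, its column names (Hostname, SerialNumber, Department) are assumptions, and the serial-number pattern it accepts (6 to 8 alphanumeric characters) is an assumption to adjust to your own fleet. It normalizes case and whitespace, drops duplicate rows and rows without a usable serial number instead of silently putting them on the list, and writes exactly one serial number per line, which is the format described above.

```powershell
# Added example (not IBM's code): build a Distribution Control List file for
# Access Connections from an asset-management export. The column names and
# the serial-number pattern are assumptions.

# Constructed sample export; not real inventory data.
$inventoryCsv = @'
Hostname,SerialNumber,Department
TP-ALICE,99ABC12,Finance
TP-BOB,99abc13,Finance
TP-CAROL, 99ABC14 ,Sales
TP-DAVE,99ABC12,Finance
TP-EVE,,Sales
TP-FRANK,99AB-C15,Sales
'@

function ConvertTo-SerialList {
    param(
        [Parameter(Mandatory)][string]$Csv,
        [string]$Department        # optional: keep only one group of users
    )
    $seen     = @{}
    $serials  = @()
    $rejected = @()
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        if ($Department -and $row.Department -ne $Department) { continue }
        # Normalize case and whitespace so one machine cannot appear twice
        # under two spellings of the same serial number.
        $s = ([string]$row.SerialNumber).Trim().ToUpperInvariant()
        # Assumed serial format: reject anything else as a bad export row
        # rather than silently adding it to the allow list.
        if ($s -notmatch '^[A-Z0-9]{6,8}$') {
            $rejected += "$($row.Hostname): '$($row.SerialNumber)'"
            continue
        }
        if ($seen.ContainsKey($s)) { continue }   # same machine exported twice
        $seen[$s] = $true
        $serials += $s
    }
    [pscustomobject]@{ Serials = $serials; Rejected = $rejected }
}

function Write-SerialList {
    param(
        [Parameter(Mandatory)][string[]]$Serials,
        [Parameter(Mandatory)][string]$Path
    )
    # One serial per line, plain ASCII, no byte-order mark: the import reads
    # each line as exactly one serial number.
    [System.IO.File]::WriteAllLines($Path, $Serials, [System.Text.Encoding]::ASCII)
}

$result = ConvertTo-SerialList -Csv $inventoryCsv -Department 'Finance'
Write-SerialList -Serials $result.Serials -Path (Join-Path $env:TEMP 'finance-serials.txt')
$result.Rejected | ForEach-Object { Write-Warning "not added: $_" }
```

Review the warnings before importing the file: a machine that was rejected here is simply absent from the list, so its user will be refused the package at import time and will need a corrected entry in the inventory rather than a hand-edited list.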


Figure A-5 Create Group

Optional: You can define the Client Configuration Policy, which controls the capabilities that are available to the user after the *.LOA file is imported.

The Client Configuration Policy panel also enables the administrator to set the Global Settings for Access Connections. If the end-user logs onto a computer with a Limited User account, then the administrator must enable the “Allow all users of this system to switch to any existing location profile” setting under Global Setting. Otherwise, the users cannot switch between the pre-configured location profiles that the administrator provided.

Note: Check the Do not allow clients to become an administrator check box to prevent users from enabling the Administrator Feature on their installation of Access Connections. This setting is useful in large enterprise environments, where IT administrators want to prevent others from creating and distributing network access profiles.


Figure A-6 Define Client Configuration Policy

7. After you specify all the necessary settings in the Define Client Configuration Policy window, click Create. A passphrase prompt is displayed. The passphrase encrypts the *.LOA file so that the file can be imported only if the Access Connections application was installed as described in Section 4.4 or if you provide the passphrase to the user.

8. Give the *.LOA file a name and location.

Preparing for a new-image installation

To deploy the Access Connections software, complete the following steps:

1. Install Access Connections on a sample system from the group of systems being deployed.

2. Start the Administrator Feature Enabler, as described in “Enabling the Administrator Feature” on page 193.

Attention: For image deployment, the *.LOA file must reside in the Access Connections install directory (C:\Program Files\ThinkPad\ConnectUtilities).


3. Create the location profiles, as described in “Using the Administrator Feature” on page 194.

4. Create the deployment package, as described in “Using the Administrator Feature” on page 194.

5. While creating the location deployment package, check the Do not allow clients to become administrator check box in the Client Configuration Policy window.

6. Save the *.loa and the *.sig files to another computer, removable media, or network drive to generate a collection of deployment packages.

7. Install Access Connections on the image building system according to your process.

– If the computer that you are using to create the build image is the same as the computer on which you created the location profiles, complete the following:

• Uninstall Access Connections from the build-image computer so that the Administrator Feature is removed.

• Add Access Connections to the image in an uninstalled state.

• Create a directory that contains the setup files plus the *.loa and *.sig files that were saved in step 6.

– Add a new string (REG_SZ) value under the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. RunOnce entries hold command lines, so the value is a string, not a DWORD.

– Name the value ACinstall and set it to the following path: <Path where Access Connection setup files exist>\setup.exe -s

8. Upon the first boot of the client computers, Access Connections silently installs and automatically launches. Access Connections imports the *.loa file silently. The *.loa and *.sig files are deleted.

Deploying Access Connections location profiles remotely

There are two ways to remotely deploy Access Connections:

� Unattended deployment

� Attended deployment.

The following sections describe each remote deployment method.

Unattended deployment

After computers are deployed in the manner discussed in “Using the Administrator Feature” on page 194, an administrator can use systems management applications (such as SMS, Tivoli®, etc.) to push updated *.loa files to the client and have Access Connections silently import them if the following conditions are met:

1. The *.loa files must be created using the exact password used originally in the build that was deployed on the client computer.

Note: The *.sig file contains the signature data generated from the password used in generating the deployment package. This file is located in the install directory of Access Connections, typically C:\Program Files\ThinkPad\ConnectUtilities.


2. The *.loa files must be placed in the Access Connections installation directory. Access Connections must be restarted, either by restarting the computer or by closing the System Tray icon (QCTRAY.EXE), and then launching Access Connections again.
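The image-build procedure above (step 7) and the unattended push just described both come down to placing a *.loa/*.sig pair where Access Connections will find it. The following PowerShell script is an added example and is not IBM's code or part of Access Connections. New-AcImageStaging stages the setup files and the package in one directory and writes the ACinstall RunOnce value for the image build; because RunOnce entries are string (REG_SZ) values holding a command line, it creates a String value. Push-AcProfilePackage copies a new *.loa into the installation directory of an already deployed client and restarts Access Connections by closing QCTRAY.EXE. The installation directory and the value name ACinstall come from this appendix; the function names, parameters, and the path to the Access Connections executable (which the appendix does not name, so it is passed in) are assumptions. Run it elevated. The push function can check only that a *.sig exists on the client; it cannot tell whether the new *.loa was built with the same passphrase as that *.sig, and a package built with a different passphrase will not be imported.

```powershell
# Added example (not IBM's code): stage an Access Connections deployment
# package for an image build, or push an updated package to a deployed client.
# Function names and parameters are assumptions; the install directory and
# the ACinstall RunOnce value name come from the appendix.

$AcInstallDir = 'C:\Program Files\ThinkPad\ConnectUtilities'

function Test-DeploymentPackage {
    # A package is the pair <name>.loa + <name>.sig; refuse to stage half of it.
    param([Parameter(Mandatory)][string]$LoaPath)
    $sigPath = [System.IO.Path]::ChangeExtension($LoaPath, '.sig')
    if (-not (Test-Path -LiteralPath $LoaPath)) { throw "missing .loa: $LoaPath" }
    if (-not (Test-Path -LiteralPath $sigPath)) { throw "missing .sig for $LoaPath" }
    return $sigPath
}

function New-AcImageStaging {
    # Image build: setup files plus .loa/.sig in one directory, and a RunOnce
    # value named ACinstall so that setup.exe -s runs at the client's first boot.
    param(
        [Parameter(Mandatory)][string]$SetupDir,     # extracted setup files, including setup.exe
        [Parameter(Mandatory)][string]$LoaPath,
        [Parameter(Mandatory)][string]$StagingDir
    )
    $sigPath = Test-DeploymentPackage -LoaPath $LoaPath
    if (-not (Test-Path -LiteralPath (Join-Path $SetupDir 'setup.exe'))) {
        throw "no setup.exe in $SetupDir"
    }
    New-Item -ItemType Directory -Force -Path $StagingDir | Out-Null
    Copy-Item -Path (Join-Path $SetupDir '*') -Destination $StagingDir -Recurse -Force
    Copy-Item -LiteralPath $LoaPath, $sigPath -Destination $StagingDir -Force

    # RunOnce executes the command line stored in a string value, so this is
    # REG_SZ rather than a DWORD.
    $runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $command = '"' + (Join-Path $StagingDir 'setup.exe') + '" -s'
    New-ItemProperty -Path $runOnce -Name 'ACinstall' -Value $command `
        -PropertyType String -Force | Out-Null
    # Read it back so the caller can confirm what the image will run.
    return (Get-ItemProperty -Path $runOnce -Name 'ACinstall').ACinstall
}

function Push-AcProfilePackage {
    # Unattended deployment to a client that already runs Access Connections:
    # drop the new .loa next to the .sig from the original build, close the
    # tray icon (QCTRAY.EXE), and start Access Connections again so that it
    # imports the package silently.
    param(
        [Parameter(Mandatory)][string]$LoaPath,
        [Parameter(Mandatory)][string]$AcExe,        # Access Connections executable; not named in the appendix
        [string]$InstallDir = $AcInstallDir
    )
    if (-not (Test-Path -LiteralPath $LoaPath)) { throw "missing .loa: $LoaPath" }
    if (-not (Get-ChildItem -LiteralPath $InstallDir -Filter '*.sig' -ErrorAction SilentlyContinue)) {
        throw "no .sig in ${InstallDir}: this client was not built with a deployment package, so silent import will not work"
    }
    $dest = Join-Path $InstallDir (Split-Path -Leaf $LoaPath)
    Copy-Item -LiteralPath $LoaPath -Destination $dest -Force
    Get-Process -Name 'QCTRAY' -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Process -FilePath $AcExe
    return $dest
}

# Usage on the build system (paths are placeholders):
# New-AcImageStaging -SetupDir 'D:\ACSetup' -LoaPath 'D:\Packages\corp.loa' -StagingDir 'C:\ACDeploy'
# Usage on a deployed client, for example from an SMS or Tivoli job:
# Push-AcProfilePackage -LoaPath '\\deploy\ac\corp-v2.loa' -AcExe '<Access Connections executable>'
```

Both functions return the artefact they created (the RunOnce command line, or the path of the copied *.loa), so a management job can log it and an operator can verify the image or the client before relying on the silent import.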

Attended deployment

To deploy Access Connections location profiles to remote users or to computers that are already deployed, complete the following steps:

1. Using the Administrator Feature, create the *.loa file that contains the profiles that remote users need.

2. During the export process, specify the serial numbers of the remote users' computers and set a password to use in encrypting the *.loa file.

3. In separate e-mail messages (one for the password and one for the *.loa file), send to the users, over a secure medium, the password and *.loa file.

4. Prepare the following instructions for the users:

a. Save the *.loa file attachment to your hard disk.

b. Open Access Connections. Depending on the way you set up the Start menu, you might need to provide navigation instructions to the Access Connections entry.

c. Click Manage Location Profiles.

d. Click Options → Import/Export.

e. Click Import Location Profiles.

f. Using the drop-down selection for Files of type, select Profile Distribution files (*.loa).

g. Browse to the location where you saved the *.loa file in step 4a.

h. Select the saved *.loa file, and then click Open.

i. Access Connections checks the serial number of your computer to make sure that the *.loa file matches your computer. If a message is displayed that the serial number in the *.loa file and your computer's serial number do not match, contact the administrator who sent you the *.loa file. You will need a revised *.loa file that contains the correct serial number for your computer.

j. If the serial numbers match, you are prompted to type the passphrase your administrator provided in a separate e-mail. Type the passphrase carefully and precisely, using upper- and lower-case characters where applicable.

k. Press Enter.

5. When the user correctly types the passphrase and presses Enter, Access Connections decrypts the *.loa file, and imports the location profiles as well as global settings and access controls you set. The *.loa file is then automatically deleted.


Appendix B. The IBM Embedded Security Subsystem

Select IBM computers are equipped with built-in cryptographic hardware that works together with software technologies to provide a powerful level of security in a client PC platform. Collectively, this hardware and software is called the IBM Embedded Security Subsystem (ESS).

This appendix provides an overview of the IBM Embedded Security Subsystem and IBM Client Security Software.


Trusted Platform Module

The hardware component of the IBM Embedded Security Subsystem meets all Trusted Computing Group (TCG) TPM Specification Version 1.1b requirements. This hardware component, known as a Trusted Platform Module (TPM), is sometimes referred to as the IBM Embedded Security Chip. The chip works with IBM Client Security Software (CSS) to enhance the security of your system and data.

Client Security Software

IBM Client Security Software is a suite of security tools that utilizes the IBM Embedded Security Subsystem to help protect access to your computer, your data, and your personal settings. Client Security Software activates the IBM Embedded Security Subsystem and creates the security keys necessary to protect your identity and data; the key pair it uses is protected within the IBM hardware. Client Security Software comprises the following local applications:

▪ IBM Password Manager

IBM Password Manager enables you to manage your sensitive and easy-to-forget logon information, such as user IDs, passwords, and other personal information, encrypting all information through the IBM Security Chip. IBM Password Manager works with Microsoft Internet Explorer to securely store and recall data entered into Web pages.

▪ Hardware-based secure Windows logon

Client Security Software transfers authentication operations to the IBM Embedded Security Subsystem. Utilizing the security of this powerful hardware chip, multiple authentication methods can be configured, including:

– Passphrase authentication - Passphrase authentication enables users to expand upon often limited password options. Client Security Software allows passphrases of up to 256 characters.

– Fingerprint authentication - Client Security Software integrates with IBM fingerprint software to provide fingerprint authentication through the IBM Embedded Security Subsystem.

IBM Client Security Software has two configuration options: typical and advanced. Selecting the appropriate option for your needs is important, so review the following information carefully before choosing. Because of the complexity of the security concepts involved, most users, and all novice security users, should select the typical configuration. This option uses default settings, which makes the configuration process easy, but some advanced features of Client Security Software are unavailable under the typical configuration.

Typical configuration

The typical configuration of IBM Client Security Software installs and configures the following Client Security features:

▪ IBM Password Manager

▪ Right-click file encryption

▪ Passphrase and fingerprint authentication support

▪ Digital signature support


Advanced configuration

As the name implies, the advanced configuration of IBM Client Security Software is designed for advanced security users. You should not select this configuration option unless you have an advanced knowledge of security concepts. The advanced configuration of IBM Client Security Software installs and configures the following Client Security Software features in addition to those available under the typical configuration:

▪ Secure logon protection

▪ Key storage location selection

▪ Application support, such as Lotus Notes and Entrust

Some CSS features are not available when a typical configuration is selected. To enable these functions, simply convert your typical configuration to an advanced configuration.

For more information about IBM Client Security Software, visit the following Web site:

http://www.pc.ibm.com/us/think/thinkvantagetech/downloads_support.html

IBM Password Manager

The IBM Client Security Password Manager program enables you to manage your sensitive and easy-to-forget login information, such as user IDs, passwords, and other personal information, using the IBM Embedded Security Subsystem. The IBM Client Security Password Manager program stores all information through the IBM Security Chip so that your user-authentication policy controls access to your secure applications and Web sites.

This means that rather than having to remember and provide a plethora of individual passwords—all subject to different rules and expiration dates—you only remember one passphrase, or provide your fingerprint, to gain access to any application or Web site entered into the Password Manager program.

The IBM Password Manager enables you to perform the following functions:

▪ Encrypt all stored information through the IBM Embedded Security Subsystem.

The IBM Client Security Password Manager automatically encrypts all information through the IBM Embedded Security Subsystem. This ensures that all your sensitive password information is secured by the IBM Client Security encryption keys.

▪ Transfer user IDs and passwords quickly and easily utilizing a simple type-and-transfer interface.

Use the IBM Client Security Password Manager type-and-transfer interface to place information directly into the logon dialog of your browser or application. This helps minimize typing errors and enables you to save all of your information securely through the IBM Embedded Security Subsystem.

▪ Securely provide wireless, Web site, and application credentials using the IBM fingerprint software program and the IBM Embedded Security Subsystem.

The IBM Client Security Password Manager can utilize the IBM fingerprint software program and the IBM Embedded Security Subsystem to securely automate your login process. The IBM Client Security Password Manager can provide your login information automatically to any registered wireless network, application, or Web site upon a successful fingerprint authentication. By utilizing these technologies together, users gain an increase in security and an increase in convenience.


▪ Generate random passwords.

The IBM Client Security Password Manager enables you to generate a random password for each application or Web site. This increases the security of your data because each application gets its own strong password. Random passwords are far more secure than user-defined passwords because experience shows that most users base passwords on easy-to-remember personal information, which is often relatively easy to crack.

▪ Export login information.

The IBM Client Security Password Manager enables you to export your sensitive login information so that you can securely carry it from computer to computer. When you export your login information from the IBM Password Manager, a password-protected export file is created that you can store on removable media. Use this file to access your user information and passwords anywhere you go. While the export file is on removable media, only its password protects the credentials, so choose that password with the same care as your Client Security passphrase.

For more information about the IBM Client Security Password Manager, visit the following Web site:

http://www.pc.ibm.com/us/think/thinkvantagetech/downloads_support.html

IBM fingerprint software

The IBM fingerprint software supplements software-based Windows user security, which is vulnerable on its own, with hardware-based encryption protection. The IBM fingerprint software program increases both the security and the convenience of authentication: it replaces cumbersome password authentication with biometric fingerprint authentication, and it uses the added protection of the IBM Embedded Security Subsystem.

The IBM fingerprint software Logon Protector secures access to the Windows operating system using registered fingerprints to replace Windows logon credentials. When a user swipes a registered finger over the fingerprint reader, access to the operating system is granted following a successful fingerprint authentication.

You can set up secure IBM biometric fingerprint protection to provide the following:

- User power-on credentials

- Windows user logon credentials

- Windows user password-protected screen saver credentials

- User application and Web site credentials (when the fingerprint reader is used with the IBM Client Security Password Manager)

- User wireless credentials (when the fingerprint reader is used with the IBM Client Security Password Manager)

The IBM fingerprint software program uses the fingerprint reader to generate a passport to authenticate each user. Each passport contains specific authentication information to represent a user identity.

Each passport can contain up to ten fingerprints, but no two local passports can contain the same fingerprint. A passport contains Windows user account information and various types of data, such as data objects, keys, and certificates.

The integrated fingerprint reader is available on select ThinkPad T42 and T43 models. It will also be available on future ThinkPad models.

Abbreviations and acronyms

AAA authentication, authorization, and accounting

ACS Access Control Server

AES Advanced Encryption Standard

AP access point

ASF Alert Standard Format

CA certificate authority

CCMP Counter Mode with CBC-MAC Protocol

CHAP Challenge Handshake Authentication Protocol

CLI command line interface

CRL Certificate Revocation List

CSS Client Security Software

DDR double data rate

DHCP dynamic host configuration protocol

DMZ demilitarized zone

DN distinguished name

DSL Digital Subscriber Line

EAP Extensible Authentication Protocol

ESS Embedded Security Subsystem

GPRS General Packet Radio Service

GTC Generic Token Card

HVAC High Voltage Alternating Current

IAS Internet Authentication Service

IBM International Business Machines Corporation

IETF Internet Engineering Task Force

IIS Internet Information Server

ISM Industry Science and Medicine

ISP Internet Service Provider

ISR Integrated Services Router

ITSO International Technical Support Organization

JRE Java Runtime Environment

LAN Local Area Network

LDAP Lightweight Directory Access Protocol

LEAP Lightweight Extensible Authentication Protocol

LTPA Lightweight Third Party Authentication

MAC media access control

MNC Mobile Network Connection

MNI Mobile Network Interface


NAT Network Address Translation

NIC network interface card

OTP One-Time Password authentication

OU Organizational Unit

PCI peripheral component interconnect

PEAP Protected Extensible Authentication Protocol

QoS Quality of Service

RADIUS Remote Authentication Dial-In User Service

RAID Redundant Array of Inexpensive Disks

RFC request for comment

RSA Rivest, Shamir, & Adleman

SATA serial ATA

SCSI small computer system interface

SMB Small, Medium Business

SSID service set identification

SSL secure sockets layer

SWAN Structured Wireless-Aware Network

TACACS Terminal Access Controller Access Control System

TCG Trusted Computing Group

TKIP Temporal Key Integrity Protocol

TLS transport layer security

TPM Trusted Platform Module

TTLS tunnelled TLS

UDP user datagram protocol

URL Universal Resource Locator

VoIP Voice over IP

VPN virtual private network

WAN wide area network

WAP Wireless Application Protocol

WECM WebSphere Everyplace Connection Manager

WEP Wired Equivalency Protocol

Wi-Fi Wireless Fidelity

WINS Windows Internet Naming Service

WLAN wireless LAN

WPA Wireless (Wi-Fi) Protected Access


Related publications

The publications listed in this section are considered particularly suitable for a more detailed discussion of the topics covered in this Redpaper.

IBM Redbooks

For information about ordering these publications, see “How to get IBM Redbooks” on page 207. Note that some of the documents referenced here may be available in softcopy only.

- Up and Running with DB2 for Linux, SG24-6899

- IBM WebSphere Everyplace Connection Manager Version 5 Handbook, SG24-7049

Other publications

These publications are also relevant as further information sources:

- IBM Access Connections Deployment Guide Version 3.3.0, provided with the product

- Cisco SAFE Wireless LAN Security in Depth, Cisco White paper

How to get IBM Redbooks

You can search for, view, or download Redbooks, Redpapers, Hints and Tips, draft publications and Additional materials, as well as order hardcopy Redbooks or CD-ROMs, at this Web site:

ibm.com/redbooks

Help from IBM

IBM Support and downloads

ibm.com/support

IBM Global Services

ibm.com/services

IBM Software Group support contact information

IBM Software Group Web support

http://www.ibm.com/software/support/

IBM Software Group voice based support

1 800-553-2447

IBM Eserver and Personal Computing Division contact information

Web support

http://www.IBM.com/support

Voice based support

1 800-426-7378

IBM Printing Systems Division support contact information

IBM PSD Web support

https://www.ibm.com/support/esc/signin.jsp

IBM PSD voice based support

1 800-553-2447

Cisco support contact information

Cisco Web support

http://www.cisco.com/tac/

Cisco voice based support

800-553-2447


Index

Numerics
1130AG, overview 180
2800 Integrated Services Router, overview 181

A
abbreviations 205
Access Connections, overview 184
Access Control Server, overview 180
Access IBM 185
Access Point, overview 180
acronyms 205
Active Protection System 186

C
Contact us x

E
Embedded Security System, overview 185
ESS, see Embedded Security System

I
ImageUltra Builder 186
Infoprint 1422, overview 188

R
Redbooks Web site 207
Rescue and Recovery 186

S
Secure Data Disposal 186
Software Delivery Center 186
System Information Center 186
System Migration Assistant 186

T
ThinkPad, models overview 183
ThinkVantage Technologies
  Access IBM 185
  Active Protection System 186
  ImageUltra Builder 186
  overview 185
  Rescue and Recovery 186
  Secure Data Disposal 186
  Software Delivery Center 186
  System Information Center 186
  System Migration Assistant 186

W
WebSphere Everyplace Connection Manager, overview 188
WECM, see WebSphere Everyplace Connection Manager

X
xSeries 226, overview 187

International Technical Support Organization

BUILDING TECHNICAL INFORMATION BASED ON PRACTICAL EXPERIENCE

IBM Redbooks are developed by the IBM International Technical Support Organization. Experts from IBM, Customers and Partners from around the world create timely technical information based on realistic scenarios. Specific recommendations are provided to help you implement IT solutions more effectively in your environment.

For more information: ibm.com/redbooks

Redpaper

Deploying the IBM SecureWireless Networking Solution for Cisco Systems

Sample deployment scenarios

Best practices

Site survey

Wireless local area network (LAN) connectivity within a small or medium enterprise intranet is becoming affordable and, in many cases, a necessity for businesses of any size. Additionally, access to enterprise intranet applications from home, hotels, and wireless “hot spots” is a requirement for mobile employees.

However, small and medium businesses (SMBs) span companies of all sizes and industries. Therefore, finding a single wireless LAN and mobile connectivity solution that fits every requirement is practically impossible.

This Redpaper discusses planning and architecture considerations for SMBs looking at installing wireless LANs within their enterprise and mobile connectivity from the Internet. In addition, this Redpaper includes a detailed, step-by-step scenario of installing a wireless LAN and support for mobile connectivity in a very basic environment.

The intention is that these simple steps can be expanded on and modified as required to meet the installation requirements of whatever solution is chosen for a specific customer environment.

Back cover