About Remote Access Points

Remote APs connect to a managed device using XAuth (Extended Authentication) or IPsec. AP control and 802.11 data traffic are carried through this tunnel. Secure Remote AP Service extends the corporate office to the remote site. Remote users can use the same features as corporate office users. For example, VoIP applications can be extended to remote sites while the servers and the PBX remain secure in the corporate office.

For both Remote APs and Campus APs, tunneled SSIDs will be brought down eight seconds after the AP detects that there is no connectivity to the managed device. However, Remote AP bridge-mode SSIDs are configurable to stay up indefinitely (always-on or persistent). For Campus AP bridge-mode SSIDs, the Campus AP will be brought down after the keepalive times out (default 3.5 minutes).

Secure Remote AP Service can also be used to secure control traffic between an AP and the managed device in a corporate environment. In this case, both the AP and managed device are in the company’s private address space.

The Remote AP must be configured with the IPsec VPN tunnel termination point. Once the VPN tunnel is established, the AP bootstraps and becomes operational. The tunnel termination point used by the Remote AP depends upon the AP deployment, as shown in the following scenarios:

Deployment Scenario 1: The Remote AP and managed device reside in a private network which secures AP-to-Managed Device communication. (This deployment is recommended when AP-to-Managed Device communications on a private network need to be secured.) In this scenario, the Remote AP uses the managed device's IP address on the private network to establish the IPsec VPN tunnel.

Deployment Scenario 2: The Remote AP is on the public network or behind a NAT device and the managed device is on the public network. The Remote AP must be configured with the tunnel termination point, which must be a publicly-routable IP address. In this scenario, a routable interface is configured on the managed device in the DMZ. The Remote AP uses the managed device's IP address on the public network to establish the IPsec VPN tunnel.

Deployment Scenario 3: The Remote AP is on the public network or behind a NAT device and the managed device is also behind a NAT device. (This deployment is recommended for remote access.) The Remote AP must be configured with the tunnel termination point, which must be a publicly-routable IP address. In this scenario, the Remote AP uses the public IP address of the corporate firewall. The firewall forwards traffic to an existing interface on the managed device; the firewall must be configured to pass NAT-T traffic (UDP port 4500) to the managed device.

In any of the described deployment scenarios, the IPsec VPN tunnel can be terminated on a managed device, with a managed device located elsewhere in the corporate network. The Remote AP must be able to communicate with the managed device after the IPsec tunnel is established. Make sure that the L2TP IP pool configured on the managed device (from which the Remote AP obtains its address) is reachable in the managed device network by the managed device.

It is not recommended to place a Remote AP in the same subnet as its terminating controller. Each Remote AP is deployed at a remote location that is connected over a multi-hop public or private IP network where a direct Layer 2 path to the Mobility Controllers in the data center is not possible. As a best practice, always place an IP router between the APs and the Mobility Controllers as it establishes Layer 2 fault domains.
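The deployment rules above (the termination point must be publicly routable in Scenarios 2 and 3, the firewall must pass NAT-T on UDP 4500 in Scenario 3, both sides sit in private address space in Scenario 1, and the Remote AP should not share a subnet with its terminating controller) can be checked against a planned deployment before any AP is shipped. The following is an added example, not Aruba code: the RapPlan/FirewallRule structures, the rule format, the "publicly routable" definition (anything outside RFC 1918, loopback, link-local and CGNAT space) and all sample addresses are assumptions made for the example.

```python
"""Pre-deployment checks for Remote AP (RAP) tunnel termination, as an added example.

Encodes the deployment rules from the page; data structures and sample values
are constructed for the example and are not part of any Aruba product."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Address space a RAP cannot reach over the public Internet (assumption for this check:
# RFC 1918, loopback, link-local and RFC 6598 carrier-grade NAT ranges).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

NAT_T_PORT = 4500  # UDP port for NAT-T, as stated on the page


@dataclass
class FirewallRule:
    """Hypothetical, simplified firewall rule: protocol, destination port, action."""
    proto: str
    dport: int
    action: str  # "permit" or "deny"


@dataclass
class RapPlan:
    """Hypothetical description of one planned RAP deployment."""
    scenario: int                  # 1, 2 or 3, as numbered on the page
    rap_ip: str                    # address the RAP has on its local network
    termination_ip: str            # IPsec tunnel termination point configured on the RAP
    controller_subnet: str         # subnet of the terminating managed device's interface
    firewall_rules: List[FirewallRule] = field(default_factory=list)  # corporate firewall (scenario 3)


def is_publicly_routable(ip: ipaddress.IPv4Address) -> bool:
    return not any(ip in net for net in NON_ROUTABLE)


def check_rap_plan(plan: RapPlan) -> List[str]:
    """Return a list of findings; an empty list means the plan follows the page's rules."""
    findings: List[str] = []
    rap = ipaddress.ip_address(plan.rap_ip)
    term = ipaddress.ip_address(plan.termination_ip)
    ctrl_net = ipaddress.ip_network(plan.controller_subnet, strict=False)

    # Scenario 1: RAP and managed device both live in the private network.
    if plan.scenario == 1 and (is_publicly_routable(rap) or is_publicly_routable(term)):
        findings.append("scenario 1 expects both the RAP and the termination point in private address space")

    # Scenarios 2 and 3: the termination point the RAP is given must be publicly routable.
    if plan.scenario in (2, 3) and not is_publicly_routable(term):
        findings.append(f"termination point {term} is not publicly routable (scenario {plan.scenario})")

    # Scenario 3: the corporate firewall must pass NAT-T (UDP 4500) to the managed device.
    if plan.scenario == 3:
        natt_ok = any(r.proto.lower() == "udp" and r.dport == NAT_T_PORT and r.action == "permit"
                      for r in plan.firewall_rules)
        if not natt_ok:
            findings.append(f"firewall has no permit rule for NAT-T (UDP {NAT_T_PORT}) to the managed device")

    # Any scenario: do not place the RAP in the terminating controller's subnet.
    if rap in ctrl_net:
        findings.append(f"RAP {rap} is in the terminating controller's subnet {ctrl_net}; "
                        "place an IP router between them")
    return findings


def sample_plans() -> List[RapPlan]:
    """Constructed sample plans: one that follows the rules and one that breaks three of them."""
    good = RapPlan(scenario=3, rap_ip="192.168.1.20", termination_ip="203.0.113.10",
                   controller_subnet="10.1.1.0/24",
                   firewall_rules=[FirewallRule("udp", 500, "permit"), FirewallRule("udp", 4500, "permit")])
    bad = RapPlan(scenario=3, rap_ip="10.1.1.50", termination_ip="10.1.1.1",
                  controller_subnet="10.1.1.0/24",
                  firewall_rules=[FirewallRule("udp", 500, "permit")])
    return [good, bad]


if __name__ == "__main__":
    for plan in sample_plans():
        print(f"scenario {plan.scenario}, RAP {plan.rap_ip} -> {plan.termination_ip}:")
        for finding in check_rap_plan(plan) or ["ok"]:
            print("  -", finding)
```

The check deliberately defines "publicly routable" by exclusion of well-known non-routable ranges rather than by Python's `is_global`, because `is_global` also rejects the documentation ranges (such as 203.0.113.0/24) used in examples; for a real deployment the exclusion list should match what the corporate firewall actually considers private.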