FACULTY OF INFORMATION TECHNOLOGY

>>> COURSE MATERIAL <<<

WIRELESS AND MOBILE NETWORK SECURITY

Course ID 503075

LAB PART 4 –Cấu Hình Mạng Không Dây

Objectives
• Connect to a wireless router
• Configure the wireless router
• Connect a wired device to the wireless router
• Connect a wireless device to the wireless router
• Add an AP to the network to extend wireless coverage
• Update default router settings

I. Introduction to Wireless LAN

Lesson Contents
● SOHO Wireless LAN
● Enterprise Wireless LAN
● Conclusion

Nowadays, there are about more wireless than wired devices. About 10 years ago, most offices
only had desktops and some other network devices like printers. All of these were connected with
wires. Today, a lot of users have a laptop, smartphone, and tablet. That’s three wireless devices for
each user. Wireless speeds have increased significantly, getting close to wireless Gigabit.
IEEE uses 802.11 for all protocols that are related to wireless. Most of us have seen or heard about
802.11a, 802.11b, 802.11g, 802.11n and/or 802.11ac before. We also have the Wi-Fi Alliance that
helps with the promotion of wireless networking. For example, IEEE has described authentication and

1
encryption in their 802.11i standard. The Wi-Fi alliance has based WEP, WPA, and WPA2 on this
standard. These names are easier to work with than referring to 802.11i.

1.1. SOHO Wireless LAN (SOHO:Small Office/Home Office)

Your router at home probably has the same capabilities as the one below:

It is connected to your ISP (Internet Service Provider) through cable or DSL, or perhaps fiber. It has
some Ethernet ports to connect your computers and it has antennas for wireless users. In reality, these
components are all built into one device:

● Ethernet Switch
● Wireless Access Point
● (Cable or DSL Modem)
● Router
If you take everything apart, it looks like this:

In small networks like this, the AP does everything by itself. We call this an autonomous access
point. It uses 802.11 protocols to talk with the wireless clients and uses Ethernet on the LAN side.

2
1.2. Enterprise Wireless LAN

When we look at large Enterprise networks, a single access point is not enough. Imagine a
network with hundreds or thousands of users. When you walk around the office, you don’t want to get
disconnected every time when your phone switches from one access point to another. You want to
have a stable wireless connection, wherever you go. Switching seamlessly switching from one access
point to another is called roaming.
A single access point also has limited bandwidth. If you have a meeting room with 100 users
then a single access point might be unable to provide enough bandwidth for everyone.
Since we use wireless networking for our users, it has to be close to our users. That’s why you
will find access points on the access layer of your network, just like your computers and printers:

There’s still one issue. Let’s say you are connected to an access point and you start walking
around the office, your phone will switch to another access point. How does this second access point
know that you are already authenticated to the network? You could re-authenticate but that will break
your connection…not a good idea.

3
 To solve this issue, we work with wireless LAN controllers:

All management tasks are moved from the access points to the wireless LAN controller. It
takes care of authentication, roaming, creating new wireless networks etc. The access points are only
responsible for forwarding traffic, we call these LWAPs (Light Weight Access Point).
To achieve this, all traffic has to be sent from the access points to the wireless LAN controller.
This is done by tunnels called CAPWAP (Control And Provisioning of Wireless Access Points). The
green dotted lines are the CAPWAP tunnels between the APs and WLC.
We now have one big wireless network. If you create a new wireless network (SSID) then it
will be pushed to all access points. Roaming is also no problem since all traffic is forwarded to the
WLC.

4
II. Wireless LAN 802.11 Service Sets

Lesson Contents
● IBSS
● Infrastructure Mode
○ Basic Service Set (BSS)
■ Distribution System (DS)
○ Extended Service Set (ESS)
○ Mesh Basic Service Set (MBSS)
● AP Modes
○ Repeater
○ Workgroup Bridge
○ Outdoor Bridge
● Conclusion

Like wired networks, wireless networks have different physical and logical topologies. The
802.11 standard describes different service sets. A service set describes how a group of wireless
devices communicate with each other.
Each service set uses the Same Service Set Identifier (SSID). The SSID is the “friendly” name
of the wireless network. It’s the wireless network name you see when you look at available wireless
networks on your wireless device.

In this lesson, I’ll explain the different service sets, and we’ll take a look at some other common
AP modes.

5
2.1. IBSS

With an Independent Basic Service Set (IBSS), two or more wireless devices connect directly
without an access point (AP). We also call this an ad hoc network. One of the devices has to start and
advertise an SSID, similar to what an AP would do. Other devices can then join the network.
An IBSS is not a popular solution. You could use this if you want to transfer files between two
or more laptops, smartphones, or tablets without connecting to the wireless network that an AP
provides.

2.2. Infrastructure Mode

With infrastructure mode, we connect all wireless devices to a central device, the AP. All data
goes through the AP. The 802.11 standard describes different service sets. Let’s take a look.

6
2.2.1. Basic Service Set (BSS)

With a Basic Service Set (BSS), wireless clients connect to a wireless network through an AP.
A BSS is what we use for most wireless networks. The idea behind a BSS is that the AP is responsible
for the wireless network.
Each wireless client advertises its capabilities to the AP, and the AP grants or denies permission
to join the network. The BSS uses a single channel for all communication. The AP and its wireless
clients use the same channel to transmit and receive.

The SSID is the “nice” name of the wireless network, and it doesn’t have to be unique.
The AP also advertises the Basic Service Set Identifier (BSSID). This is the MAC address of
the AP’s radio, a unique address that identifies the AP. All wireless clients have to connect to the AP.
This means the AP’s signal range defines the size of the BSS. We call this the Basic Service Area
(BSA).
In the picture above, the BSA is a beautiful circle. This might be the case if you install your
AP somewhere in the middle of a meadow with nothing around the AP. In a building, the BSA
probably looks more like this:

7
 When a wireless device wants to join the BSS, it sends an association request to the AP. The
AP either permits or denies the request. When the wireless device has joined the BSS, we call it a
wireless client or 802.11 station (STA).
All traffic from a wireless client has to go through the AP even if it is destined for another
wireless client.

Everything has to go through the AP because the AP is our central point for management, and
it limits the size of the BSS. The AP’s signal range defines the boundary of the BSS.

8
2.2.2 Distribution System (DS)
A BSS is a standalone network with a single AP. In the pictures above, there is no connection
with a wired network.
Most wireless networks, however, are an extension of the wired network. An AP supports both
wired and wireless connections. The 802.11 standard calls the upstream wired network the distribution
system (DS).
The AP bridges the wireless and wired L2 Ethernet frames, allowing traffic to flow from the
wired to the wireless network and vice versa.

We can also do this with VLANs. The AP connects to the switch with an 802.1Q trunk. Each
SSID maps to a different VLAN:

Each wireless network has a unique BSSID. The BSSID is based on the MAC address, so most
vendors (including Cisco) increment the last digit of the MAC address to create a unique BSSID.

9
 Even though we have multiple wireless networks, they all use the same underlying hardware,
radios, and channels. If you have an AP with multiple radios, then it’s possible to assign wireless
networks to different radios. For example, you could use one wireless network on the 2.4 GHz radio
and another one on the 5 GHz radio.

2.2.3 Extended Service Set (ESS)

A BSS uses a single AP. This might not be enough because of two reasons:
Coverage: A single AP’s signal can’t cover an entire floor or building. You need multiple APs
if you want wireless everywhere.
Bandwidth: An AP uses a single channel, and wireless is half-duplex. The more active wireless
clients you have, the lower your throughput will be. This also depends on the data rates you support.
A wireless client that sits on the border of your BSA might still be able to reach the AP, but can only
use low data rates. A wireless client that sits close to the AP can use high data rates. The distant
wireless client will claim more “airtime,” reducing bandwidth for everyone.
To create a larger wireless network, we use multiple APs and connect all of them to the wired
network. The APs work together to create a large wireless network that spans an entire floor or
building. The user only sees a single SSID, so they won’t notice whether we use one or multiple APs.
Each AP uses a different BSSID, so behind the scenes, the wireless client sees multiple APs it can
connect to. We call this topology with multiple APs, an Extended Service Set (ESS).

10
 APs work together. For example, if you associate with one AP and you walk around the
building, you won’t disconnect. The wireless client will automatically “jump” from one AP to another
AP. We call this roaming. To make this a seamless experience, we need an overlap between APs.
Each AP offers its own BSS and uses a different channel to prevent interference between APs.

2.2.4 Mesh Basic Service Set (MBSS)

If you want to provide a wireless network for a large area, like a city, then it’s not easy to
connect each AP to a wired network.
Instead, you could build a mesh network, also known as a Mesh Basic Service Set (MBSS).
With a mesh network, we bridge wireless traffic from one AP to another. Mesh APs usually have
multiple radios. One radio is for backhaul traffic of the mesh network between APs; the other radio is
to maintain a BSS for wireless clients on another channel.
At least one AP is connected to the wired network; we call this the Root AP (RAP). The other
APs are Mesh APs (MAP) and are only connected through the wireless backhaul.

There are multiple paths for a MAP to reach the wired network through the RAP, so we need
a protocol that finds the best loop-free path. Similar to how spanning-tree works for L2 or routing
protocols for L3, there are different wireless solutions. IEEE has the 802.11s standard for mesh
networks. Vendors sometimes also use proprietary solutions. For example, Cisco has the Adaptive
Wireless Path Protocol (AWPP).
Cisco APs support both indoor and outdoor mesh networks.

11
2.3. AP Modes

Thus far, we have only talked about service sets. Some APs also support different non-
infrastructure modes. I’ll explain the most common AP modes below.

2.3.1 Repeater

If you need to cover a large area with your wireless network, you usually create an ESS. An
ESS, however, requires wired connections. If it’s impossible to connect your AP with a wire, you
could configure an AP in repeater mode.
A wireless repeater receives a signal and retransmits it. This allows wireless devices that are
not close enough to the AP to join the network.

There must be an overlap between the cell size of the AP and the repeater. For optimal
performance, it should be about 50%. If the repeater has a single radio, then it will receive and transmit
on the same signal as the AP. In this case, the AP will also receive the retransmitted signal. Since
wireless is half-duplex, adding a repeater will reduce your available throughput by about 50%.
To work around this, some repeaters have two or more radios. They receive on one channel
(same as the AP) and retransmit on another.

12
2.3.2 Workgroup Bridge

What if you have a wired device that needs to connect to a wireless network but doesn’t have
a radio? For example, older printers, computers, or point of sale (PoS) systems. In this case, you can
use a workgroup bridge (WGB). The WGB has a wired connection you connect to the wired device
and a wireless connection, which it uses to act as a wireless client of a BSS.

There are two types of WGBs:

● Universal workgroup bridge (uWGB): Universal WGB only supports a single wired client.
This is based on the 802.11 standards.
● Workgroup Bridge (WGB): WGB (or Workgroup Bridge Mode) is a Cisco proprietary
extension to the 802.11 standards and supports multiple wired clients.

2.3.3 Outdoor Bridge

What if you want to connect two buildings, but there is no cable in between, and you don’t
want to use a WAN? You could use an outdoor wireless bridge. You can configure two APs to create
a wireless bridge between two LANs over a longer distance. Wireless bridges between two buildings,
and even between two cities are possible.

13
There are two options:
● Point-to-point
● Point-to-multipoint

Let’s start with point-to-point:

We have two buildings, each with a LAN. The APs are in bridge mode and use directional
antennas that focus their signal in one direction, towards the AP on the other side.
If you wonder what the maximum distance of a wireless bridge could be: The record for the
longest wifi link is from CISAR (Italian Center for Radio Activities). It’s 304 kilometers (188 miles).
If you want to bridge more than two LANs, you could use a point-to-multipoint bridge:

LAN 1 and 3 use APs with directional antennas. LAN 2 in the middle uses an omnidirectional
antenna so that the signal is transmitted equally in both directions.

14
PRACTICE

Introduction
In this activity, you will configure a wireless router and an access point to accept wireless
clients and route IP packets. Furthermore, you will also update some of the default settings.

Instructions
Part 1: Using the packet tracer design the network model as followd:

Part 2: Connect to a Wireless Router

Step 1: Connect Admin to WR.

a. Connect Admin to WR using a straight-through Ethernet cable through the Ethernet ports.
Select Connections, represented by a lightning bolt, from the bottom-left side of Packet
Tracer. Click Copper Straight-Through, represented by a solid black line.
b. When the cursor changes to connection mode, click Admin and choose FastEthernet0. Click
WR and choose an available Ethernet port to connect the other end of the cable.
WR will act as a switch to the devices connected to the LAN and as a router to the internet.
Admin is now connected to the LAN (GigabitEthernet 1). When Packet Tracer displays green
triangles on both sides of the connection between Admin and WR, continue to the next step.

15
 Note: If no green triangles are shown, make sure to enable Show Link Lights under Options
> Preferences. You may also click Fast Forward Time just above the Connections selection
box in the yellow bar.

Step 2: Configure Admin to use DHCP.

To reach the WR management page, Admin must communicate on the network. A wireless router
usually includes a DHCP server, and the DHCP server is usually enabled by default on the LAN.
Admin will receive IP address information from the DHCP server on WR.
a. Click Admin, and select the Desktop tab.
b. Click IP Configuration and select DHCP.

Questions:
What is the IP address of the computer?
What is the subnet mask of the computer?
What is the default gateway of the computer?
Type your answers here.
c. Close the IP Configuration window.
Note: Values can vary within the network range due to normal DHCP operation.

Step3: Connect to the WR Web Interface.

a. In the Desktop tab on Admin, choose Web Browser.

b. Enter 192.168.0.1 in the URL field to open the web configuration page of the wireless router.
c. Use admin for both the username and password.
d. Under the Network Setup heading on the Basic Setup page, notice the IP address range for the
DHCP server.

Question:
Is the IP address for Admin within this range? Is it expected? Explain your answer.

Step 4: Configure the Internet Port of WR.

In this step, WR is configured to route the packets from the wireless clients to internet. You will
configure the Internet port on WR to connect to the internet.
a. Under the Internet Setup at the top of the Basic Setup page, change the Internet IP address
method from Automatic Configuration – DHCP to Static IP.
b. Type the IP address to be assigned to the Internet interface as follows:
Internet IP Address: 209.165.200.225

16
 Subnet Mask: 255.255.255.252
Default Gateway: 209.165.200.226
DNS Server: 209.165.201.226
c. Scroll down the page and click Save Settings.
Note: If you get a Request Timeout message, close the Admin window and wait for the orange
lights to turn into green triangles. Click the fast forward button to make this happen faster.
Then reconnect to WR from Admin’s browser using the process explained in Step 3.
d. To verify connectivity, open a new web browser and navigate to 209.165.201.226 server.
Note It may take a few seconds for the network to converge. Click Fast Forward Time or
Alt+D to speed up the process.

Part 3: Configure the Wireless Settings

In this activity, you will only configure the wireless settings for 2.4 GHz.

Step 1: Configure the WR SSID.

a. Navigate to the WR GUI interface at 192.168.0.1 in a web browser on Admin.

b. Navigate to Wireless > Basic Wireless Settings.
c. Change Network Name (SSID) to aCompany for only 2.4 GHz. Notice that SSIDs are case-
sensitive.
d. Change the Standard Channel to 6 - 2.437GHz.
e. For this activity, disable both 5 GHz frequencies. Leave the rest of the settings unchanged.
f. Scroll to the bottom of the window and click Save Settings.

Step 2: Configure wireless security settings.

In this step, you configure the wireless security settings using WPA2 security mode with
encryption and passphrase.
a. Navigate to Wireless > Wireless Security.
b. Under the 2.4 GHz heading, select WPA2 Personal for the Security Mode.=
c. For the Encryption field, keep the default AES setting.
d. In the Passphrase field, enter Cisco123! as the passphrase.
e. Click Save Settings.
f. Verify that the settings in the Basic Wireless Settings and Wireless Security pages are correct
and saved.

17
Step 3: Connect the Wireless Clients.

a. Open Laptop1. Select Desktop tab. Click PC Wireless.

b. Select the Connect tab. Click Refresh as necessary. Select the Wireless Network Name
aCompany.
c. Enter the passphrase configured in the previous step. Enter Cisco123! In the pre-shared key
field and click Connect. Close the PC Wireless window.
d. Open a web browser and verify that you can navigate to 209.165.201.226 server.
e. Repeat the above steps to connect Laptop2 to the wireless network.

Part 4: Connect Wireless Clients to an Access Point

An access point (AP) is a device that extends the wireless local area network. An access point is
connected to a wired router using an Ethernet cable to project the signal to a desired location.

Step 1: Configure the Access Point.

a. Connect Port 0 of AP to an available Ethernet port of WR using a straight-through Ethernet

cable.
b. Click AP. Select the Config tab.
c. Under the INTERFACE heading, select Port 1.
d. In the SSID field, enter aCompany.
e. Select WPA2-PSK. Enter the passphrase Cisco123! In the Pass Phrase field.
f. Keep AES as the default Encryption Type.

Step2: Connect the Wireless Clients.

a. Open Laptop3. Select Desktop tab. Click PC Wireless.

b. Select the Connect tab. Click Refresh as necessary. Select the Wireless Network Name
aCompany with the stronger signal (Channel 1) and click Connect.
c. Open a web browser and verify that you can navigate to 209.165.201.2 server.

18
Part 5: Other Administrative Tasks

Step 1: Change the WR Access Password.

a. On Admin, navigate to WR GUI interface at 192.168.0.1.

b. Navigate to Administration > Management and change the current Router Password to
cisco.
c. Scroll to the bottom of the window and click Save Settings.
d. Use the username admin and the new password cisco when prompted to log in to the wireless
router. Click OK to continue.
e. Click Continue and move on to the next step.

Step 2: Change the DHCP address range in WR.

In this step, you will change the internal network address from 192.168.0.0/24 to 192.168.50.0/24.
When the LAN network address changes, the IP addresses on the devices in the LAN and WLAN
must be renewed to receive new IP addresses before the lease is timed out.
a. Navigate to Setup > Basic Setup.
b. Scroll down the page to Network Setup.
c. The IP address assigned to Router IP is 192.168.0.1. Change it to 192.168.50.1. Verify that
IP address still start at .100, and there are 50 available IP addresses in the DHCP pool.
d. Add 209.165.201.226 as the DNS server with the DHCP settings.
e. Scroll to the bottom of the window and click Save Settings.
f. Note that the DHCP range of addresses has been automatically updated to reflect the interface
IP address change. The Web Browser will display a Request Timeout after a short time.
g. Close the Admin web browser.
h. In Admin Desktop tab, click Command Prompt.
i. Type ipconfig /renew to force Admin re-acquire its IP information via DHCP.

Question:
What is the new IP address information for Admin?
j. Verify that you can still navigate to 209.165.201.226 server.
k. Renew the IP address on other laptops to verify that you can still navigate to www.cisco.pka
server.
l. Notice that Laptop1 connected to the AP instead of WR.

19