Field Office Use Case; A Field Office Example; The Plan - Motorola WS2000 - Wireless Switch - Network Management Device System Reference Manual


12-30 WS2000 Wireless Switch System Reference Guide

12.16 Field Office Use Case

12.16.1 A Field Office Example

12.16.1.1 Background
Leo is the network administrator, system administrator, and IT professional for a field office with 60
employees. The users include salespeople, sales engineers, office administration, and customer support
people. All of the sales personnel have laptops and many of them have personal digital assistants (PDAs).
The office is connected to the Internet and to corporate through a frame relay link. Between the office
network and the frame relay, there is a router and a virtual private network (VPN) appliance. All traffic to
corporate is encrypted by the VPN appliance. Traffic to other addresses passes straight through.

Leo installed a wireless access point about six months ago and quickly found that many employees preferred
to use it. However, the throughput of the lone unit was not enough to service 40 or so users and coverage
was weak in many areas of the building. In addition, Leo was doing user authentication by maintaining a list
of permissible user MAC addresses on the access point. This required modifications to the list once or twice
a week. Recently, when a laptop was stolen, Leo could not determine which MAC address to remove from
the list for several hours. He concluded that a better method of user authentication was needed. Also, the
data encryption on the old access point was WEP, and WEP encryption can be broken with several hours of
data encrypted with the same key. Leo changes the key every week, but some users complain when last
week's key does not work anymore.

Leo has decided to upgrade to a WS 2000 wireless switch. He will have four Access Ports, one in the
administration office area, one in the sales office area, one in the sales engineering area, and one in the
engineers' demonstration room. Throughput and coverage will increase significantly. Leo will convert to
802.1x/EAP-TTLS user authentication through the corporate RADIUS server and convert to WPA2 encryption,
improving security considerably and reducing maintenance significantly.

Leo's company is also growing. Corporate has rented an expansion office for engineering in another part of
the same building. Leo needs to establish secure communication from the engineering subnet to this
expansion office. The other office will also have a WS 2000, so Leo will establish a direct VPN link to that
WS 2000 and use the VPN as the secure communication link.

The following links show the tasks that Leo will carry out to complete the wireless upgrade.

12.17 The Plan

Each WS 2000 WLAN has exactly one security policy, where a security policy is defined as a user
authentication method and a data encryption method. Because each WLAN can have one and only one
security policy, WLAN configuration is usually defined by the security needs of the installation. If two groups
of users require different security policies, then they must associate to the WS 2000 through different
WLANs. See the retail case study for an example of an installation where different security needs drive the
need for separate WLANs.

In this situation, all of Leo's users will use the same security system: 802.1x/EAP-TTLS user authentication
and WPA data encryption. Leo can set up the WLANs in any way that is convenient.

Corporate has given Leo three static IP addresses for the wireless network. He will configure the WS 2000
as a DHCP server giving out internal-use-only IP addresses and use network address translation (NAT) in the
switch to convert the outward-bound traffic to one of the static IP addresses.
