Aruba highlighted an architectural challenge that most "fat" AP vendors such as Cisco have: Every access point is also the NAS in the RADIUS authentication scheme, leaving every one of those links vulnerable to ARP attacks. Wireless infrastructure switch vendors such as Airespace, Trapeze, and Chantry, as well as Aruba, have the advantage that the RADIUS key exchanges are centralized and occur between their wireless switch or appliance, usually located in a wiring closet or control room, and their RADIUS server.
Aruba's premise is that the RADIUS communications between wireless switches and the RADIUS server are more likely to be secure because there are less of them and more likely to go over the management network as opposed to data network.
Cisco's traditional access point deployment without at WDS would have had each AP function as a NAS device, vulnerable to the attacks laid out by Aruba. However, Cisco's new WLSM (Wireless LAN Services Module), or more affectionately called "Screaming Eagle", avoids this issue because of its centralized architecture, confirmed by Cisco in a statement. Cisco also states that the report submitted to the IETF has "no new or useful findings that help the industry better address these known issues", and follows up their statement with some best practices.
The remaining question lingering on the minds of some wireless administrators is what this means for 802.11i. By extension, the same question should be asked about any device -- wired or wireless -- that depends on RADIUS.
The answer is to secure the link between the RADIUS server and the NAS, either via encryption or network isolation. That relates to the first point " how much do you trust your physical security: Ethernet ports, wiring closets, and cabling?
Discover the benefits of scalable backbone and network services for application and cloud providers.
Network automation is gaining momentum. Here's how you can drive this powerful technology to its full potential.
Subsea cable alternatives can provide a level of comfort for those concerned about disruptions. Realistically, they will continue to play a small, but critical role in the short term.
