Cisco 2106 Wireless LAN Controller and Location Appliance

Cisco delivers a smart wireless management and monitoring system which is easily deployed and can be upgraded with demand. We found the mapping facilities very effective and the accurate location tracking of rogue APs and RFID tags makes it highly versatile.

When Cisco Systems acquired AireSpace in 2005 it took on a sophisticated wireless monitoring and security system that was already ahead of its time. It hasn't rested on its laurels since then either and has continued to develop these products, and in this exclusive review we take a closer look at its 2106 Wireless LAN Controller. Aimed at small to medium businesses and enterprise branch office deployments, this desktop box runs pretty much the same code as its bigger brethren and as such integrates with Cisco's WCS software and its 2710 location tracking appliance. Cisco delivered the complete solution to our labs, which allowed us to conduct live tests on rogue AP identification and RFID tag tracking as well.

The 2106 controller has eight Fast Ethernet ports, two of which are PoE enabled, and it's designed to facilitate the deployment of Cisco's AiroNet lightweight access points. This partnership forms the foundation of Cisco's wireless security solution, as the APs are used to provide secure network access but also to monitor wireless networks and identify rogue APs, clients and Ad-Hoc networks. The main concept here is that clients use the AiroNet APs and all other devices are considered rogues unless expressly permitted to function.

For testing we used both AiroNet 1130AG and 1242AG APs with the latter supporting both 2.4GHz and 5GHz operations. These all run the LWAPP (lightweight access point protocol) and so cannot be accessed individually and can only be configured via the 2106. Essentially, you plug the APs in whereupon they contact the controller and automatically receive all their security settings and general configuration details.

Installation of the 2106 is simple enough and it provides a quick-start wizard for setting up the management port along with the interfaces for communicating with the access points. The web interface opens with a complete overview of wireless clients along with all AiroNet APs and details of which 802.11a, b or g services are being provided. The main page also provides a list of all detected rogue APs and clients, and choosing the former gives you the low-down on each one's associated wireless clients. During testing we were impressed with the efficiency of the AiroNet devices, as even before we deployed them outside the main testing lab they were picking up APs not only across our office block but also in adjacent buildings on the campus.

The AiroNet APs are managed using policies which contain details on security settings and wireless services. Policies are used to enforce encryption and authentication whilst QoS parameters can restrict the number of clients that are allowed to associate with a particular AP. It gets very interesting if you use the containment policies but be very, very careful. With these in action the AiroNet APs will stop clients associating with rogue APs and Ad-Hoc networks by sending out continuous de-auth packets. Naturally, these are deactivated by default and you'll receive plenty of warnings when you opt to activate them. AiroNet APs included in a containment policy can be configured either to act only as a monitor or as an active AP as well, and you can decide what percentage of their CPU is dedicated to each task.

Multiple controllers can be managed more effectively with Cisco's WCS (wireless control system) software. Group templates can be used to configure multiple controllers and APs and WCS brings mobility groups into the picture to allow seamless roaming. When a client accesses the network the AP used first is designated as their anchor. When they move to another AP in the same subnet the anchor passes their credentials across and promotes the next AP as the new anchor. Along with Layer 2 the groups work at Layer 3 so if a user moves to an AP on a different subnet their anchor remains the same but the new AP will tunnel through to the anchor allowing the client's IP address to stay the same.

WCS provides a mapping facility that allows you to position your APs and see a heat signature style mapping of their radio coverage. We imported a JPEG map of the ground floor of our offices and used WCS to define the type of building and walls along with location of windows and doors. WCS is unable to position rogue wireless devices on the map although it can give an indication of where they may be using a heat signature style mapping. This is where the location tracking appliance comes into play as it integrates with WCS and provides more precise positioning.

The AiroNet APs each supply details of radio signal strength measurements and the location appliance queries the WCS server and uses triangulation to place each device on your map. For this test we needed to get our three APs positioned correctly, so we kept a 1242AG in the lab and moved 1130AGs out to the corners of a triangle over 50 metres to a side. We connected them all to our HP ProCurve 2626-PWR switch and ran them over PoE through the building network infrastructure. From WCS you need to make sure you have the position and height of each AP entered and even the correct aerial orientation, although this is easy enough to do. Now we could sit back and wait for the APs to tell us what was occurring in our office block, and within a few minutes it had mapped some twenty APs and fifteen clients within the monitoring zone and designated each one a skull and crossbones icon to indicate their rogue status. For accuracy Cisco reckons the system is good to within five metres and our test results generally agreed with this. Selecting an AP icon brings up plenty of detail about the device, including lists of associated clients, and WCS provides plenty of reporting and trending tools as well.
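The review says the location appliance triangulates from the APs' signal strength readings but does not describe the algorithm. As an added illustration (not Cisco's implementation and not part of the original review), this sketch turns RSSI into range with an assumed log-distance path-loss model and solves a least-squares trilateration for three APs on a 50 m triangle; the path-loss constants, coordinates and dB offsets are all constructed.

```python
import math

# Assumed log-distance path-loss constants (constructed, not from the review).
REF_DBM = -40.0   # RSSI expected 1 m from the transmitter
PATH_EXP = 3.0    # path-loss exponent for an indoor office

# Constructed layout: three APs on a triangle 50 m to a side, one rogue device.
APS = [(0.0, 0.0), (50.0, 0.0), (25.0, 43.3)]
ROGUE = (20.0, 15.0)

def rssi_at(d):
    """RSSI in dBm at distance d metres under the assumed model."""
    return REF_DBM - 10 * PATH_EXP * math.log10(d)

def rssi_to_distance(rssi):
    """Invert the model: estimated range in metres for a measured RSSI."""
    return 10 ** ((REF_DBM - rssi) / (10 * PATH_EXP))

def trilaterate(aps, dists):
    """Least-squares (x, y) from three or more AP positions and ranges."""
    (x0, y0), d0 = aps[0], dists[0]
    # Subtracting the first circle equation from the others gives linear rows.
    rows = [(2 * (x - x0), 2 * (y - y0)) for x, y in aps[1:]]
    rhs = [d0**2 - d**2 + x**2 - x0**2 + y**2 - y0**2
           for (x, y), d in zip(aps[1:], dists[1:])]
    a11 = sum(r[0] * r[0] for r in rows)
    a12 = sum(r[0] * r[1] for r in rows)
    a22 = sum(r[1] * r[1] for r in rows)
    b1 = sum(r[0] * b for r, b in zip(rows, rhs))
    b2 = sum(r[1] * b for r, b in zip(rows, rhs))
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("APs are collinear; position cannot be resolved")
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)

def position_error(offsets_db):
    """Metres between the true and estimated position when each AP's
    RSSI reading is off by the given number of dB."""
    readings = [rssi_at(math.dist(ap, ROGUE)) + off
                for ap, off in zip(APS, offsets_db)]
    est = trilaterate(APS, [rssi_to_distance(r) for r in readings])
    return math.dist(est, ROGUE)

if __name__ == "__main__":
    print(f"perfect readings: {position_error((0, 0, 0)):.2f} m")
    print(f"+2/-1/+1 dB off:  {position_error((2, -1, 1)):.2f} m")
```

Under these assumed constants, readings that are only a decibel or two off move the estimate by a few metres, which is why AP position, height and aerial orientation have to be entered correctly.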

Cisco's RFID tracking solution is designed to work with active tags such as those from AeroScout. For testing we used a couple of AeroScout tags and handed them to assistants to allow us to track their movements. The tags send out a beacon signal once a minute which allows their battery to last up to two years. The location appliance had no problem picking them up and placing them on the map and we could edit their details so we could see which tag belonged to which tester. Location accuracy was as good as for rogue APs and in some instances we found the system could get this down to as little as 2-3 metres.

AeroScout chokepoints, or exciters, can be used to improve location accuracy and provide a security or alarm system if required. These small boxes are fixed in various locations on the premises and will interact directly with an RFID tag and force it to send out a wireless beacon signal immediately. We tested with one exciter which needed to be positioned correctly on our map. Walking past it caused the tag to beacon which was picked up by the controller and location appliance allowing it to nail its position down to under a metre.

Our tests of this Cisco wireless management and location tracking solution proved to be very successful and we were impressed with the ease of installation, the level of features and, in particular, the accuracy of the location appliance. The uses this system can be put to are considerable and the base price makes this an affordable option for SMBs. You can start out with wireless network management and monitoring and it can be easily expanded to accommodate changing requirements such as asset tracking and providing security for high value equipment.

Verdict

Cisco delivers a smart wireless management and monitoring system which is easily deployed and can be upgraded with demand. We found the mapping facilities very effective and the accurate location tracking of rogue APs and RFID tags makes it highly versatile.

2106 Wireless LAN Controller: Desktop chassis; 8 x 10/100 Ethernet ports (2 x 802.3af PoE enabled); Supports up to six AiroNet access points; Web browser management

2710 Location appliance: 1U rack server; 3.2GHz Intel Pentium D; 1GB 667MHz DDR2; 80GB Hitachi DeskStar SATA hard disk; Linux OS; 2 x Gigabit Ethernet

Dave Mitchell
