Cisco Systems 102087 User Guide

Regulatory Domain Unification for Cisco Wireless LAN Access Points
1.1 Requirements
1.2 Scope
2 Functional Overview
2.1 Feature List (Software/Firmware)
2.1.1 Universal AP Boot Sequence Cycle
2.1.2 Domain Identification Engine
2.1.2.1 Manual Identification
2.1.2.2 Automatic Identification
2.1.3 External Interfaces (Software/Firmware)
2.1.3.1 SmartPhone Application
2.1.4 Security Considerations
2.1.4.1 Infrastructure Security
2.1.4.2 Client Security
2.2 Platform Requirements
2.2.1 Access Points
2.2.2 SmartPhone Applications
3 Glossary
4 Questionnaires from Previous Correspondence
Copyright 2013 Cisco Systems Page 1 of 29 Cisco Highly Confidential – Controlled Access
A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
1.1 Requirements
The purpose of the Universal Access Point (AP) is to address worldwide regulatory compliance requirements based on geo-location of Cisco Wireless Access Points.
Key elements of the requirements are:
Domain and thus channel/power plan shall be determined based on the geographical location of an AP prior to operation.
The End User shouldn’t be allowed to change the Regulatory Domain and Country configuration on APs.
Any mechanism shall minimize user interaction to configure the correct regulatory domain.
The provision process shall work with all Cisco APs.
1.2 Scope
In order to meet the above requirements, the solution relies on information from trusted RF neighbors along with a smartphone-based audit scheme to convert Universal APs into the appropriate regulatory configurations post installation.
2 Functional Overview
2.1 Feature List (Software/Firmware)
2.1.1 Universal AP Boot Sequence Cycle
In order to honor compliance regulations for all countries, one of the key requirements for the Universal AP will be to initially operate only on frequencies that are allowed in all countries across the world. Currently there are no available frequencies in the 5 GHz spectrum that are valid in all countries; therefore, during the Universal AP initial startup cycle, only 2.4 GHz transmissions will be allowed. 5 GHz transmissions will not occur until the regulatory domain conversion is completed.
Image 1.1 Universal AP Boot Up Sequence Flowchart
The above flowchart shows the boot sequence of the Universal AP’s bring-up cycle. When a fresh out-of-box AP is installed at a customer site, after boot loader initialization the host will read the regulatory domain configuration from the cookie that is burned into the EEPROM of the device. For non-configured APs, both Regulatory Domain and Country Code will be set to the Universal Attribute “UX”.
For out-of-box APs, the Domain Identification Engine (DiE) will trigger regulatory domain migration. DiE will convert a UX AP into the correct domain using the two phases of identification methods explained in section 2.2.2. After successful migration, the AP will reset, come up with the new regulatory domain and country configurations, and operate similarly to our existing pre-configured APs.
One key difference between a converted Universal AP and existing Cisco APs (Non-Universal) is that the DiE engine’s Location Change Identifier (LCi) will run in the background during the Universal AP’s boot up cycle. LCi will ensure the Universal AP is installed with the correct regulatory domain in case APs are physically moved after priming. If the LCi reports no location change, the AP will enable TX on 5 GHz radios. Prior to the migration into the correct SKU, only 2.4 GHz radios will be operational.
2.1.2 Domain Identification Engine
Overall SW architectural changes to migrate Universal AP into correct regulatory configs can be categorized into 2 major functional phases.
1. Manual Identification:
Manual identification encompasses a technique using a smartphone application that migrates Universal SKU AP into the correct regulatory domain.
2. Automatic Identification:
Automatic Identification leverages Cisco proprietary Neighbor Discovery Protocol (NDP) to propagate regulatory domain configurations across the AP’s localized RF neighborhoods.
2.1.2.1 Manual Identification
This method encompasses a Smartphone application that runs on different flavors of mobile OSs. Upon successful authentication, the smartphone will communicate with the Universal AP on a secure 2.4 GHz channel. The smartphone will then request AP configurations to differentiate a Universal SKU AP from other access points. When the associated Access Point is identified as a Universal AP, the smartphone will push regulatory configurations to the AP.
Image 1.2 Highlights configuration exchanges between Smartphone App and the Universal AP
When a user wants to prime a Universal AP, he/she must authenticate with CCO credentials. Without proper authentication, the Smartphone App will be disabled and not able to configure the AP. After successful authentication, the Smartphone will associate to the Universal AP over a secure 2.4 GHz channel as a client. Prior to the association with the AP, the smartphone app will also gather its location information from the inbuilt GPS and from the cell tower that advertises country information, by extracting the Mobile Country Code (MCC) Identifier from the Public Land Mobile Network (PLMN). Once associated, the Universal AP will then send information about its AP type and its Regulatory Domain and Country configurations, in order to distinguish it from existing Cisco APs and to indicate whether it has been primed already. For an unprimed/out-of-box Universal AP, the smartphone will configure the AP with the correct regulatory domain, derived from the AP information and the country code details obtained via GPS and MCC ID. The Smartphone App will maintain a database that maps country configurations to the regulatory domain for a specific AP model. This information will be sent to the Universal AP to migrate it into the correct Regulatory Domain and country configurations.
Smartphone App will support the following 2 modes of operation:
1) Configure Mode: This will be the default mode of operation for the Smartphone App to configure a Universal SKU AP. Fresh out-of-box APs will get configured via the configure knob when the associated AP is configured with Universal Attributes (Reg. Domain: -UX, Country: UX).
2) Audit Mode: This special mode will handle wrongly primed Universal APs. When Universal APs are shipped via tier-2 distributors or were misconfigured due to a change in location, the reg. domain configurations will be corrected via the Smartphone App in audit mode. Audit mode can overwrite the reg. domain configurations of an already primed Universal AP. During the Universal AP boot up process, when LCi notifies the host about a potential change in location, such APs can only be reconfigured via the Smartphone App in audit mode.
When a Universal AP gets re-primed by the Smartphone App in audit mode, a special flag will be enabled in the NDP frame to propagate the corrected regulatory domain settings to the rest of the RF neighborhood. This will speed up overall network convergence time when the majority of the APs installed in the network are misconfigured.
Image 1.3 Decision Flowchart of Smartphone App with modes of operations
The above decision flowchart explains the basic communication flow between the smartphone application and the Universal AP. Upon successful authentication with the required credentials, the Smartphone will gather its location information from the GPS and Cell ID. Once the location is determined, it will associate to the Universal AP over a secure 2.4 GHz channel. After successful authentication, the smartphone app will establish communication with the AP to gather AP information and regulatory details. If the associated AP is identified as a Universal AP, the smartphone will write the regulatory settings into the AP’s cookie in EEPROM to prime the correct Regulatory Domain ID and Country configurations.
For misconfigured Universal APs, the Smartphone App will operate in Audit mode, which can correct regulatory domain configurations when a user physically moves Universal APs to a new location or when Universal APs were primed in a different country. In such cases, the NDP Propagation Override flag will be enabled to automatically correct the Reg. Domain information across the rest of the RF neighborhood with minimal user intervention.
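The decision flow described above can be sketched as follows. This is an added example, not Cisco's implementation: the model name, domain labels, field names and the rule that GPS and MCC must agree before anything is written are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

UX_DOMAIN, UX_COUNTRY = "-UX", "UX"  # Universal attributes named in the text

# Constructed sample database: (AP model, country) -> regulatory domain.
# "MODEL-X" and the "-DOMAINn" labels are placeholders, not real values.
DOMAIN_DB = {("MODEL-X", "US"): "-DOMAIN1", ("MODEL-X", "DE"): "-DOMAIN2"}
# Small subset of ITU Mobile Country Codes for the cell-tower cross-check.
MCC_TO_COUNTRY = {"310": "US", "262": "DE"}

@dataclass
class ApInfo:  # hypothetical shape of what the AP reports after association
    model: str
    is_universal: bool
    reg_domain: str
    country: str

def decide(authenticated: bool, gps_country: Optional[str],
           mcc: Optional[str], ap: ApInfo, audit_mode: bool = False) -> dict:
    """Return the action the app takes for one associated AP."""
    if not authenticated:
        return {"action": "refuse", "reason": "not authenticated"}
    if not ap.is_universal:
        return {"action": "skip", "reason": "not a Universal AP"}
    cell_country = MCC_TO_COUNTRY.get(mcc or "")
    # Assumption: fail closed unless both location sources exist and agree.
    if gps_country is None or gps_country != cell_country:
        return {"action": "refuse", "reason": "location sources disagree"}
    domain = DOMAIN_DB.get((ap.model, gps_country))
    if domain is None:
        return {"action": "refuse", "reason": "no domain mapping"}
    current = (ap.reg_domain, ap.country)
    primed = current != (UX_DOMAIN, UX_COUNTRY)
    if primed and current == (domain, gps_country):
        return {"action": "none", "reason": "already correct"}
    if primed and not audit_mode:
        return {"action": "refuse", "reason": "primed AP needs audit mode"}
    # The override flag is set only when audit mode re-primes an AP.
    return {"action": "write", "reg_domain": domain,
            "country": gps_country, "ndp_override": primed}
```

Refusing to write when the two location sources disagree keeps a single spoofable input from selecting the channel and power plan.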
2.1.2.2 Automatic Identification
The Automatic Identification method relies solely on Cisco’s RF intelligence to propagate the new Regulatory Domain and Country configurations to the local RF neighborhood. Cisco proprietary Neighbor Discovery Protocol (NDP) frames will be leveraged to discover secure Cisco Universal APs in the network and propagate reg. domain attributes to the localized RF neighborhood. A sub mode of the Automatic Identification process will run in the background during the Universal AP’s boot up cycle (under the Location Change Identifier) to determine a change in the AP’s location once it is primed.
The Automatic Identification method will be the default method used by Cisco Universal APs. While manual identification helps migrate Universal APs into the correct regulatory domain, the automatic method will propagate the regulatory domain configuration to the localized RF neighborhood quickly and efficiently. This method is dependent on the presence of existing Cisco Universal APs in the network; therefore the user needs to prime at least one Universal AP in the network. Automatic Identification also helps to autocorrect an already primed Universal AP; this will be addressed by a special notification via NDP that can override other Universal APs’ configurations.
The Cisco Proprietary Neighbor Discovery Frame needs information about the AP type, Regulatory Domain and Country Configurations to propagate them efficiently to the localized RF neighborhood. The new NDP message for Universal APs will be differentiated based on the versioning of the NDP frames.
Image 1.4 Automatic Identification Method Leveraging NDP For Domain Propagation
The above image explains the Universal AP’s communication with other Universal, existing Cisco and third party APs. The AP maintains a Geo-locator engine that is responsible for maintaining a database of the adjacent neighbors in the RF neighborhood, computing their approximate distance from the Universal AP, identifying Cisco Universal APs, and filtering out other third party or malicious rogue APs. Once the secure AP list is established, the Universal AP will process 802.11 beacons from such APs to learn regulatory configurations. The 802.11 beacon carries a country element that includes country code details. All beacons from non-secure Cisco and third party APs will be ignored.
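The beacon processing described above, as an added example that is not Cisco code: it parses the 802.11 Country element (element ID 7) from the information elements that follow a beacon's fixed fields and counts country codes only from neighbors on the secure list. How that list is built is not shown on this page, so `TRUSTED` is a hypothetical input, and all beacons and BSSIDs are constructed samples.

```python
from collections import Counter

COUNTRY_IE_ID = 7  # 802.11 Country information element

def country_from_ies(ies: bytes):
    """Walk the id/length/value elements of a beacon and return the
    two-letter country code, or None if absent or malformed."""
    i = 0
    while i + 2 <= len(ies):
        eid, length = ies[i], ies[i + 1]
        value = ies[i + 2:i + 2 + length]
        if len(value) < length:           # truncated element: stop parsing
            return None
        if eid == COUNTRY_IE_ID:
            code = value[:2]              # third octet is the environment
            if length >= 3 and code.isalpha() and code.isupper():
                return code.decode("ascii")
            return None
        i += 2 + length
    return None

def learn_country(beacons, trusted_bssids):
    """Count country codes seen in beacons from trusted neighbors only."""
    votes = Counter()
    for bssid, ies in beacons:
        if bssid not in trusted_bssids:   # third party or rogue: ignored
            continue
        code = country_from_ies(ies)
        if code:
            votes[code] += 1
    return votes

def ie(eid: int, payload: bytes) -> bytes:
    """Build one information element for the constructed samples."""
    return bytes([eid, len(payload)]) + payload

# Constructed sample data: SSID element plus a Country element whose
# triplet is (first channel, number of channels, max TX power in dBm).
SSID = ie(0, b"lab")
US = ie(7, b"US " + bytes([1, 11, 30]))
DE = ie(7, b"DE " + bytes([1, 13, 20]))
TRUSTED = {"aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"}
SAMPLE_BEACONS = [
    ("aa:aa:aa:00:00:01", SSID + US),
    ("aa:aa:aa:00:00:02", SSID + US),
    ("de:ad:be:ef:00:01", SSID + DE),           # not on the secure list
    ("aa:aa:aa:00:00:03", SSID + ie(7, b"U")),  # malformed Country element
]
```

With the sample data, `learn_country(SAMPLE_BEACONS, TRUSTED)` counts two votes for US and nothing for the untrusted or malformed beacons.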
When Smartphone configures Universal AP with regulatory configurations, an NDP propagation flag will be enabled to propagate the configuration out to the AP’s localized RF neighborhood.