WLAN Security: Identifying Client and AP Security

Transcription

1 WLAN Security: Identifying Client and AP Security 2010 Cisco Systems, Inc. All rights reserved. CUWN v Lesson Overview & Objectives Overview This lesson provides detailed discussions on the Cisco Unified Wireless Network security options, considerations, issues, and configuration steps necessary for implementation. Objectives Upon completing this lesson, you will be able to explain the purpose for and operation of key security features that are configured through Cisco wireless administration tools. This ability includes being able to meet these objectives: Describe AAA implementation and configuration Describe how to create a new ACL Explain the purpose of peer-to-peer blocking mode Describe global configuration parameters for 802.1x authentication for APs Explain how to configure the LSCs both generally and on the AP Describe how to view and configure the WLAN to mitigate penetration by rogue APs Explain how to configure Cisco NAC Appliance Explain how to configure the intrusion detection system sensor Describe the methods that are supported with Local EAP and their configurations 2010 Cisco Systems, Inc. All rights reserved. CUWN v

2 Implement AAA Authentication Go to Security > AAA > RADIUS > Authentication to add RADIUS Authentication Servers or to view the list of RADIUS servers already configured Cisco Systems, Inc. All rights reserved. CUWN v Adding a RADIUS Authentication Server When adding a new server, the Server Index determines the order in which the server will be utilized. The controller will attempt to use the server with the lowest priority number first Cisco Systems, Inc. All rights reserved. CUWN v

3 Per-WLAN Radius Authentication Per WLAN RADIUS Authentication will override the global server priorities. Go to WLAN > Configuration > Security > AAA Servers tab to configure up to 3 servers for the WLAN to use Cisco Systems, Inc. All rights reserved. CUWN v AAA Local Authentication Database A WLAN authorization attribute is applied by the configured WLAN ID from the drop-down menu. Go to Security > AAA > Local Net Users to create a local database of WLAN users. The controller will attempt to authenticate users against the local database. If no local user name is found, the controller will attempt RADIUS authentication Cisco Systems, Inc. All rights reserved. CUWN v

4 Local Database Entries Go to Security > AAA > General to set the maximum number of entries allowed in the local database Local database entries include: Local Management Users Local Network Users MAC Filter Entries Exclusion List Entries AP Authorization List Entries 2010 Cisco Systems, Inc. All rights reserved. CUWN v Configuring MAC Filtering Use Security > AAA > MAC Filtering to control network traffic based on the MAC address of the devices (usually clients) Cisco Systems, Inc. All rights reserved. CUWN v

5 Enabling MAC Filtering on WLANs After completing the input for allowed MAC addresses: 1. Go to the WLAN Configuration page to enable MAC Filtering per WLAN. 2. Choose Security > Layer Check MAC Filtering Cisco Systems, Inc. All rights reserved. CUWN v Configuring Disabled Clients Clients can manually be disabled from using the network by going to Security > AAA > Disabled Clients and entering their MAC address Cisco Systems, Inc. All rights reserved. CUWN v

6 Limiting Concurrent Logins for a User By default, a user can login (authenticate) on an unlimited number of concurrent sessions. Go to Security > AAA > User Login Policies to set the maximum number (in the range of 1 to 8) of concurrent sessions allowed per user Cisco Systems, Inc. All rights reserved. CUWN v Creating a New ACL Go to Security > Access Control Lists to create/view ACLs. After the ACL has been created, click on the name to edit Cisco Systems, Inc. All rights reserved. CUWN v

7 ACL Rules Each ACL will have one or more rules to permit or deny specific traffic. Each ACL can have up to 64 rules Cisco Systems, Inc. All rights reserved. CUWN v CPU Access Control List Go to Security > Access Control Lists > CPU Access Control Lists to specify a CPU ACL. This configuration controls traffic to the controller CPU Cisco Systems, Inc. All rights reserved. CUWN v

8 Peer-to-Peer Blocking Mode Cisco Wireless LAN Controller X Servers Peer-to-peer blocking does not allow peer (WLAN) clients to communicate directly with each other through the controller Cisco Systems, Inc. All rights reserved. CUWN v Enabling Peer-to-Peer Blocking Go to WLAN Configuration > Advanced to either enable or disable P2P Blocking (Default is disabled) Cisco Systems, Inc. All rights reserved. CUWN v

9 Client Exclusion Policies Configures the controller to exclude clients under certain conditions. Go to Security > Wireless Protection Policies > Client Exclusion Policies to select which failures will cause clients to be excluded Cisco Systems, Inc. All rights reserved. CUWN v Rogue APs 1. Go to Monitor > Rogues to view lists of different rogue APs and clients detected in the network. 2. Select the type of rogue Friendly, Malicious, or Unclassified APs; Rogue Clients; Adhoc Rogues from the menu on the left 3. Choose the rogue MAC address to view details and to perform actions such as classifying or containing the rogue Cisco Systems, Inc. All rights reserved. CUWN v

10 Classifying and Containing Rogues 1. At the Rogue Detail page, classify the rogue as Friendly, Malicious, or Unclassified. 2. If you choose to contain the rogue, you can also select how many APs will work to contain the rogue. 3. For improved rogue scanning and containment, configure more APs to be Monitor Mode Cisco Systems, Inc. All rights reserved. CUWN v RLDP and Auto-Containment Go to Security > Wireless Protection Policies > General to enable RLDP and Auto-containment Cisco Systems, Inc. All rights reserved. CUWN v

11 Shunned Clients To view clients that have been shunned by the controller due to CIDS, choose Security > Advanced > CIDS > Shunned Clients Cisco Systems, Inc. All rights reserved. CUWN v Remote and Branch Office Security Solutions Local EAP The following EAP methods are supported with local EAP: LEAP EAP-FAST (both username and password with PAC and certificates) EAP-TLS PEAPv0/MS-CHAPv2 PEAPv1/GTC MAC authentication is also supported. Local EAP authentication can be used if the Cisco WLC fails to reach the configured RADIUS servers. Supports local users or LDAP users Requires WLAN configuration 2010 Cisco Systems, Inc. All rights reserved. CUWN v

12 Local EAP General Configuration Go to Security > Local EAP > General to view/configure Local EAP timers Cisco Systems, Inc. All rights reserved. CUWN v Local EAP Profiles 1. Go to Security > Local EAP > Profiles to view/create Local EAP profiles. 2. Click on a profile name to edit the profile. 3. In the Local EAP profile, select the types of EAP and the types of certificates to be used. 4. Create up to 16 Local EAP Profiles Cisco Systems, Inc. All rights reserved. CUWN v

13 Local EAP Other Configurations Go to Security > Local EAP > EAP Fast Parameters to configure EAP-FAST parameters. Go to Security > Local EAP > Authentication Priority to set the preferred priority for user authentication between LDAP and the local user database Cisco Systems, Inc. All rights reserved. CUWN v LDAP Notes Used In conjunction with local EAP Local EAP can be configured to use LDAP Configured on each WLAN Allows for unique LDAP databases per WLAN 2010 Cisco Systems, Inc. All rights reserved. CUWN v

14 LDAP Server Configuration Go to Security > LDAP to view or configure LDAP servers for the controller to access Cisco Systems, Inc. All rights reserved. CUWN v Per-WLAN LDAP Server Configuration Go to WLAN Configuration > Security > AAA Servers to specify the LDAP Servers for the WLAN to use for user authentication Cisco Systems, Inc. All rights reserved. CUWN v

15 Lesson Summary RADIUS is a client-server protocol and software that enables remote access servers to communicate with a central server. ACLs need to be created and applied to AP-Manager, management, or dynamic interfaces. Enabling peer-to-peer blocking mode allows the Controller to prevent peer clients from communicating directly with each other via the Controller. Access points can be configured for authentication for individual access points. LSCs are installed on APs and Controllers to provide better security through your own PKI. Using RLDP is an active approach to rogue identification. The Cisco NAC Appliance is a network admission control product that allows network administrators to authenticate users prior to allowing them onto the network. The Cisco Intrusion Detection System Sensor Configuration page is used to configure IDS sensors to detect various types of IP-level attacks in your network. Local EAP allows the Cisco WLC to be used as an authenticator for wireless clients Cisco Systems, Inc. All rights reserved. CUWN v Cisco 2010 Cisco Systems, Inc. All rights reserved. CUWN v