WLAN Security: Identifying Client and AP Security
2010 Cisco Systems, Inc. All rights reserved. CUWN v7.0 4-1

Lesson Overview & Objectives

Overview
This lesson provides detailed discussion of the Cisco Unified Wireless Network security options, considerations, issues, and the configuration steps necessary for implementation.

Objectives
Upon completing this lesson, you will be able to explain the purpose and operation of the key security features that are configured through Cisco wireless administration tools. This ability includes being able to meet these objectives:
- Describe AAA implementation and configuration
- Describe how to create a new ACL
- Explain the purpose of peer-to-peer blocking mode
- Describe the global configuration parameters for 802.1X authentication for APs
- Explain how to configure LSCs, both generally and on the AP
- Describe how to view and configure the WLAN to mitigate penetration by rogue APs
- Explain how to configure the Cisco NAC Appliance
- Explain how to configure the intrusion detection system sensor
- Describe the methods that are supported with Local EAP and their configurations
Implement AAA Authentication
Go to Security > AAA > RADIUS > Authentication to add RADIUS authentication servers or to view the list of RADIUS servers already configured.

Adding a RADIUS Authentication Server
When adding a new server, the Server Index determines the order in which the server will be used. The controller attempts to use the server with the lowest Server Index (priority) number first.
Per-WLAN RADIUS Authentication
Per-WLAN RADIUS authentication overrides the global server priorities. Go to the WLAN > Configuration > Security > AAA Servers tab to configure up to 3 servers for the WLAN to use.

AAA Local Authentication Database
Go to Security > AAA > Local Net Users to create a local database of WLAN users. A WLAN authorization attribute is applied to each user by choosing the WLAN ID from the drop-down menu. The controller first attempts to authenticate users against the local database. If no matching local user name is found, the controller attempts RADIUS authentication.
Local Database Entries
Go to Security > AAA > General to set the maximum number of entries allowed in the local database. Local database entries include:
- Local Management Users
- Local Network Users
- MAC Filter Entries
- Exclusion List Entries
- AP Authorization List Entries

Configuring MAC Filtering
Use Security > AAA > MAC Filtering to control which devices (usually clients) may access the network, based on their MAC address.
Enabling MAC Filtering on WLANs
After entering the allowed MAC addresses:
1. Go to the WLAN Configuration page to enable MAC filtering per WLAN.
2. Choose Security > Layer 2.
3. Check MAC Filtering.

Configuring Disabled Clients
Clients can be manually blocked from using the network by going to Security > AAA > Disabled Clients and entering their MAC address.
Limiting Concurrent Logins for a User
By default, a user can log in (authenticate) on an unlimited number of concurrent sessions. Go to Security > AAA > User Login Policies to set the maximum number of concurrent sessions allowed per user (in the range of 1 to 8).

Creating a New ACL
Go to Security > Access Control Lists to create or view ACLs. After the ACL has been created, click its name to edit it.
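The following is an added example, not Cisco code from this course, that models the per-client AAA decisions the preceding slides describe: per-WLAN RADIUS servers overriding the global Server Index order, the local Net User database consulted before RADIUS, MAC filtering and disabled clients, and the 1 to 8 concurrent-login limit. The order of the checks, all class and field names, and the sample MAC addresses and user names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Wlan:
    wlan_id: int
    mac_filtering: bool = False                          # WLAN > Security > Layer 2 > MAC Filtering
    radius_servers: list = field(default_factory=list)   # per-WLAN list (up to 3) overrides global

@dataclass
class Controller:
    global_radius: dict = field(default_factory=dict)    # Server Index -> server; lowest index first
    mac_filter: set = field(default_factory=set)         # Security > AAA > MAC Filtering
    disabled_clients: set = field(default_factory=set)   # Security > AAA > Disabled Clients
    local_net_users: dict = field(default_factory=dict)  # username -> (password, WLAN ID; 0 = any)
    max_logins: int = 0                                  # 0 = unlimited (default), else 1..8
    sessions: dict = field(default_factory=dict)         # username -> active session count

    def __post_init__(self):
        if self.max_logins != 0 and not 1 <= self.max_logins <= 8:
            raise ValueError("User Login Policies limit must be 1..8")

    def radius_order(self, wlan):
        # Per-WLAN AAA servers override the global priorities.
        if wlan.radius_servers:
            return list(wlan.radius_servers)[:3]
        return [self.global_radius[i] for i in sorted(self.global_radius)]

    def admit(self, wlan, mac, username, password):
        # Returns (decision, detail). "radius" means no local user was found, so the
        # request goes to the servers in radius_order(). The check order is an assumption.
        if mac in self.disabled_clients:
            return "deny", "client manually disabled"
        if wlan.mac_filtering and mac not in self.mac_filter:
            return "deny", "MAC address not in filter list"
        user = self.local_net_users.get(username)
        if user is None:
            return "radius", self.radius_order(wlan)
        pw, bound_wlan = user
        if bound_wlan not in (0, wlan.wlan_id) or pw != password:
            return "deny", "local authentication failed"
        if self.max_logins and self.sessions.get(username, 0) >= self.max_logins:
            return "deny", "concurrent login limit reached"
        self.sessions[username] = self.sessions.get(username, 0) + 1
        return "permit", "local database"

def build_sample_controller():
    # Constructed sample data; MAC addresses, server names and users are hypothetical.
    return Controller(global_radius={2: "radius-b", 1: "radius-a"},
                      mac_filter={"00:11:22:33:44:55"}, disabled_clients={"de:ad:be:ef:00:01"},
                      local_net_users={"alice": ("s3cret", 1), "bob": ("pw", 0)}, max_logins=2)
```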
ACL Rules
Each ACL has one or more rules that permit or deny specific traffic. Each ACL can have up to 64 rules.

CPU Access Control List
Go to Security > Access Control Lists > CPU Access Control Lists to specify a CPU ACL. This configuration controls traffic destined for the controller CPU.
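The following is an added example, not Cisco code from this course, that models how a controller ACL of the kind described above is evaluated: rules are checked in sequence order, the first matching rule decides, an ACL holds at most 64 rules, and a packet matching no rule is dropped by the implicit deny at the end of the list. The rule fields, the class names and the sample guest ACL (with a hypothetical internal DNS server at 10.0.0.5) are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

MAX_RULES = 64  # per-ACL rule limit stated on the slide
ANY = IPv4Network("0.0.0.0/0")

@dataclass
class Rule:
    seq: int                 # evaluation order, lowest first
    action: str              # "permit" or "deny"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: str = None        # None = any protocol
    dst_port: range = None   # None = any destination port
    direction: str = "any"   # "inbound", "outbound" or "any"

class Acl:
    def __init__(self, name):
        self.name = name
        self.rules = []

    def add_rule(self, rule):
        # The controller caps each ACL at 64 rules; model that as a hard error.
        if len(self.rules) >= MAX_RULES:
            raise ValueError(f"ACL {self.name}: limit of {MAX_RULES} rules reached")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)

    def evaluate(self, src, dst, proto, dst_port, direction="inbound"):
        # First matching rule wins; a packet matching no rule hits the implicit deny.
        s, d = IPv4Address(src), IPv4Address(dst)
        for r in self.rules:
            if (s in r.src and d in r.dst
                    and r.proto in (None, proto)
                    and (r.dst_port is None or dst_port in r.dst_port)
                    and r.direction in ("any", direction)):
                return r.action
        return "deny"

def build_guest_acl():
    # Constructed sample: guests may query the internal DNS server (hypothetical
    # 10.0.0.5) but reach nothing else in 10.0.0.0/8; every other destination is
    # permitted. Rule order matters: the DNS permit must precede the 10/8 deny.
    acl = Acl("GUEST-ACL")
    acl.add_rule(Rule(1, "permit", dst=IPv4Network("10.0.0.5/32"), proto="udp", dst_port=range(53, 54)))
    acl.add_rule(Rule(2, "deny", dst=IPv4Network("10.0.0.0/8")))
    acl.add_rule(Rule(3, "permit"))
    return acl
```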
Peer-to-Peer Blocking Mode
(Diagram: wireless clients, Cisco Wireless LAN Controller, servers)
Peer-to-peer blocking prevents peer (WLAN) clients from communicating directly with each other through the controller.

Enabling Peer-to-Peer Blocking
Go to WLAN Configuration > Advanced to enable or disable P2P Blocking (the default is disabled).
Client Exclusion Policies
Client exclusion policies configure the controller to exclude clients under certain conditions. Go to Security > Wireless Protection Policies > Client Exclusion Policies to select which failures will cause clients to be excluded.

Rogue APs
1. Go to Monitor > Rogues to view lists of the different rogue APs and clients detected in the network.
2. Select the type of rogue (Friendly, Malicious, or Unclassified APs; Rogue Clients; Ad hoc Rogues) from the menu on the left.
3. Choose the rogue MAC address to view details and to perform actions such as classifying or containing the rogue.
Classifying and Containing Rogues
1. On the Rogue Detail page, classify the rogue as Friendly, Malicious, or Unclassified.
2. If you choose to contain the rogue, you can also select how many APs will work to contain it.
3. For improved rogue scanning and containment, configure more APs in Monitor Mode.

RLDP and Auto-Containment
Go to Security > Wireless Protection Policies > General to enable RLDP and auto-containment.
Shunned Clients
To view clients that have been shunned by the controller because of CIDS, choose Security > Advanced > CIDS > Shunned Clients.

Remote and Branch Office Security Solutions

Local EAP
The following EAP methods are supported with Local EAP:
- LEAP
- EAP-FAST (both username and password with PAC, and certificates)
- EAP-TLS
- PEAPv0/MS-CHAPv2
- PEAPv1/GTC
MAC authentication is also supported.
Local EAP authentication can be used if the Cisco WLC fails to reach the configured RADIUS servers.
- Supports local users or LDAP users
- Requires WLAN configuration
Local EAP General Configuration
Go to Security > Local EAP > General to view or configure the Local EAP timers.

Local EAP Profiles
1. Go to Security > Local EAP > Profiles to view or create Local EAP profiles.
2. Click a profile name to edit the profile.
3. In the Local EAP profile, select the EAP types and the certificate types to be used.
4. Up to 16 Local EAP profiles can be created.
Local EAP Other Configurations
Go to Security > Local EAP > EAP Fast Parameters to configure the EAP-FAST parameters. Go to Security > Local EAP > Authentication Priority to set the preferred order of user authentication between LDAP and the local user database.

LDAP Notes
- Used in conjunction with Local EAP
- Local EAP can be configured to use LDAP
- Configured on each WLAN
- Allows for a unique LDAP database per WLAN
LDAP Server Configuration
Go to Security > LDAP to view or configure the LDAP servers for the controller to access.

Per-WLAN LDAP Server Configuration
Go to WLAN Configuration > Security > AAA Servers to specify the LDAP servers for the WLAN to use for user authentication.
Lesson Summary
- RADIUS is a client-server protocol and software that enables remote access servers to communicate with a central server.
- ACLs need to be created and applied to the AP-Manager, management, or dynamic interfaces.
- Enabling peer-to-peer blocking mode allows the controller to prevent peer clients from communicating directly with each other through the controller.
- Authentication can be configured for individual access points.
- LSCs are installed on APs and controllers to provide better security through your own PKI.
- Using RLDP is an active approach to rogue identification.
- The Cisco NAC Appliance is a network admission control product that allows network administrators to authenticate users before allowing them onto the network.
- The Cisco Intrusion Detection System Sensor Configuration page is used to configure IDS sensors to detect various types of IP-level attacks in your network.
- Local EAP allows the Cisco WLC to be used as an authenticator for wireless clients.