WLAN Security: Identifying Client and AP Security



2010 Cisco Systems, Inc. All rights reserved. CUWN v7.0

Lesson Overview and Objectives

Overview
This lesson provides detailed discussions of the Cisco Unified Wireless Network security options, considerations, issues, and the configuration steps necessary for implementation.

Objectives
Upon completing this lesson, you will be able to explain the purpose for and operation of key security features that are configured through Cisco wireless administration tools. This ability includes being able to meet these objectives:
- Describe AAA implementation and configuration
- Describe how to create a new ACL
- Explain the purpose of peer-to-peer blocking mode
- Describe global configuration parameters for 802.1X authentication for APs
- Explain how to configure LSCs, both globally and on the AP
- Describe how to view and configure the WLAN to mitigate penetration by rogue APs
- Explain how to configure the Cisco NAC Appliance
- Explain how to configure the intrusion detection system sensor
- Describe the methods that are supported with Local EAP and their configurations

Implement AAA Authentication

Go to Security > AAA > RADIUS > Authentication to add RADIUS authentication servers or to view the list of RADIUS servers already configured.

Adding a RADIUS Authentication Server

When adding a new server, the Server Index determines the order in which the servers are tried: the controller attempts the server with the lowest index first and falls back to the next index if that server does not respond. Each server entry also carries the shared secret that authenticates the RADIUS exchange. Use a long, distinct secret per server and keep it identical on the RADIUS side; a mismatched secret does not produce an obvious error but shows up as failed authentications and as replies the controller discards, which can make a healthy server look unresponsive.
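The RADIUS exchange between the controller (acting as the NAS) and the authentication server, worked end to end, as an added example that is not part of the Cisco course material. It builds an Access-Request with the RFC 2865 User-Password hiding, has a simulated server recover the password and answer, and has the NAS validate the Response Authenticator. All values (shared secret, user database, NAS address, password) are constructed for the example; nothing is sent on the network.

```python
"""RFC 2865 Access-Request / Access-Accept round trip, simulated in-process.

Added example. Constructed sample values throughout; no network I/O.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _xor_chain(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2 User-Password transform: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the Request Authenticator seeds
    the chain. Hiding and revealing share the loop; only 'previous' differs."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(block, pad))
        out += c
        prev = c if hiding else block
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * ((-len(password)) % 16)
    padded = padded or b"\x00" * 16  # an empty password still sends one block
    return _xor_chain(padded, secret, request_auth, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    # Trailing NULs are padding, so a password cannot itself end in NUL.
    return _xor_chain(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def build_packet(code: int, identifier: int, authenticator: bytes, body: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(packet):
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def response_authenticator(code, identifier, body, request_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def nas_build_access_request(username, password, nas_ip, secret, identifier):
    """Controller (NAS) side. Returns the packet and the Request Authenticator,
    which the NAS must keep to validate the reply."""
    request_auth = os.urandom(16)
    body = (_tlv(ATTR_USER_NAME, username.encode())
            + _tlv(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
            + _tlv(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, body), request_auth


def server_handle(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Simulated RADIUS server: recover the password, check it, answer."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attributes(request)
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT
    body = b""  # no reply attributes in this example
    auth = response_authenticator(code, identifier, body, request_auth, secret)
    return build_packet(code, identifier, auth, body)


def nas_verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: a reply whose Response Authenticator does not verify is
    discarded, which is what happens with a forged reply or a mismatched secret."""
    code, identifier, _ = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, identifier, response[20:], request_auth, secret)
    return response[4:20] == expected


# Constructed sample values (not real credentials).
SECRET = b"constructed-shared-secret"
USER_DB = {"alice": b"correct horse battery"}


def exchange(username: str, password: str, server_secret: bytes = SECRET) -> tuple:
    """One NAS <-> server round trip. Returns (reply code, reply verified by NAS)."""
    req, request_auth = nas_build_access_request(username, password, "10.0.0.5", SECRET, identifier=7)
    reply = server_handle(req, server_secret, USER_DB)
    return reply[0], nas_verify_response(reply, request_auth, SECRET)


if __name__ == "__main__":
    print(exchange("alice", "correct horse battery"))                      # (2, True): Access-Accept
    print(exchange("alice", "wrong"))                                      # (3, True): Access-Reject
    print(exchange("alice", "correct horse battery", server_secret=b"x"))  # (3, False): discarded
```

The third call is the mismatched-secret case from the slide: the server cannot recover the password, rejects, and signs its reply with its own secret, so the controller's check fails and the reply is dropped as if it had never arrived. The MD5-based hiding is the only protection RADIUS gives the password, which is why the shared secret needs real entropy and why RADIUS traffic belongs on a protected management network.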

Per-WLAN RADIUS Authentication

Per-WLAN RADIUS authentication overrides the global server priorities. Go to the WLAN > Configuration > Security > AAA Servers tab to configure up to three servers for the WLAN to use.

AAA Local Authentication Database

Go to Security > AAA > Local Net Users to create a local database of WLAN users. Each entry is authorized for a specific WLAN, selected by WLAN ID from the drop-down menu. The controller first attempts to authenticate a user against the local database; if no matching local user name is found, it then attempts RADIUS authentication.

Local Database Entries

Go to Security > AAA > General to set the maximum number of entries allowed in the local database. Local database entries include:
- Local Management Users
- Local Network Users
- MAC Filter Entries
- Exclusion List Entries
- AP Authorization List Entries

Configuring MAC Filtering

Use Security > AAA > MAC Filtering to control network access based on the MAC address of the devices (usually clients). A client MAC address is transmitted in the clear and is trivially changed, so MAC filtering is an access-control convenience rather than authentication; on any WLAN that carries sensitive traffic, pair it with Layer 2 encryption (WPA2) or 802.1X.

Enabling MAC Filtering on WLANs

After entering the allowed MAC addresses:
1. Go to the WLAN Configuration page to enable MAC Filtering per WLAN.
2. Choose Security > Layer 2.
3. Check MAC Filtering.

Configuring Disabled Clients

Clients can be manually blocked from using the network by going to Security > AAA > Disabled Clients and entering their MAC address.

Limiting Concurrent Logins for a User

By default, a user can log in (authenticate) on an unlimited number of concurrent sessions. Go to Security > AAA > User Login Policies to set the maximum number of concurrent sessions allowed per user, in the range of 1 to 8.

Creating a New ACL

Go to Security > Access Control Lists to create or view ACLs. After the ACL has been created, click its name to edit it.

ACL Rules

Each ACL has one or more rules that permit or deny specific traffic, and each ACL can have up to 64 rules. Rules are evaluated in sequence order and the first match decides; traffic that matches no rule is dropped by the implicit deny at the end of every ACL, so an applied ACL with no permit rule blocks all traffic.

CPU Access Control List

Go to Security > Access Control Lists > CPU Access Control Lists to specify a CPU ACL. This ACL controls traffic destined to the controller CPU itself (management and control-plane traffic), as opposed to client data traffic passing through the controller.
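First-match evaluation with the implicit deny, as an added example (not the controller's code): it models the fields the ACL editor exposes (sequence, source and destination network with netmask, protocol, destination port range, direction, action) over constructed guest-WLAN rules and packets, and shows how moving one deny rule below broad permits silently shadows it. The simplified "in"/"out"/"any" direction handling is an assumption of this model; confirm the direction semantics against the release notes for the controller you run.

```python
"""WLC-style ACL: rules in sequence order, first match wins, implicit deny.

Added example with constructed rules and packets, not controller code.
"""
import ipaddress
from dataclasses import dataclass, replace

MAX_RULES = 64  # per-ACL limit stated in the lesson


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"         # CIDR or "address/netmask", as the editor takes it
    dst: str = "0.0.0.0/0"
    protocol: str = "any"          # "any", "tcp", "udp", "icmp"
    dst_ports: tuple = (0, 65535)  # inclusive range, only meaningful for tcp/udp
    direction: str = "any"         # "in", "out", "any" (assumed semantics)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: int = 0
    direction: str = "in"


def _in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != "any" and rule.direction != pkt.direction:
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    lo, hi = rule.dst_ports
    if rule.protocol in ("tcp", "udp") and not lo <= pkt.dst_port <= hi:
        return False
    return _in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)


def evaluate(acl: list, pkt: Packet) -> tuple:
    """Return (action, seq) of the first matching rule in sequence order,
    or ("deny", None) for the implicit deny when nothing matches."""
    if len(acl) > MAX_RULES:
        raise ValueError(f"ACL exceeds {MAX_RULES} rules")
    for rule in sorted(acl, key=lambda r: r.seq):
        if matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


def oversize_rejected() -> bool:
    """True if a 65-rule ACL is refused, as the 64-rule limit requires."""
    try:
        evaluate([Rule(i, "permit") for i in range(65)], Packet("1.1.1.1", "2.2.2.2", "icmp"))
    except ValueError:
        return True
    return False


# Constructed guest-WLAN ACL: block the internal range, then allow DNS and web.
GUEST_ACL = [
    Rule(1, "deny", dst="10.0.0.0/255.0.0.0"),                  # internal networks
    Rule(2, "permit", protocol="udp", dst_ports=(53, 53)),      # DNS
    Rule(3, "permit", protocol="tcp", dst_ports=(80, 80)),      # HTTP
    Rule(4, "permit", protocol="tcp", dst_ports=(443, 443)),    # HTTPS
]

# Same rules with the deny re-sequenced below the permits: the broad permits
# now shadow it, so HTTPS to an internal server slips through.
SHADOWED_ACL = [replace(r, seq=5) if r.action == "deny" else r for r in GUEST_ACL]

if __name__ == "__main__":
    internal_https = Packet("192.168.50.10", "10.1.2.3", "tcp", 443)
    print(evaluate(GUEST_ACL, internal_https))     # ('deny', 1)
    print(evaluate(SHADOWED_ACL, internal_https))  # ('permit', 4): ordering bug
    print(evaluate(GUEST_ACL, Packet("192.168.50.10", "8.8.8.8", "tcp", 22)))  # ('deny', None)
```

The last line is the implicit deny at work: SSH to the Internet matches nothing and is dropped without any rule saying so. When an ACL "mysteriously" blocks a service, look for that case first; when it "mysteriously" allows one, look for a permit sequenced above the deny that was meant to catch it.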

Peer-to-Peer Blocking Mode

Peer-to-peer blocking prevents clients on the same WLAN from communicating directly with each other through the controller: traffic between two wireless clients is dropped at the controller, while traffic to the wired network (for example, servers behind the controller) is forwarded normally. This limits lateral movement between wireless clients, such as a compromised laptop scanning its neighbours on a guest WLAN.

Enabling Peer-to-Peer Blocking

Go to WLAN Configuration > Advanced to enable or disable P2P Blocking (the default is disabled).

Client Exclusion Policies

Client exclusion policies configure the controller to exclude clients under certain conditions. Go to Security > Wireless Protection Policies > Client Exclusion Policies to select which failures (for example, repeated 802.11 association or authentication failures, repeated 802.1X or web authentication failures, or IP theft) cause a client to be excluded.

Rogue APs

1. Go to Monitor > Rogues to view lists of the different rogue APs and clients detected in the network.
2. Select the type of rogue from the menu on the left: Friendly, Malicious, or Unclassified APs; Rogue Clients; or Ad hoc Rogues.
3. Choose the rogue MAC address to view details and to perform actions such as classifying or containing the rogue.

Classifying and Containing Rogues

1. On the Rogue Detail page, classify the rogue as Friendly, Malicious, or Unclassified.
2. If you choose to contain the rogue, you can also select how many APs will work to contain it.
3. For improved rogue scanning and containment, configure more APs in Monitor Mode.

Containment works by having your APs send deauthentication frames to the rogue and its clients. Confirm that a device is actually a threat, for example that it is connected to your wired network, before containing it: containing a neighbouring organisation's legitimate AP disrupts their service and can have legal consequences.

RLDP and Auto-Containment

Go to Security > Wireless Protection Policies > General to enable RLDP and auto-containment. With RLDP (Rogue Location Discovery Protocol), an AP associates to the rogue as a client, obtains an address through it, and sends a packet to the controller; if the packet arrives, the rogue is confirmed to be attached to your wired network. RLDP only works against open (unencrypted) rogues and takes the AP off its serving channel while it runs. Auto-containment applies the containment action without an administrator's review, so enable it only for rogue categories you are confident are hostile, such as rogues confirmed on the wire.

Shunned Clients

To view clients that have been shunned by the controller because of CIDS (Cisco IDS) events, choose Security > Advanced > CIDS > Shunned Clients.

Remote and Branch Office Security Solutions: Local EAP

The following EAP methods are supported with Local EAP:
- LEAP
- EAP-FAST (both username/password with a PAC, and certificates)
- EAP-TLS
- PEAPv0/MS-CHAPv2
- PEAPv1/GTC
MAC authentication is also supported.

Local EAP authentication can be used when the Cisco WLC cannot reach the configured RADIUS servers, or on its own where no RADIUS server is deployed. It supports local users or LDAP users and requires WLAN configuration.

LEAP is included for legacy clients only: its MS-CHAP exchange is not protected by a TLS tunnel, and a captured handshake can be attacked offline with a dictionary. Prefer EAP-TLS, PEAP, or EAP-FAST for new deployments.

Local EAP General Configuration

Go to Security > Local EAP > General to view or configure Local EAP timers.

Local EAP Profiles

1. Go to Security > Local EAP > Profiles to view or create Local EAP profiles.
2. Click a profile name to edit the profile.
3. In the Local EAP profile, select the EAP types and the certificates to be used.
4. You can create up to 16 Local EAP profiles.

Local EAP Other Configurations

Go to Security > Local EAP > EAP-FAST Parameters to configure EAP-FAST parameters such as the authority ID, the PAC time to live, and whether anonymous provisioning is allowed. Anonymous in-band PAC provisioning is convenient but exposes the initial exchange to an attacker posing as the server, so disable it once clients have their PACs or provision PACs out of band.

Go to Security > Local EAP > Authentication Priority to set the order in which the controller consults LDAP and the local user database when authenticating a user.

LDAP Notes
- Used in conjunction with Local EAP: Local EAP can be configured to use LDAP
- Configured on each WLAN, which allows a unique LDAP database per WLAN

LDAP Server Configuration

Go to Security > LDAP to view or configure the LDAP servers the controller can query.

Per-WLAN LDAP Server Configuration

Go to WLAN Configuration > Security > AAA Servers to specify the LDAP servers the WLAN uses for user authentication.

Lesson Summary

- RADIUS is a client-server protocol that enables a network access server (here, the controller) to authenticate, authorize, and account for users against a central server.
- ACLs must be created and then applied to the AP-manager, management, or dynamic interfaces (or to a WLAN or the controller CPU) before they take effect.
- Enabling peer-to-peer blocking lets the controller prevent peer clients from communicating directly with each other through the controller.
- 802.1X authentication can be enabled for access points globally and for individual access points.
- LSCs are installed on APs and controllers to provide better security through your own PKI rather than relying only on the Cisco-installed manufacturing certificates.
- RLDP is an active approach to rogue identification.
- The Cisco NAC Appliance is a network admission control product that lets administrators authenticate users and check their posture before allowing them onto the network.
- The Cisco IDS Sensor Configuration page is used to add IDS sensors that detect various types of IP-level attacks in your network; clients the sensor reports are shunned by the controller.
- Local EAP allows the Cisco WLC itself to act as the EAP authentication server for wireless clients. The controller is always the 802.1X authenticator; with Local EAP it also takes the role a RADIUS server would normally play.