WiNG5 DESIGN GUIDE By Sriram Venkiteswaran. WiNG5 Wireless Association Filters. How To Guide

Similar documents
WiNG5 CAPTIVE PORTAL DESIGN GUIDE

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG 5 How-To Guide. Role-Based Firewall. June 2011 Revision 1.0

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG 5 How-To Guide. Firewall. June 2011 Revision 1.0

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG5 How-To Guide. Network Address Translation. July 2011 Revision 1.0

VLANs. Application Note

Apple Airport Extreme Base Station V4.0.8 Firmware: Version 5.4

Application-Centric WLAN. Rob Mellencamp

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG How-To Guide. Wireless IDS. January 2009 Revision A

Features Description Benefit AP-7131N support Adaptive AP Support for the AP7131N-GR and AP7131N- GRN

Configuring Network Address Translation (NAT)

AP6511 First Time Configuration Procedure

MSC-131. Design and Deploy AirDefense Solutions Exam.

WiNG 5.X How-To Guide

UTM10 in multi-ssid, multi-vlan network with WMS5316. Network diagram

Legacy Security

Penn State Wireless 2.0 and Related Services for Network Administrators

Wireless Local Area Networks (WLANs)

Microsoft Lync Certification Configuration Guide for WiNG 5.5

CTS2134 Introduction to Networking. Module Network Security

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

To configure firewall policies, you must install the Policy Enforcement Firewall license.

RAP Installation - Updated

United States Trustee Program s Wireless LAN Security Checklist

Motorola TEAM WS M Configuring Asterisk PBX Integration

300Mbps Wireless N Gigabit Ceilling Mount Access Point

ARUBA WIRELESS AND CLEARPASS 6 INTEGRATION GUIDE. Technical Note

Configuration Guide for connecting the Eircom Advantage 4800/1500/1200 PBXs to the Eircom SIP Voice platform.

Setting up IP address distribution in a LAN

Controller Management

Deploying Cisco Basic Wireless LANs WDBWL v1.1; 3 days, Instructor-led

Design and Implementation Guide. Apple iphone Compatibility

FSM73xx GSM73xx GMS72xxR Shared access to the Internet across Multiple routing VLANs using a Prosafe Firewall

The Ultimate WLAN Management and Security Solution for Large and Distributed Deployments

Meraki Wireless Solution Comparison

PCI v2.0 Compliance for Wireless LAN

300Mbps Wireless N Ceiling Mount Access Point

BYOD: BRING YOUR OWN DEVICE.

300Mbps Wireless N Gigabit Ceilling Mount Access Point

Symantec VIP Integration with ISE

NXC5500/2500. Application Note. Captive Portal with QR Code. Version 4.20 Edition 2, 02/2015. Copyright 2015 ZyXEL Communications Corporation

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

WLAN Security: Identifying Client and AP Security

Deploying the ShoreTel IP Telephony Solution with a Meru Networks Wireless LAN

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

Intelligent WLAN Controller with Advanced Functions

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

Eliminating the cost and complexity of hardware controllers with cloud-based centralized management

Using IEEE 802.1x to Enhance Network Security

Configuration Guide. How to Configure the AP Profile on the DWC Overview

Deployment Guide: Cisco Guest Access Using the Cisco Wireless LAN Controller

A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model

Edgewater Routers User Guide

Cisco IT Validates Rigorous Identity and Policy Enforcement in Its Own Wired and Wireless Networks

Network Configuration Example

Policy Management: The Avenda Approach To An Essential Network Service

Edgewater Routers User Guide

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.

Enterprise A Closer Look at Wireless Intrusion Detection:

Cisco Unified Wireless Network Solution Positioning for the New PCI DSS Wireless Guideline

Ruckus-Bradford Interop Setup

Configure WorkGroup Bridge on the WAP131 Access Point

Getting Started Guide

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

WHITE PAPER. WEP Cloaking for Legacy Encryption Protection

The All-in-One, Intelligent WLAN Controller

On-boarding and Provisioning with Cisco Identity Services Engine

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Configuring RADIUS Server Support for Switch Services

Unified Access Point Administrator's Guide

Datasheet. Managed PoE+ Gigabit Switches with SFP. Models: ES W, ES W, ES W, ES W

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG 5 How-To Guide. Digital Certificates. July 2011 Revision 1.0

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

How To Protect A Wireless Lan From A Rogue Access Point

Fortigate Features & Demo

Lab Organizing CCENT Objectives by OSI Layer

APPLICATION NOTES Seamless Integration of LAN and WLAN through Brocade mobility products and

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Deploying ACLs to Manage Network Security

XenMobile Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

CISCO WIRELESS CONTROL SYSTEM (WCS)

Deploy and Manage a Highly Scalable, Worry-Free WLAN

Managing a FortiSwitch unit with a FortiGate Administration Guide

Good MDM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

Service Managed Gateway TM. How to Configure a Firewall

Unified Access Point (AP) Administrator s Guide

MDM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

How To Unify Your Wireless Architecture Without Limiting Performance or Flexibility

Wave IP 4.5. Wave Spectralink Phone Configuration Guide

Using Industrial Ethernet Networks for PROFInet

Cyclope Internet Filtering Proxy. - Installation Guide -

Recommended Wireless Local Area Network Architecture

Aerohive Online Exam Instructions Aerohive Certified Wireless Administrator (ACWA)

Ruckus Wireless ZoneDirector 9.1. User Guide. Part Number Rev B Published March

Transcription:

WiNG5 DESIGN GUIDE By Sriram Venkiteswaran WiNG5 Wireless Association Filters How To Guide June, 2011

TABLE OF CONTENTS HEADING STYLE INTRODUCTION... 1 Overview... 1 Applications... 1 Restrictions... 1 CONFIGURATION... 1 Deny Wireless Filters... 2 Configuration through Web UI... 2 Configuration through CLI... 6 Allow Wireless Filters... 7 Configuration through Web UI... 8 Configuration through CLI... 11 Points to Remember... 12 1-i WiNG5 Wireless Association Filters How To Guide

WiNG5 Wireless Association Filters How To Guide INTRODUCTION OVERVIEW Wireless filters can be applied to specific WLANs to grant or deny access to MUs based on individual or ranges of MAC addresses. Wireless filters may be applied to one or more WLANs and are used to grant or deny access to MUs during association. APPLICATIONS Wireless filters can be used for multiple applications including blacklisting malicious devices as well as providing an additional layer of security for less secure WLANs by restricting access to specific devices. Wireless filters may be applied to the WiNG5 Access Points using the CLI and Web UI of RFS Switch or from a Motorola AirDefense Enterprise server using SNMP when a threat is detected RESTRICTIONS Wireless filters are only used to allow or deny MUs from associating with a WLAN and are not intended to be used to filter layer 2 traffic passing through the Access Points. To restrict or limit traffic at layer 2, MAC firewall rules can be created which permits or denies traffic based on specific or wildcard source or destination MAC addresses. CONFIGURATION The following sections outline the configuration steps required to enable wireless filters on an RF Switch: Deny Wireless Association Filters Allow Wireless Association Filters In WiNG5 since the Access Points perform all the WLAN functions, the enforcement happens at the Access Point. 1-1 WiNG5 Wireless Association Filters How To Guide

DENY WIRELESS FILTERS Wireless filters can be used to block devices and a common application for wireless filtering is to block (or blacklist) associations from a suspicious of malicious device. Administrators can create up to 1000 wireless filter entries on the RF Switch which pushes the configuration to all the Access Points. The Access Points can deny access to individual MAC addresses or range of MAC addresses as required. All MAC addresses not matched by the wireless filter list will be able to associate to the WLAN. As shown in above figure wireless filtering has been deployed on a guest WLAN named MOTO-GUEST to block a device with the MAC address 00-0C-F1-25-18-F2. A wireless filter has been created on the RF Switch with a Start MAC and End MAC set to a specific devices MAC address. If the device attempts to associate with the MOTO-GUEST SSID, the AP will deny the association attempt and a log entry for the association attempt will be made. Precedence Start MAC End MAC Allow / Deny 1 00-0C-F1-25-18-F2 00-0C-F1-25-18-F2 Deny Configuration through Web UI 1. Create Association ACL a. Under the context: Configuration->Wireless->Association ACL click Add 1-2 WiNG5 Wireless Association Filters How To Guide

b. Enter Association ACL Name Deny List and Click Add Row c. Enter Precedence as 1, Starting MAC Address as 00-0C-F1-25-18-F2, Ending MAC Address 00-0C-F1-25-18-F2 and action as Deny and click OK. 1-3 WiNG5 Wireless Association Filters How To Guide

Note: This will block the client 00-0C-F1-25-18-F2 to connect to the wireless network The default rule is in an association ACL is allow all. So if a client does not match any of the rules, it will be allowed association. d. Enter Precedence as 2, Starting MAC Address as 00-27-10-24-4C-E4, Ending MAC Address as 00-27-10-24-4C-E4, action as Allow and click OK. 1-4 WiNG5 Wireless Association Filters How To Guide

Note: This will ensure that WLAN access is granted to the client with MAC address 00-27- 10-24-4C-E4. All other clients will be denied access, as the default rule is deny all. 2. Attach Association ACL to WLAN a. Under the context: Configuration->Wireless->Wireless LANS, click on the WLAN that you want to apply the ACL to b. Under the selected Wireless LAN, go to Firewall settings c. Select Association ACL as Deny List from the drop down box. The deny list is the Association ACL that was created above. 1-5 WiNG5 Wireless Association Filters How To Guide

Configuration through CLI 1. Create Association ACL rfs4000-22a5dc(config)*#association-acl-policy Deny\ List rfs4000-22a5dc(config-assoc-acl-deny List)*#deny 00-0C-F1-25-18-F2 00-0C-F1-25-18-F2 rfs4000-22a5dc(config-assoc-acl-deny List)*#show context association-acl-policy Deny\ List deny 00-0C-F1-25-18-F2 00-0C-F1-25-18-F2 precedence 1 2. Attach Association ACL to WLAN 1-6 WiNG5 Wireless Association Filters How To Guide

rfs4000-22a5dc(config)*#wlan Motorola-Guest rfs4000-22a5dc(config-wlan-motorola-guest)*# rfs4000-22a5dc(config-wlan-motorola-guest)*#use association-acl-policy Deny\ Lis t rfs4000-22a5dc(config-wlan-motorola-guest)*#show context wlan Motorola-Guest description WLAN for Guest Access ssid Motorola-Guest vlan 10 bridging-mode tunnel encryption-type none authentication-type none use association-acl-policy Deny\ List ALLOW WIRELESS FILTERS Wireless filters may also be used to allow access to a specific group of devices such as mobile handhelds or VoIP handsets while blocking associations for all other devices. As most enterprises typically deploy mobile devices from a common vendor, the vendors OUI can be leveraged in a wireless filter to restrict access to a range of the vendor s devices. As no implicit deny is provided an additional wireless filter must be created after the allow filter to block access from all other vendor devices Note: A current list of vendor assigned OUIs may be downloaded directly from the IEEE website http://standards.ieee.org/develop/regauth/oui/oui.txt 1-7 WiNG5 Wireless Association Filters How To Guide

As shown in above figure, wireless filtering has been deployed on a voice WLAN named MOTO-VOICE to only allow select SpectraLink VoIP handsets to associate with the WLAN. The first wireless filter has been created on the RF Switch / AP allowing a range of MAC addresses (00-40-96-4b-00-00 through 00-40-96-4b-ff-ff) to associate with the WLAN. A second catch all wireless filter has been created denying access to all MAC addresses from 00-00-00-00-00-01 through ff-ff-ff-ff-ff-fe. In this example an device with a MAC address that matches the range in the allow list will be allowed to associated with the WLAN. Devices which do not match the allowed list will be denied association from the Access Point and a log entry for the association attempt will be made Precedence Start MAC End MAC Allow / Deny 1 00-40-96-4B-00-00 00-40-96-4B-FF-FF Allow 2 00-00-00-00-00-01 FF-FF-FF-FF-FF-FE Deny Configuration through Web UI 1. Create Association ACL a. Under the context: Configuration->Wireless->Association ACL click Add 1-8 WiNG5 Wireless Association Filters How To Guide

b. Enter Association ACL Name Allow List and Click Add Row c. Enter Precedence as 1, Starting MAC Address as 00-40-96-4B-00-00, Ending MAC Address 00-40-96-4B-FF-FF and action as Allow and click OK. 1-9 WiNG5 Wireless Association Filters How To Guide

This will allow all the clients with MAC address in the range 00-40-96-4B-00-00 and 00-40-96-4B-FF-FF to associate to the WLAN Note: The default rule is in an association ACL is allow all. So if a client does not match any of the rules, it will be allowed association. d. Click Add Row. Enter Precedence as 2, Starting MAC Address as 00-00-00-00-00-01, Ending MAC Address as FF-FF-FF-FF-FF-FE, action as Deny and click OK. This will ensure that all clients not defined in precedence 1 is denied access to the WLAN 2. Attach Association ACL to WLAN a. Under the context: Configuration->Wireless->Wireless LANS, click on the WLAN that you want to apply the ACL to b. Under the selected Wireless LAN, go to Firewall settings c. Select Association ACL as Allow List from the drop down box. The Allow list is the Association ACL that was created above. 1-10 WiNG5 Wireless Association Filters How To Guide

Configuration through CLI 1. Create Association ACL rfs4000-22a5dc(config)*#association-acl-policy Allow\ List rfs4000-22a5dc(config-assoc-acl-deny List)*# permit 00-40-96-4B-00-00 00-40-96-4B-FF-FF precedence 1 rfs4000-22a5dc(config-assoc-acl-deny List)*# deny 00-00-00-00-00-01 FF-FF-FF-FF-FF-FE precedence 2 2. Attach Association ACL to WLAN 1-11 WiNG5 Wireless Association Filters How To Guide

rfs4000-22a5dc(config)*#wlan Motorola-Guest rfs4000-22a5dc(config-wlan-motorola-guest)*# rfs4000-22a5dc(config-wlan-motorola-guest)*#use association-acl-policy Allow\ Lis t Points to Remember To configure wireless association filters follow these 2 steps o Create an Association ACL Policy o Attach Association ACL policy to WLAN The default rule in Association ACL Policy is allow all. So if a wireless client does not match any rule, then it will be allowed access. So to deny access to a wireless clients, explicit deny rules must be created. 1-12 WiNG5 Wireless Association Filters How To Guide

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information