ASK THE EXPERT - SECURING WIRELESS NETWORKS

Unanswered Question
Feb 22nd, 2008

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to ask questions on how next generation wireless with 802.11n can enhance mobile performance while decreasing operational costs with Cisco expert Neil Anderson. Neil is director of Enterprise Systems Engineering with Cisco. His focus is on business networks in the areas of network design, wireless networking, voice-over-IP (VoIP), and video-over-IP systems. He has more than 20 years of broad experience in communications systems, including public telephone, mobile phone, and IP networks. Neil is the coauthor of the Networking Simplified series, published by Cisco Press.

Remember to use the rating system to let Neil know if you have received an adequate response.

Neil might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through March 7, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

john.preves Fri, 02/22/2008 - 18:23

Can you comment on using WPA2 in a Cisco environment? I have had issues in the past where certain applications do not survive a two or three ping loss during a re-authentication (roam) in a test environment. This is with the cached credentials turned on. Every so often it will re-authenticate, and if it misses two pings or more the app crashes.

Have you heard of this, and is there a firmware update, magic Santeria dance or anything that addresses it?

Thanks-

a.hajhamad Sun, 02/24/2008 - 00:59

Hi Neil,

How can we secure the LAPs' registration to the wireless controller? You know that any Cisco LAP can register itself with the wireless controller without any authentication.

Thanks in advance

Abd Alqader

neiander Tue, 02/26/2008 - 11:04

One of the advantages of using an LWAPP topology is that during establishment of the LWAPP tunnel between the LAP and WLC (controller), there is mutual authentication.

Is your question about a non-LWAPP scenario?

neiander Tue, 02/26/2008 - 08:18

Are you running an LWAPP topology with centralized controllers? Also what kind of supplicants are being used on the clients?

a.hajhamad Tue, 02/26/2008 - 12:29

Hi Neil,

Thanks for your reply.

Yes, I'm running LWAPP with one controller.

My question: can we use an authentication method for registering LAPs to the WLC?

In other words, I don't need to allow any new LAP to be registered automatically to the WLC without an authentication method.

For example, it would be required for the administrator to add the new LAP's MAC address to the WLC before it can be registered.

Thanks

Abd Alqader

neiander Fri, 02/29/2008 - 05:36

It seems like you could accomplish what you are trying to do using LWAPP mutual authentication and certificates. That way no one can plug in a LAP that you have not issued a certificate for.

I will have to investigate whether it's possible to MAC-lock LWAPP authentication. The LAP adding method was designed to minimize manual configuration for adding new LAPs, such as having to enter a MAC.

Wireless newbie here... I was required to quickly stand up a wireless deployment at a new warehouse/office building. I have the basic network up and working. My remote APs have associated with the 2106 in the main office, and users can associate and authenticate with the 1130G APs and can access the office network. I did the basic configs and am now looking to tighten up security. My questions are as follows:

1) The user clients are Dell laptops with integrated wireless. They authenticate using LEAP. How do I migrate to EAP, or do I need to? I have a Cisco ACS doing RADIUS authentication now.

2) Should I be using some kind of supplicant client on the laptops?

3) How do I filter MACs so rogue APs and rogue clients can't try and associate?

4) Am I correct in assuming the connections between the 1130 APs and 2106 are secured, and if so do I need to tweak anything to tighten them up?

5) I have an AP in the main office building that I want to set up to detect rogue APs. Do I have it associate as a regular AP and push some kind of policy to turn it into a detector?

neiander Fri, 02/29/2008 - 06:27

>1) The user clients are Dell laptops with integrated wireless. They authenticate using LEAP. How do I migrate to EAP, or do I need to? I have a Cisco ACS doing RADIUS authentication now.

This depends on your company security policy, but in general EAP-FAST is considered better wireless security than LEAP. There is a good discussion about the two methods in chapter 4 of the Secure Wireless design guide here:

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns386/c649/ccmigration_09186a0080871da5.pdf

>2) Should I be using some kind of supplicant client on the laptops?

Is your question regarding using a supplicant versus Windows Wireless Zero Configuration built into the OS? Essentially you should choose your authentication method to meet your security policy, determine if that method is supported by the built-in supplicant in your client OS(s), and then decide if you need an add-on supplicant.

>3) How do I filter MACs so rogue APs and rogue clients can't try and associate?

MAC filtering can be challenging to implement and maintain, and it's not that difficult to spoof a MAC. For these reasons, I would recommend a couple of measures:

* rogue clients are prevented mainly by having a good client authentication in place, such as EAP-FAST

* LWAPP has built-in mutual authentication of LAPs to wireless controllers, and if desired digital certificates can be used to prevent unauthorized LAPs from joining the network

* implement Rogue AP detection to "sniff out" unauthorized APs

Probably more important than preventing unauthorized APs from associating with your controller (which can be mitigated easily with LWAPP) is the problem of consumer-grade APs being plugged into switch ports, which do not need to associate with a controller. For this threat, it's a good idea to secure your wired infrastructure using 802.1x to authenticate devices, and also to implement RF-based "rogue" AP detection.

There is a good discussion of rogue AP detection in chapter 2 of the Secure Wireless design guide here:

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns386/c649/ccmigration_09186a0080871da5.pdf

>4) Am I correct in assuming the connections between the 1130 APs and 2106 are secured, and if so do I need to tweak anything to tighten them up?

If you are running LWAPP and mutually authenticating LAPs to WLCs, this is considered best practice.

>5) I have an AP in the main office building that I want to set up to detect rogue APs. Do I have it associate as a regular AP and push some kind of policy to turn it into a detector?

You can do rogue detection with all APs in your network, where they will go off channel for a few milliseconds and scan around them, or with dedicated APs. There is a great discussion of how to configure both in this technology paper:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml

Great questions!

joe-vieira Thu, 02/28/2008 - 10:16

Hi,

What is the recommendation for controlling client access to the wireless network? Should we be using EAP with 802.1x? Also, should we consider PKI to issue digital certificates?

Thanks

neiander Fri, 02/29/2008 - 05:44

The best practices recommendation for client authentication is to use EAP-FAST, which does rely on 802.1x to carry the authentication frames. EAP-FAST does not require using PKI.

neiander Mon, 03/03/2008 - 19:23

EAP-FAST is considered to achieve the same level of security as EAP-TLS, but with less deployment complexity since EAP-FAST can be implemented without establishing a PKI/certificate infrastructure.

joe-vieira Mon, 03/03/2008 - 12:45

One more question.

What about encryption? Is the recommended method still to use EAP-TLS with PKI?

neiander Mon, 03/03/2008 - 19:41

Our best practice recommendation is to use EAP-FAST for authentication and WPA2 for encryption (WPA if WPA2 is not possible).

joe-vieira Tue, 03/04/2008 - 09:30

Can you elaborate a little bit about the need for identity-based networking in a Wi-Fi environment? Is it a must at corporate level? What does Cisco offer to meet this requirement?

neiander Wed, 03/05/2008 - 07:10

Do you mean at an elemental level, why deploy credentials-based wireless security instead of a site-wide key?

Assuming so, one of the reasons for using session/client specific keys is that it provides a granular way to permit/deny access to the network as a single sign-on.

So for example, if you deploy a site-wide key with WPA, it's fairly secure, but as long as a client/user has the initial password to the WPA network, they can join. What if you want to block a particular client or user? You now have to change the WPA password on all clients except the one you are trying to block.

In contrast, with credentials/identity based keying, you can simply block that client in your AAA database, and they no longer have access to the wireless (or wired if you also deploy 802.1x on your switches) network.

In a home network or fairly small business with a small number of clients and users, it's easier to manage, and so a site-wide key is good enough. In a corporate network with potentially thousands of clients, it makes a lot more sense to deploy identity-based keying.

Looking forward, it may also be advantageous to be able to apply policies based on the client identity. For example, not only does the identity determine if the client is allowed to join the wireless network, but in addition which network resources the client is permitted to access.

Does this answer your question?

There is a much more thorough discussion in the Secure Wireless Design guide here:

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns386/c649/ccmigration_09186a0080871da5.pdf

joe-vieira Wed, 03/05/2008 - 13:52

Thanks for your answer.

Before you said that the recommendation was using EAP-FAST and WPA2. So you're saying now that for a large install that it would be better to use credentials based keying?

neiander Fri, 03/07/2008 - 05:43

Joe,

Sorry, I mis-typed; I meant credentials-based login/auth, not keying.

Definitely EAP-FAST and WPA2 are the best practice recommendations.

pradip.chavda Fri, 02/29/2008 - 04:10

Respected sir,

I am working with ONGC Ltd. India. In our organization right now we are looking for a wireless LAN in our office. Our office has approximately 1200 users. Please guide me on which devices are required for the wireless LAN. I am waiting for your reply.

neiander Fri, 02/29/2008 - 05:49

I would highly recommend starting with this Mobility Design guide, which helps you assess the requirements for your wireless network and then steps through the design and deployment aspects.

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns279/c649/ccmigration_09186a00808d9330.pdf

There are a number of Cisco validated design guides available for wireless networking and mobility available here:

http://www.cisco.com/go/srnd

FONKOU FOSSO Fri, 02/29/2008 - 20:14

Hello,

I have a serious problem with the default route on a VPN with IPsec and preshared keys. I have four sites to connect, but to make it easier, I reduce it to two. The problem is to make the internet traffic of the networks have only one default route. You will find attached the graph of the network and the config files of the sites. Please, it's very important for me to solve this problem as soon as possible.

Sincerely

Attachment: 
a.hajhamad Sat, 03/01/2008 - 00:13

Hi,

I don't think that this is the right place to post a VPN question!

Anyway, I have looked at your config and the first thing is: do not post passwords in the config, since I accessed the omnisport router. Please change the passwords soon!

Regards

Abd Alqader

neiander Sat, 03/01/2008 - 07:51

I would suggest asking this question on the VPN and Security forums.

lansingschools_ops Wed, 03/05/2008 - 08:23

If I deploy 1130 APs, can I set various VLANs on the AP and lease IP addresses based on user account authentication via RADIUS and LDAP?

If so can you assist please with a plan or resource.

Thanks

neiander Thu, 03/06/2008 - 06:49

I am curious what your requirement is for doing this.

The scenario you are describing is a form of network virtualization, having multiple logical partitions on the same physical infrastructure.

One "brute force" way to do this, if you have a requirement for fairly "hard" partitions, is to use multiple SSIDs, so that the logical networks even extend over the air to the client. Each SSID can be mapped to a separate VLAN. This is useful for guest and partner access situations where you want a lot of separation between client populations.

Another way to do it is as you describe, to use a single SSID, but map clients to multiple VLANs and use per-VLAN address pools.

Because 802.1x authentication happens at layer 2, you authenticate the client and then assign the client to their appropriate VLAN on the AP. Once L2/802.1x authentication is completed, the client requests an IP address, which can be satisfied from the VLAN's address pool.

Here's a paper that describes how to configure this scenario:

http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

lansingschools_ops Thu, 03/06/2008 - 11:43

For some reason I cannot access that page. Based on the error, it looks like I don't have rights to that page.

Thanks,

Lansing

Neil,

We seem to be encountering excessive reauthentication failures in our environment. The controllers show this in the debugs (TxAuthWhen timeouts and excessive client 802.1x retries) and we are concerned we will have to increase the WLAN Session Timeout and/or the User Idle Timeout to compensate for these events, which usually result in the users having to reboot or manually reauthenticate via the ADU. RF coverage does not appear to be an issue. Is there a way to monitor the ACS to see if it's a bottleneck? Are the client drivers to blame? We're in the 4.0 code train.

Thanks for your input,

--Bruce Johnson

visprasa Wed, 03/05/2008 - 21:56

One of our customers is using an mPOD device manufactured by CADEM.

mPOD device is installed with NetGear WLAN adapter (WG111V3) which supports 802.11g (.b as well). The driver for this WLAN adapter is developed by CADEM. Please find the specifications of the NetGear adapter.

The customer says Encryption works fine when this WLAN adapter is associated with Linksys Access Points. Encryption does not work with Cisco AP 1100/1200 series.

Could you please let me know the reason for this behavior, and is there any workaround?

Hi,

It's a LEAP deployment, and I should correct myself: the debug timer messages refer to 'reAuthWhen.' Clients are either Cisco cards or Atheros cards, both using Cisco or Atheros ADU client supplicants. The WLAN Session Timeout is at the default of 1800 seconds. I hate to have to extend this out further, given the vulnerability of LEAP. I also wondered if it was related to client inactivity, and whether the User Idle Timeout may be applicable to the issue.

Regards,

--Bruce Johnson

neiander Fri, 03/07/2008 - 10:56

Hi Bruce,

If I understand you correctly you are seeing auth failures in the statistics at the controller. Do you have clients that are having issues?

The reason I ask is that one thing our wireless security looks for in terms of wireless intrusion (intentional or unintentional) is an abundance of auth failures.

If you rule that out, you may want to try and capture what is happening from the client point of view. Auth failures can happen even from wireless interference, i.e. the RF itself is having issues which would show up in client statistics as things like CRC errors.

Another possibility is that ACS is not functioning properly or may be being over saturated with requests.

How many clients are being authenticated through your ACS and what do you think your likely TPS may be?
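The triage Neil describes above, as an added example that is not part of the thread: parse auth events and decide whether failures are concentrated on a few clients (supplicant/driver trouble, or an unauthorized join attempt worth investigating) or spread across the population (look at RF quality or AAA server load). The log format, MAC addresses and thresholds are constructed for the example, not a real WLC debug format.

```python
"""Triage 802.1x auth failures: concentrated on a few clients, or widespread?
The event format below is CONSTRUCTED for this example (not a WLC format)."""
import re
from collections import Counter

# Constructed sample events: "<seconds> <client-mac> <AUTH_OK|AUTH_FAIL>".
# Client ...:02 retries and fails repeatedly; ...:05 fails once, then succeeds.
SAMPLE_LOG = """\
0 00:11:22:33:44:01 AUTH_OK
5 00:11:22:33:44:02 AUTH_FAIL
9 00:11:22:33:44:03 AUTH_OK
14 00:11:22:33:44:02 AUTH_FAIL
20 00:11:22:33:44:04 AUTH_OK
25 00:11:22:33:44:02 AUTH_FAIL
31 00:11:22:33:44:05 AUTH_FAIL
36 00:11:22:33:44:05 AUTH_OK
40 00:11:22:33:44:02 AUTH_FAIL
47 00:11:22:33:44:06 AUTH_OK
this line is not an auth event and is skipped
"""

LINE_RE = re.compile(
    r"^(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(AUTH_OK|AUTH_FAIL)$", re.I)


def parse(log):
    """Return (seconds, mac, kind) tuples; lines that do not match are ignored."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2).lower(), m.group(3).upper()))
    return events


def triage(events, per_client_threshold=3, widespread_ratio=0.5):
    """Classify failure volume. Thresholds are illustrative assumptions."""
    fails = Counter(mac for _, mac, kind in events if kind == "AUTH_FAIL")
    clients = {mac for _, mac, _ in events}
    flagged = sorted(mac for mac, n in fails.items() if n >= per_client_threshold)
    failing_share = len(fails) / len(clients) if clients else 0.0
    if failing_share >= widespread_ratio:
        verdict = "widespread"    # many clients failing: check RF (CRC errors) or AAA load
    elif flagged:
        verdict = "concentrated"  # a few clients retrying: supplicant/driver or unauthorized
    else:
        verdict = "normal"
    return {"verdict": verdict, "flagged": flagged,
            "failing_share": round(failing_share, 2),
            "total_failures": sum(fails.values())}


if __name__ == "__main__":
    print(triage(parse(SAMPLE_LOG)))
```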

neiander Thu, 03/06/2008 - 08:13

I am not familiar with the NetGear adapter. I have encountered only one situation where an AP and client had a compatibility issue.

What wireless security model are you running?

tpacjer Thu, 03/06/2008 - 08:33

Is it possible to use Microsoft ISA Server in conjunction with Steel Belted Radius? I am going to be using ISA as the primary and would like to use Steel Belted as the backup for redundancy.

neiander Fri, 03/07/2008 - 05:45

Not sure about using MS-ISA with Radius. I suggest asking this question on one of the AAA threads.

bermanmf2 Thu, 03/06/2008 - 15:17

Naive question here. Why does the Cisco Aironet Desktop Utility for XP not include a choice for EAP-TTLS? I've been told we must turn off the Cisco Aironet Desktop Utility and rely on Windows configuration and a 3rd-party vendor such as SecureW2. Is there a way to use Cisco's configuration with EAP-TTLS? Can you point me to a white paper that explains this?

Many thanks.

neiander Fri, 03/07/2008 - 06:26

In general, WLAN client utilities such as Cisco ACU (and you will find this true of many other WLAN NIC vendors) are typically stop-gap measures to support extensions to a WiFi standard until they are available in the majority of client OS's.

This was particularly the case when holes in WiFi security were being found regularly about 5-6 years ago, and so newer and better authentication methods like PEAP and EAP had to be devised.

It takes considerable time for those extensions to work their way into OS's like MS-Windows XP. So you needed an additional client.

Current versions with SPs applied have "caught up" on many of the WiFi security extensions, and so for protocols like EAP-TLS you don't necessarily need an additional WiFi NIC client; you can use the OS built-in functionality.

The vast majority of Cisco customers told us that they would much rather not have to manage an additional client software on all client machines if they didn't have to, and so we always try to leverage client OS built-in functionality to reduce Operations costs for our customers.

neiander Fri, 03/07/2008 - 10:41

As far as I am aware, Microsoft's strategy is to incorporate only standardized WiFi security and functionality natively in the OS.

CCX inherently offers extensions beyond standardization for WLAN NICs when operating on a Cisco wireless network.

So I think it's likely over time that some CCX features become standardized and integrated into the OS natively, but as long as WiFi continues to quickly evolve, I think it's unlikely Windows OS will include all of CCX at a given point in time.
