Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to ask questions on how next generation wireless with 802.11n can enhance mobile performance while decreasing operational costs with Cisco expert Neil Anderson. Neil is director of Enterprise Systems Engineering with Cisco. His focus is on business networks in the areas of network design, wireless networking, voice-over-IP (VoIP), and video-over-IP systems. He has more than 20 years of broad experience in communications systems, including public telephone, mobile phone, and IP networks. Neil is the coauthor of the Networking Simplified series, published by Cisco Press.
Remember to use the rating system to let Neil know if you have received an adequate response.
Neil might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through March 7, 2008. Visit this forum often to view responses to your questions and the questions of other community members.
Can you comment on using WPA2 in a Cisco environment? I have had issues in the past where certain applications do not survive a two or three ping loss during a re-authentication (roam) in a test environment. This is with the cached credentials turned on. Every so often it will re-authenticate, and if it misses two pings or more, the app crashes.
Have you heard of this, and is there a firmware update, magic Santeria dance, or anything that addresses it?
How can we secure the LAPs' registration to the wireless controller? You know that any Cisco LAP can register itself with the wireless controller without any authentication.
Thanks in advance.
One of the advantages of using an LWAPP topology is that during establishment of the LWAPP tunnel between the LAP and WLC (controller), there is mutual authentication.
Is your question about a non-LWAPP scenario?
Are you running an LWAPP topology with centralized controllers? Also what kind of supplicants are being used on the clients?
Thanks for your reply.
Yes, I'm running LWAPP with one controller.
My question: can we use an authentication method for registering LAPs to the WLC?
In other words, I don't want to allow any new LAP to be registered automatically to the WLC without an authentication method.
For example, the administrator would be required to add the new LAP's MAC address to the WLC before it can be registered.
It seems like you could accomplish what you are trying to do using LWAPP mutual authentication and certificates. That way no one can plug in a LAP that you have not issued a certificate for.
I will have to investigate whether it's possible to MAC-lock LWAPP authentication. The LAP adding method was designed to minimize manual configuration for adding new LAPs, such as having to enter a MAC.
Wireless newbie here... I was required to quickly stand up a wireless deployment at a new warehouse/office building. I have the basic network up and working. My remote APs have associated with the 2106 in the main office, and users can associate and authenticate with the 1130G APs and can access the office network. I did the basic configs and am now looking to tighten up security. My questions are as follows:
1) The user clients are Dell laptops with integrated wireless. They authenticate using LEAP. How do I migrate to EAP, or do I need to? I have a Cisco ACS doing RADIUS authentication now.
2) Should I be using some kind of supplicant client on the laptops?
3) How do I filter MACs so rogue APs and rogue clients can't try to associate?
4) Am I correct in assuming the connections between the 1130 APs and the 2106 are secured, and if so, do I need to tweak anything to tighten them up?
5) I have an AP in the main office building that I want to set up to detect rogue APs. Do I have it associate as a regular AP and push some kind of policy to turn it into a detector?
>1) The user clients are Dell laptops with integrated wireless. They authenticate using LEAP. How do I migrate to EAP, or do I need to? I have a Cisco ACS doing RADIUS authentication now.
This depends on your company security policy, but in general EAP-FAST is considered better wireless security than LEAP. There is a good discussion about the two methods in chapter 4 of the Secure Wireless design guide here:
>2) Should I be using some kind of supplicant client on the laptops?
Is your question regarding using a supplicant versus Windows Wireless Zero Configuration built into the OS? Essentially you should choose your authentication method to meet your security policy, determine if that method is supported by the built-in supplicant in your client OS(s), and then decide if you need an add-on supplicant.
>3) How do I filter MACs so rogue APs and rogue clients can't try to associate?
MAC filtering can be challenging to implement and maintain, and it's not that difficult to spoof a MAC. For these reasons, I would recommend a couple of measures:
* rogue clients are prevented mainly by having a good client authentication in place, such as EAP-FAST
* LWAPP has built-in mutual authentication of LAPs to wireless controllers, and if desired, digital certificates can be used to prevent unauthorized LAPs from joining the network
* implement Rogue AP detection to "sniff out" unauthorized APs
Probably more important than preventing unauthorized APs from associating with your controller (which can be mitigated easily with LWAPP) is the problem of consumer-grade APs being plugged into switch ports, which do not need to associate with a controller. For this threat, it's a good idea to secure your wired infrastructure using 802.1x to authenticate devices, and also to implement "rogue" AP detection based on RF.
There is a good discussion of rogue AP detection in chapter 2 of the Secure Wireless design guide here:
>4) Am I correct in assuming the connections between the 1130 APs and the 2106 are secured, and if so, do I need to tweak anything to tighten them up?
If you are running LWAPP and mutually authenticating LAPs to WLCs, this is considered best practice.
>5) I have an AP in the main office building that I want to set up to detect rogue APs. Do I have it associate as a regular AP and push some kind of policy to turn it into a detector?
You can do rogue detection with all APs in your network, where they will go off channel for a few milliseconds and scan around them, or with dedicated APs. There is a great discussion of how to configure both in this technology paper:
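The inventory-versus-scan comparison described in the answer above, as an added Python example (not code from the thread or from Cisco): sightings the LAPs collect while scanning off channel are checked against the list of authorized LAP radio MACs, and an unknown radio advertising the corporate SSID is ranked above an ordinary rogue. All BSSIDs, SSIDs, the sample scan and the -70 dBm "probably inside the building" threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

CORPORATE_SSIDS = {"corp-wlan", "corp-guest"}                   # constructed
AUTHORIZED_BSSIDS = {"00:1a:aa:00:00:01", "00:1a:aa:00:00:02"}  # constructed LAP radio MACs
INSIDE_RSSI_DBM = -70   # assumption: anything heard this loudly is probably inside the building

@dataclass(frozen=True)
class ScanRecord:
    detecting_ap: str   # LAP that heard the beacon during its off-channel scan
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int

def classify(rec: ScanRecord) -> str:
    """Return 'authorized', 'rogue-honeypot', 'rogue' or 'external' for one sighting."""
    if rec.bssid.lower() in AUTHORIZED_BSSIDS:
        return "authorized"
    if rec.ssid in CORPORATE_SSIDS:
        return "rogue-honeypot"    # unknown radio advertising our SSID: can lure clients, handle first
    if rec.rssi_dbm >= INSIDE_RSSI_DBM:
        return "rogue"             # e.g. a consumer AP plugged into a switch port
    return "external"              # weak neighbour, track but do not chase

def triage(records: Iterable[ScanRecord]) -> Dict[str, List[str]]:
    """Report each BSSID once, classified by its strongest sighting across all LAPs."""
    strongest: Dict[str, ScanRecord] = {}
    for rec in records:
        key = rec.bssid.lower()
        if key not in strongest or rec.rssi_dbm > strongest[key].rssi_dbm:
            strongest[key] = rec
    buckets: Dict[str, List[str]] = {k: [] for k in ("authorized", "rogue-honeypot", "rogue", "external")}
    for key, rec in strongest.items():
        buckets[classify(rec)].append(key)
    return {k: sorted(v) for k, v in buckets.items()}

# Constructed sample scan results as two LAPs might report them
SAMPLE_SCAN = [
    ScanRecord("lap-1", "00:1a:aa:00:00:02", "corp-wlan", 6, -40),
    ScanRecord("lap-1", "00:aa:bb:cc:dd:ee", "corp-wlan", 11, -55),
    ScanRecord("lap-2", "00:aa:bb:cc:dd:ee", "corp-wlan", 11, -62),
    ScanRecord("lap-2", "00:11:22:33:44:55", "linksys", 1, -48),
    ScanRecord("lap-1", "00:11:22:33:44:55", "linksys", 1, -80),
    ScanRecord("lap-2", "00:99:88:77:66:55", "neighbour-cafe", 6, -85),
]
```

The RSSI threshold only separates "worth walking the floor for" from "neighbour"; the SSID match is the signal worth alerting on regardless of strength.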
What is the recommendation for controlling client access to the wireless network? Should we be using EAP with 802.1x? Also, should we consider PKI to issue digital certificates?
The best practices recommendation for client authentication is to use EAP-FAST, which does rely on 802.1x to carry the authentication frames. EAP-FAST does not require using PKI.
EAP-FAST is considered to achieve the same level of security as EAP-TLS, but with less deployment complexity since EAP-FAST can be implemented without establishing a PKI/certificate infrastructure.
Our best practice recommendation is to use EAP-FAST for Authentication and WPA2 for Encryption (WPA if WPA2 is not possible).
Can you elaborate a little bit about the need for Identity-based networking in a WI-FI environment? Is it a must at corporate level? What does Cisco offer to meet this requirement?
Do you mean at an elemental level, why deploy credentials-based wireless security instead of a site-wide key?
Assuming so, one of the reasons for using session/client specific keys is that it provides a granular way to permit/deny access to the network as a single sign-on.
So for example, if you deploy a site-wide key with WPA, it's fairly secure, but as long as a client/user has the initial password to the WPA network, they can join. What if you want to block a particular client or user? You now have to change the WPA password on all clients except the one you are trying to block.
In contrast, with credentials/identity-based keying, you can simply block that client in your AAA database, and they no longer have access to the wireless (or wired, if you also deploy 802.1x on your switches) network.
In a home network or fairly small business with a small number of clients and users, it's easier to manage, and so a site-wide key is good enough. In a corporate network with potentially thousands of clients, it makes a lot more sense to deploy identity-based keying.
Looking forward, it may also be advantageous to be able to apply policies based on the client identity. For example, not only does the identity determine if the client is allowed to join the wireless network, but in addition which network resources the client is permitted to access.
Does this answer your question?
There is a much more thorough discussion in the Secure Wireless Design guide here:
Thanks for your answer.
Before, you said that the recommendation was using EAP-FAST and WPA2. So are you saying now that for a large install it would be better to use credentials-based keying?
Sorry, I mistyped; I meant credentials-based login/auth, not keying.
Definitely EAP-FAST and WPA2 are the best practice recommendations.
I am working with ONGC Ltd. India. In our organization right now we are looking for a wireless LAN in our office. Our office has approximately 1200 users. Please guide me on which devices are required for the wireless LAN. I am waiting for your reply.
I would highly recommend starting with this Mobility Design guide, which helps you assess the requirements for your wireless network and then steps through the design and deployment aspects.
There are a number of Cisco validated design guides available for wireless networking and mobility available here:
I have a serious problem with the default route on a VPN with IPsec and preshared keys. I have four sites to connect, but to make it easier, I'll reduce it to two. The problem is to make the Internet traffic of the networks have only one default route. You will find attached the graph of the network and the config files of the sites. Please, it's very important for me to solve this problem as soon as possible.
I don't think that this is the right place to post a VPN question!
Anyway, I have looked at your config, and the first thing is: do not post passwords in the config, since I accessed the omnisport router. Please change the passwords soon!
If I deploy 1130 APs, can I set various VLANs on the AP and lease IP addresses based on user account authentication via RADIUS and LDAP?
If so, can you assist please with a plan or resource?
I am curious what your requirement is for doing this?
The scenario you are describing is a form of network virtualization, having multiple logical partitions on the same physical infrastructure.
One "brute force" way to do this, if you have a requirement for fairly "hard" partitions, is to use multiple SSIDs, so that the logical networks even extend over the air to the client. Each SSID can be mapped to a separate VLAN. This is useful for guest and partner access situations where you want a lot of separation between client populations.
Another way to do it is as you describe, to use a single SSID, but map clients to multiple VLANs and use per-VLAN address pools.
Because 802.1x authentication happens at layer 2, you authenticate the client and then assign the client to their appropriate VLAN on the AP. Once L2/802.1x authentication is completed, the client requests an IP address, which can be satisfied from the VLAN's address pool.
Here's a paper that describes how to configure this scenario:
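How the RADIUS server tells the AP which VLAN a client belongs in once 802.1x succeeds, as an added Python example (not code from the thread, the linked paper or Cisco): it builds the three RFC 3580 tunnel attributes a server returns in Access-Accept and parses them the way a careful AP should, honouring the VLAN only when all three are present, consistent and carry the same tag. The attribute numbers and values are the standard RFC 2868/3580 ones; the VLAN ids and tags used are constructed.

```python
from typing import Dict, List, Optional, Tuple

# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 uses for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
VLAN_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)

def _avp(attr: int, tag: int, value: bytes) -> bytes:
    # Type, Length (header included), then a 1-byte tag followed by the value
    body = bytes([tag]) + value
    return bytes([attr, 2 + len(body)]) + body

def vlan_assignment_avps(vlan_id: int, tag: int = 1) -> bytes:
    """AVPs the RADIUS server returns in Access-Accept to place the client in vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    return (_avp(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode("ascii")))

def parse_avps(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a run of AVPs into (type, value) pairs; reject malformed lengths instead of guessing."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad AVP length")
        out.append((attr, data[i + 2:i + length]))
        i += length
    return out

def assigned_vlan(data: bytes) -> Optional[int]:
    """What the AP/WLC should do with the Access-Accept: honour the VLAN only when all three
    attributes are present, consistent and share one tag; otherwise fall back (None)."""
    by_tag: Dict[int, Dict[int, bytes]] = {}
    for attr, value in parse_avps(data):
        if attr in VLAN_ATTRS and value:
            tagged = value[0] <= 0x1F          # RFC 2868: a first byte above 0x1F is data, not a tag
            by_tag.setdefault(value[0] if tagged else 0, {})[attr] = value[1:] if tagged else value
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"").isdigit()):
            vid = int(attrs[TUNNEL_PRIVATE_GROUP_ID])
            if 1 <= vid <= 4094:
                return vid
    return None
```

When `assigned_vlan` returns None the AP keeps the client on the SSID's default VLAN, which is the safe failure mode: a half-formed reply never moves a client into a partition the server did not fully specify.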
For some reason I cannot access that page. Based on the error, it looks like I don't have rights to that page.
Hi Jeff, sorry it looks like that paper is inside our channel partner section. I emailed it to you directly (I think). If you do not receive it, contact me back at email@example.com
We seem to be encountering excessive reauthentication failures in our environment. The controllers show this in the debugs (TxAuthWhen timeouts and excessive client 802.1x retries), and we are concerned we will have to increase the WLAN Session Timeout and/or the User Idle Timeout to compensate for these events, which usually result in the users having to reboot or manually reauthenticate via the ADU. RF coverage does not appear to be an issue. Is there a way to monitor the ACS to see if it's a bottleneck? Are the client drivers to blame? We're in the 4.0 code train.
Thanks for your input,
One of our customers is using an mPOD device manufactured by CADEM.
The mPOD device is installed with a NetGear WLAN adapter (WG111V3), which supports 802.11g (.b as well). The driver for this WLAN adapter is developed by CADEM. Please find the specifications of the NetGear adapter.
The customer says encryption works fine when this WLAN adapter is associated with Linksys access points. Encryption does not work with Cisco AP 1100/1200 series.
Could you please let me know the reason for this behavior, and is there any workaround?