
ASK THE EXPERT - WIRELESS SECURITY

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address your Wireless Security concerns with Cisco expert Sangita Patel. Sangita is a Mobility Solutions Manager at Cisco. As a Solutions Manager, Sangita is responsible for the marketing strategy of Cisco Mobility Solutions with an emphasis on articulating the business value of wireless security as well as the unified wired and wireless approach to enterprise-wide mobility. She has over 15 years of networking industry experience. Prior to joining Cisco, Sangita served as a Product Manager at Symbol Technologies / Motorola and was responsible for some of their flagship Wireless LAN infrastructure and management portfolio. Sangita holds a B.S. in Computer Science from San Jose State University and M.S. in Engineering Management from Santa Clara University.

Remember to use the rating system to let Sangita know if you have received an adequate response.

Sangita might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through September 25, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

56 REPLIES
New Member

Re: ASK THE EXPERT - WIRELESS SECURITY

I was wondering how to set up a network between two separate buildings on the same property; both have their own DSL circuit from AT&T. No underground conduit is available to connect the two buildings. I would like to use (2) Cisco WRVS4400N Gigabit Security Routers to do this, because both buildings want wireless networking plus wired networking available. The main building already has a small "home" network created between (8) PCs, and their OS is Win XP Pro.

Sure would appreciate the help!

Thanks!

Hall of Fame Super Gold

Re: ASK THE EXPERT - WIRELESS SECURITY

Configure bridging.

New Member

Re: ASK THE EXPERT - WIRELESS SECURITY

Thanks for the response.

Yes, I figured the ADSL lines coming into both modems would need to be bridged to the Cisco WRVS4400 routers on both sides; I'm just not sure what to do from there. How will computers from the second building access the file server and join the one network located in the main building? Is there more of a step-by-step instruction manual I can get for these routers or for the procedure I'm trying to set up between both buildings?

Sure appreciate the feedback!

Thanks!

Hall of Fame Super Gold

Re: ASK THE EXPERT - WIRELESS SECURITY

I meant configure two Access Points as Bridges.

Wireless Bridges Point-to-Point Link Configuration Example

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008058f53e.shtml

Access Point as a Workgroup Bridge Configuration Example

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_example09186a00805b9b87.shtml

Hope this helps.

Cisco Employee

Re: ASK THE EXPERT - WIRELESS SECURITY

Sales Engineer should be able to help design and point you to the right configuration documents.

Cisco Employee

Re: ASK THE EXPERT - WIRELESS SECURITY

Great to see everyone helping out.

Cisco Employee

Re: ASK THE EXPERT - WIRELESS SECURITY

This is certainly one option. Best to design it out with an SE.

New Member

Re: ASK THE EXPERT - WIRELESS SECURITY

Hello everyone;

I'm trying to configure a Cisco Aironet 1250N, but I cannot get a rate faster than 54 Mbps, which is passing. I have a Linksys WMP300N wireless card; could someone help me?

Hall of Fame Super Gold

Re: ASK THE EXPERT - WIRELESS SECURITY

Make sure you have Open encryption or WEP enabled.

Cisco Employee

Re: ASK THE EXPERT - WIRELESS SECURITY

Best to follow client security recommendations to properly secure the network including clients.

Cisco Employee

Re: ASK THE EXPERT - WIRELESS SECURITY

Hi Rod - so there could be a few things happening. I will try and provide some information, but if this doesn't help you might want to contact TAC and do further troubleshooting. Assuming your controller is at 4.2.x or later, make sure that you have configured the radios for bonded channel configuration. In order for your clients to be able to realize 11n rates, the necessary WLANs need to be enabled for WMM (either 'allowed' or 'required', depending on your needs and client support).

Also, you should have AES cryptography on all encrypted links. You should have WPA2 AES enabled (with either PSK or back-end AAA) or that WLAN won't work at all for 11n rates. You can go for a mixture (WPA with TKIP or AES and WPA2 with TKIP), just so long as you have WPA2 with AES enabled.

The easiest way to make sure that your clients are connected at these rates (after you make sure your WLAN config is set per recommendation) is to check the client records in the WLC GUI or via WCS.
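The reply above lists the WLAN settings an 802.11n client needs before it can negotiate HT rates (WMM on, WPA2 with AES-CCMP offered, channel bonding for the 40 MHz rates). The following checker is an added example, not code from the thread or from Cisco; it encodes those rules (plus the 802.11n rule that WEP and TKIP associations are capped at legacy rates) as a small config lint you can run over constructed WLAN definitions. The `WlanConfig` fields, cipher labels and sample WLANs are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Ciphers that 802.11n allows on HT (high-throughput) rates.
# WEP and TKIP are legacy-only: a client negotiating them stays at <= 54 Mbps.
# "none" (open) technically carries HT rates but is flagged below as a security finding.
HT_CAPABLE_CIPHERS = {"aes-ccmp", "none"}


@dataclass
class WlanConfig:
    """Constructed model of the WLAN/radio settings discussed in the thread (not a WLC API)."""
    name: str
    wmm: str = "disabled"                      # "disabled" | "allowed" | "required"
    ciphers: set = field(default_factory=set)  # ciphers the WLAN offers, e.g. {"aes-ccmp", "tkip"}
    channel_width_mhz: int = 20                # 20, or 40 when channel bonding is configured


def check_11n(cfg):
    """Return (ht_rates_possible, findings).

    findings explains what blocks HT rates entirely, what degrades them for
    some clients, and which offered ciphers are a security problem.
    """
    findings = []
    if cfg.wmm not in ("allowed", "required"):
        findings.append("WMM disabled: 802.11n clients fall back to legacy rates")
    if not (cfg.ciphers & HT_CAPABLE_CIPHERS):
        findings.append("no WPA2/AES-CCMP option offered: a WEP/TKIP-only WLAN never carries HT rates")
    if "tkip" in cfg.ciphers and "aes-ccmp" in cfg.ciphers:
        findings.append("mixed mode: clients that negotiate TKIP are capped at legacy rates")
    if "wep" in cfg.ciphers or "none" in cfg.ciphers:
        findings.append("security: open/WEP offered; use WPA2 with AES-CCMP (PSK or back-end AAA)")
    if cfg.channel_width_mhz < 40:
        findings.append("20 MHz channel: only HT-20 rates available; enable channel bonding for 40 MHz rates")
    ht_ok = cfg.wmm in ("allowed", "required") and bool(cfg.ciphers & HT_CAPABLE_CIPHERS)
    return ht_ok, findings


def client_rate_class(cfg, negotiated_cipher):
    """Rate class one associated client ends up in, given the cipher it actually negotiated."""
    ht_ok, _ = check_11n(cfg)
    if not ht_ok or negotiated_cipher not in HT_CAPABLE_CIPHERS:
        return "legacy (<= 54 Mbps)"
    return "HT-40" if cfg.channel_width_mhz >= 40 else "HT-20"


# Constructed sample WLANs: the "stuck at 54 Mbps" case, a recommended one, and a mixed one.
SAMPLE_WLANS = [
    WlanConfig("legacy-tkip", wmm="disabled", ciphers={"tkip"}),
    WlanConfig("corp-11n", wmm="required", ciphers={"aes-ccmp"}, channel_width_mhz=40),
    WlanConfig("corp-mixed", wmm="allowed", ciphers={"aes-ccmp", "tkip"}, channel_width_mhz=40),
]

if __name__ == "__main__":
    for wlan in SAMPLE_WLANS:
        ok, findings = check_11n(wlan)
        print(f"{wlan.name}: HT rates {'possible' if ok else 'NOT possible'}")
        for f in findings:
            print("  -", f)
        for cipher in sorted(wlan.ciphers):
            print(f"  client on {cipher}: {client_rate_class(wlan, cipher)}")
```

The per-client function is the part the thread's last sentence points at: on a mixed WPA/WPA2 WLAN the WLAN passes the check, yet a card that negotiated TKIP still shows up at 54 Mbps in the WLC client records.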

Cisco Employee

Re: ASK THE EXPERT - WIRELESS SECURITY

Hi, thanks for the post. Overall this is more a general deployment topic and you would be best suited to work with a Sales Engineer and do a design session so that you can design an optimal network for the applications you are deploying.

Hall of Fame Super Gold

Re: ASK THE EXPERT - WIRELESS SECURITY

Thanks for the opportunity to open this topic. A significant number of the forum experts are unhappy as to the implications and solutions to the recently announced vulnerability of OTAP that was first discovered by Jerome Henry and made public by AirMagnet.

According to some, even when OTAP is disabled (by default) the details of the WLC's IP and MAC address are still being advertised in the open.

Hope to hear from you soon, Sangita.

Cisco Employee

Re: ASK THE EXPERT - WIRELESS SECURITY

Hi thanks for the message. Yes the OTAP vulnerability is known and is going to be completely disabled in a 6.0.x patch. Having said that there are ways to apply best practices for your WLAN to help minimize security risk.

Below are good references on understanding OTAP and detecting Rogues.

Useful References for customers:

1. IntelliShield alert

2. Tech Note - “Understanding OTAP”

3. Whitepaper - “Rogue Detection under Unified Wireless Networks”

4. PSIRT HOT Page

5. Safeguard with LSC - Locally Significant Certificates on Wireless LAN Controllers Configuration Example

Hall of Fame Super Gold

Re: ASK THE EXPERT - WIRELESS SECURITY

Thanks for this. Do you know when the 6.0.X patch is scheduled for release?

Cisco Employee

Re: ASK THE EXPERT - WIRELESS SECURITY

The patch release is coming soon though I do not have a specific release date. Again there is very little risk if OTAP is not being used and rogue detection and other wireless security best practices are in place.

Hall of Fame Super Gold

Re: ASK THE EXPERT - WIRELESS SECURITY

Hi Sangita,

Thanks for your response. My team members and I agree with your response; however, we must respond to the Paranoid Team (aka IT Security). And they haven't taken their hourly dose of Prozac. This is why I'm asking for the release date of the 6.0.X, just to calm them down.

Cisco Employee

Re: ASK THE EXPERT - WIRELESS SECURITY

I can understand the paranoia. Our team is currently working on the patch and testing so it should be coming soon.

Hall of Fame Super Gold

Re: ASK THE EXPERT - WIRELESS SECURITY

Hi Sangita,

Thanks for the response. +5

New Member

Re: ASK THE EXPERT - WIRELESS SECURITY

Hi Sangita. Can you please help me or point me in the correct direction. I want to find out more about Cisco's Virtual Service Provider Model - what it is, how it works, how to implement it, etc. Please help.

Thank you.

Cisco Employee

Re: ASK THE EXPERT - WIRELESS SECURITY

Hello there. So VSP is more an SMB and Service Provider solution, and I am not best suited to answer your questions as I am in the Enterprise Wireless group. I would suggest contacting your local Cisco rep. You can find the Cisco offices by visiting the Cisco website at http://www.cisco.com/web/EA/index.html

New Member

Re: ASK THE EXPERT - WIRELESS SECURITY

Hi! I'm trying to find information about LDAPS support for WLC 5.2 and how to configure LDAPS (port 636) on WLC/WiSM 5.2. LDAP works just fine, but when I configure LDAPS, actually just by configuring port number 636, it doesn't work. What more needs to be configured?

Regards Peter

Cisco Employee

Re: ASK THE EXPERT - WIRELESS SECURITY

Hi, thanks for the posting. Your posting seems to be about a very specific scenario and may not be best resolved on this forum. This should be worked through with the support organization. (http://www.cisco.com/cisco/web/support/index.html)

New Member

Re: ASK THE EXPERT - WIRELESS SECURITY

Can you clarify the use of validating the certificate for PEAP?

My original understanding was that a certificate was REQUIRED in order to properly authenticate against an ACS RADIUS server. However, as many iPhone and other handheld devices have proven, only 802.1X AD credentials are required to get on a WLAN secured by PEAP.

I believe I understand that windows machines that are validating the certificate are more securely PEAPing than those that are not by encrypting the original handshake - but is there a way to enforce the use of a certificate to authenticate with PEAP?

New Member

Re: ASK THE EXPERT - WIRELESS SECURITY

I am trying to install a certificate on my WiSM controller (running 6.0) so that my guest clients do not get the certificate error while being redirected to the 1.1.1.1 login page.

I added DNS Host Name under the controller -> interfaces ->virtual so that the redirect will go to a more meaningful name. i.e. wirelessguest.company.com

Added an A record in my DNS server for wirelessguest.company.com to resolve to 1.1.1.1 (not sure if this is needed or not.)

I used the following document to generate the certificate on my CA server and am going to upload this afternoon.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml

Is there anything I am missing? Will this certificate work for my purpose or do I have to purchase a cert from Verisign or RapidSSL? I am really trying to avoid purchasing a cert, but if that is the only option then I will.

New Member

Re: ASK THE EXPERT - WIRELESS SECURITY

In order to resolve this error on a guest wlan, you can disable the https management on both your local and anchor controllers, reboot them - and the certificate warning will no longer come up.

This is due to the clients not trusting the self signed cert on the WLC when they are attempting to go to the virtual IP address.

Cisco Employee

Re: ASK THE EXPERT - WIRELESS SECURITY

Brian, thanks for providing input. Everyone should always follow the security best practices and not take any shortcuts unless aware of the risks.

Cisco Employee

Re: ASK THE EXPERT - WIRELESS SECURITY

Hi, it seems that more troubleshooting is needed, and it would be best for you to work with our Technical Support folks (http://www.cisco.com/cisco/web/support/index.html). Thanks for your post.

Re: ASK THE EXPERT - WIRELESS SECURITY

cjoesph23

If your clients automatically trust the certificate you generated (because they already trust the CA that issued the certificate), then you should be in business.

If your clients do NOT trust the certificate, then you should either manually install the certificate (without the private key) on all the clients, or you should generate/install a 3rd Party certificate for your WLC that comes from a vendor that is already trusted by your clients (and, if necessary, update the DNS Host Name entry on the virtual interface to match the CN on the certificate).
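The reply above, together with the earlier note that the warning comes from clients not trusting the WLC's self-signed certificate, describes the two checks a browser makes when it is redirected to the virtual interface: is the certificate chained to (or itself installed in) the client's trust store, and does the name it was issued for match the host the browser was sent to. The following model is an added example, not code from the thread or from Cisco; it reproduces those two checks so you can see why each client population (corporate laptops, guest devices) does or does not get the warning, and why the DNS Host Name on the virtual interface must match the certificate's CN. The certificate names, CA names and trust stores are constructed for the example; hostname matching follows the RFC 6125 rule that a wildcard covers only the leftmost label and that SAN entries are checked before the CN.

```python
from dataclasses import dataclass


@dataclass
class Cert:
    """Constructed stand-in for an X.509 leaf certificate (only the fields the checks need)."""
    subject_cn: str
    issuer_cn: str
    san_dns: tuple = ()   # dNSName SAN entries; when present, browsers ignore the CN

    @property
    def self_signed(self):
        return self.subject_cn == self.issuer_cn


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; '*' allowed only as the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and bool(tail) and "." + tail == pattern[1:]
    return False


def evaluate_portal_cert(cert, trust_store, portal_host):
    """Mimic a client landing on the web-auth redirect.

    trust_store: CNs the client trusts (public roots, a corporate root pushed by
    policy, or a self-signed WLC cert installed by hand as the thread suggests).
    portal_host: the host in the redirect URL (1.1.1.1 unless a DNS Host Name is set).
    Returns (trusted, warnings); any warning means the browser shows the certificate error.
    """
    warnings = []
    if cert.self_signed:
        if cert.subject_cn not in trust_store:
            warnings.append("self-signed certificate is not installed on this client")
    elif cert.issuer_cn not in trust_store:
        warnings.append(f"issuer '{cert.issuer_cn}' is not a trusted CA on this client")
    names = cert.san_dns or (cert.subject_cn,)
    if not any(name_matches(n, portal_host) for n in names):
        warnings.append(f"name mismatch: redirected to '{portal_host}', certificate is for {names}")
    return (not warnings), warnings


# Constructed trust stores and certificates for the three cases in the thread.
PUBLIC_ROOTS = {"Example Public Root CA"}                 # what an unmanaged guest device trusts
CORP_STORE = PUBLIC_ROOTS | {"Company Internal CA"}       # corporate laptops also trust the internal CA

WLC_DEFAULT = Cert("wlc-default.local", "wlc-default.local")                     # self-signed
INTERNAL_CA_CERT = Cert("wirelessguest.company.com", "Company Internal CA")
PUBLIC_CA_CERT = Cert("wirelessguest.company.com", "Example Public Root CA",
                      san_dns=("wirelessguest.company.com",))

if __name__ == "__main__":
    cases = [
        ("default self-signed cert, redirect to 1.1.1.1, guest device", WLC_DEFAULT, PUBLIC_ROOTS, "1.1.1.1"),
        ("internal CA cert, DNS Host Name set, corporate laptop", INTERNAL_CA_CERT, CORP_STORE, "wirelessguest.company.com"),
        ("internal CA cert, DNS Host Name set, guest device", INTERNAL_CA_CERT, PUBLIC_ROOTS, "wirelessguest.company.com"),
        ("internal CA cert, DNS Host Name NOT set, corporate laptop", INTERNAL_CA_CERT, CORP_STORE, "1.1.1.1"),
        ("public CA cert, DNS Host Name set, guest device", PUBLIC_CA_CERT, PUBLIC_ROOTS, "wirelessguest.company.com"),
    ]
    for label, cert, store, host in cases:
        ok, why = evaluate_portal_cert(cert, store, host)
        print(f"{label}: {'no warning' if ok else 'CERTIFICATE WARNING'}")
        for w in why:
            print("  -", w)
```

Run as a script, the third case is the one that decides between the two options in the reply: a certificate from the internal CA is fine for managed clients that already trust that CA, but guests who do not will keep seeing the warning unless the certificate is installed on them or the WLC gets a certificate from a CA their devices already trust, and the fourth case shows that even a trusted certificate fails when the redirect still points at 1.1.1.1 instead of the name in the certificate.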
