Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Darren Douglas how to secure your wireless network. Darren is a technical marketing engineer and has worked in the area of WLAN security since 2002, with Cisco's initial deployment of Protected EAP authentication. Since joining Cisco's Wireless Networking Business Unit, he has focused on 802.11 security and IOS integration with wireless products.
Remember to use the rating system to let Darren know if you have received an adequate response.
Darren might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through April 21, 2006. Visit this forum often to view responses to your questions and the questions of other community members.
1. What is the E911 location strategy on large campuses? Is it integrated with Cisco Emergency Responder now? Please post a URL that describes the integration.
2. Clean Access is now only supported in-band. When will it be supported out of band for wireless networks?
1) We are continuing to work on our location capabilities with the Cisco controller architecture. At this point, the Cisco 2700 location appliance does not integrate directly with Cisco's Emergency Responder. Currently, we have established partnerships with vendors who are focused on the location market, such as AeroScout and Pango. Please stay tuned to development on the 2700 for additional information.
2) Cisco Clean Access is one of the potential NAC solutions that can be used with Cisco WLAN. It is complementary to Cisco's NAC Framework and is useful for clients which can't support an 802.1X supplicant or Cisco Trust Agent.
Currently, out-of-band NAC is unsuitable for shared access environments (e.g. WLAN); there are not currently suitable per-user access controls in Cisco WLAN equipment other than 802.1X and EAP.
As such, there are no specific plans to support Cisco Clean Access out-of-band deployment with WLAN. If this is a specific need in your deployment, I would suggest that you contact your Cisco sales team, as they'll be able to work with Cisco development to prioritize this developmental feature request.
Web Authentication. Wireless Controller (3.2)
Hello Darren. Thanks for taking a look at this.
We are testing in our lab a wireless controller with APs (model 1200 converted to LWAPP.) We want to use the web authentication feature without creating the local user database on the controller. We prefer to have the controller authenticate against our RADIUS server and existing account base (LDAP.) We've heard this is possible but documentation doesn't mention it. Is this possible? Thanks.
Yes, it's possible to use an external RADIUS server for web authentication. With the 3.2 software on the Cisco wireless controllers, it's possible to utilize either PAP or CHAP format authentication, which should be compatible with LDAP.
Note that by default, the controller first checks the internal database for authentication, but will query the configured RADIUS server secondarily.
Starting to implement a solution with WCS running on our own server, ACS 4.0 using PEAP with LDAP to an MS AD. The certificate will not reside on the client. Wireless hardware will be 4400 series controllers in a failover mode with AP 1240 series LWAPP with WPA2/AES. We will also be using the MS Wireless Zero Configuration utility running on MS XP SP2. Just wondering if there are any known issues that you have run into with roaming between APs or authentication issues using MS Wireless Zero?
There are a couple of considerations to keep in mind here:
1) When using the MS PEAP supplicant, the backend database must support MSCHAPv2, as this is the authentication protocol which is used within the "Protected EAP" or PEAP authentication tunnel. PEAP authentication to Active Directory is typically done using the MS Windows Authentication database interface with ACS. Obviously, the database format should work fine, but I would check Microsoft's capability of handling an MSCHAPv2 authentication request via their LDAP interface.
2) With regards to inter-AP roaming, there are a couple of mechanisms that help with this: a) the server (ACS) and client (MS ZC) maintain a record of the TLS session after the initial authentication; this is called "session resume" or "fast reconnect". This permits short-cutting the full PEAP re-authentication. b) With WPA2, there is a feature called "Pairwise Master Key Caching", which permits the client and AP to cache the
The Cisco WLAN controller must communicate with lightweight APs only, right? I.e., the WLC cannot communicate with or manage IOS APs.
If the WLC fails for any reason, can users still communicate with lightweight APs (new sessions)? And what about established sessions?
When configuring the Cisco WLAN Controller, a warning message appears that I need to buy SFP modules for the two Gbps interfaces; are there no RJ-45 ports installed on the device?
Thanks in advance.
You are correct.
With current software in the existing Cisco controller, only Cisco AP1000 series APs or those Cisco AP1200, 1130, and 1240 APs that have been loaded with the Lightweight AP software are capable of communicating with the controller.
In standard mode, these APs direct all traffic through the controller.
For local bridging of traffic, there is a function known as "Remote Edge AP" (REAP), currently supported on the AP1030, which permits local bridging of traffic. The REAP also maintains existing 802.11 sessions upon controller outage, but does not accept new 802.11 sessions. Stay tuned for enhancements to this REAP functionality with upcoming software releases.
With regards to physical connection, only the Cisco 2006 supports direct Ethernet connectivity; 4400 controllers require SFP modules.
I need to deploy 1242 LWAPP APs with two 4402 WLCs but I don't have any DHCP server in the network... Is it possible to configure LWAPP with static IP addresses or to configure option 43 in the 4400 internal DHCP server?
Thanking you in advance.
There are a few mechanisms to accomplish LWAPP controller discovery by the AP; DHCP is just one of them. DNS is another: http://www.cisco.com/en/US/products/ps6366/products_configuration_guide_chapter09186a008052d8fc.html#wp1105199
The controller's internal DHCP server doesn't support option 43 (or DHCP for APs at all; it is only intended for wireless clients).
If I understand correctly, DNS works in conjunction with DHCP (without option 43), but there's no way to define a static IP on a 1242 LWAPP.
Is that right?
No, that is incorrect. DNS can work by itself to permit an LWAPP AP to discover a controller.
However, this is kind of a "chicken or egg" question, since once the AP is converted to LWAPP, there is no facility for assigning it a static address (until it joins a controller).
If converting an AP from IOS to LWAPP, it's possible to maintain the AP's static address & discover the controller via DNS.
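As an added example (not from this thread, and not Cisco's own code), here is how an external DHCP server's option 43 value for IOS-based lightweight APs can be built and checked, following the TLV format Cisco documents for those APs (type 0xf1, one-byte length, then the controller management IPs); the two controller addresses are constructed sample values.

```python
"""
Added example: encode/decode DHCP option 43 for Cisco IOS-based lightweight APs
(1130/1200/1240 converted to LWAPP). Useful when, as in the answer above, the
controller's internal DHCP server cannot supply option 43 and an external
DHCP server must do it instead.

TLV layout (Cisco-documented for IOS-based LWAPP APs):
  type 0xf1, length = 4 * number_of_controllers, value = controller IPs (raw bytes)
"""
import ipaddress


def lwapp_option43(controller_ips):
    """Return the option 43 TLV as a plain hex string."""
    if not controller_ips:
        raise ValueError("at least one controller management IP is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    # The length field is one byte, so the value must fit in 255 bytes.
    if len(value) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return (bytes([0xF1, len(value)]) + value).hex()


def dotted_hex(hexstr):
    """Group hex into 4-character words, the form IOS accepts on 'option 43 hex'."""
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def decode_option43(hexstr):
    """Parse a TLV (plain or dotted hex) back into controller IPs, validating it."""
    raw = bytes.fromhex(hexstr.replace(".", ""))
    if len(raw) < 2 or raw[0] != 0xF1:
        raise ValueError("not a Cisco LWAPP (0xf1) option 43 TLV")
    length = raw[1]
    if length != len(raw) - 2 or length % 4 != 0:
        raise ValueError("length field does not match the payload")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(2, 2 + length, 4)]


if __name__ == "__main__":
    # Constructed sample: management interfaces of two 4402 controllers.
    controllers = ["192.168.10.5", "192.168.10.6"]
    opt = lwapp_option43(controllers)
    print("option 43 hex", dotted_hex(opt))
    assert decode_option43(opt) == controllers
```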
Wireless Controller Arch with a WCS server vs. without one.
We have a customer that will be migrating from a traditional autonomous wireless architecture to the new Cisco Controller Architecture. Due to budgets they want to roll out several sites with just the controllers and add the WCS component down the road. What are the major items you cannot do without the WCS component vs. with it?
There are a couple of security considerations here:
1) WCS offers a graphical display of location of rogue APs and clients. This graphical display is not available without WCS.
2) WCS offers an alarm dashboard which consolidates and prioritizes security alarms from a collection of controllers.
Without WCS, the controller will still provide alarms for rogues, Wireless IDS, etc., but they are presented in a textual format.
Generally, WCS is recommended where more than 2-3 controllers are deployed and where location, RF planning/visualization are requirements.
Are there plans to take the mesh products and create an indoor-only product based around the mesh technology? There are competitive products in that space. The mesh products would be great in a warehouse / indoor type of environment if the price point could be lowered to accommodate an indoor-only solution.
Sorry, this is a little outside my realm of expertise.
I know that there are some simple bridging functions (single hop) possible with the Controller for indoor deployments, but I'd recommend speaking with your local Cisco rep to get some details and to get the latest on Cisco's plans for mesh networking, both indoor & outdoor.
Using 12.3(7)JA on a 1131 AP, encryption is set to (AES, TKIP) and VLANs are dynamically set (pushed by ACS). Strange behavior occurred which I think is a bug (can you confirm whether this is a known bug?). What happens is that the user is initially placed in the right VLAN as dictated by ACS. However, if the user disables the radio with the Aironet card function and re-enables it, the user is then pushed back into the default VLAN (the VLAN associated with the SSID).
That specific problem does not occur when only TKIP is specified for encryption instead of AES, TKIP.
I'm unaware of any bugs having to do with AES encryption and dynamic VLANs in 12.3(7)JA, but there are a couple of considerations to keep in mind with the "Autonomous", i.e. non-controller-connected, AP.
1) VLAN and SSID are not independent. Thus, if assigning a user from VLAN A to VLAN B, there MUST be SSIDs associated with both VLAN A and VLAN B, and there must be equivalent encryption and authentication types assigned.
2) Dynamic VLAN assignment is not supported when the MBSSID feature is enabled on the APs.
However, if this functions correctly with a TKIP client, I wouldn't suspect that these are the root of your problem.
I would be suspicious of potential PMK caching by the AP and client not permitting RADIUS VLAN assignment- PMK caching circumvents AAA authentication and COULD explain this symptom. PMK caching may be disabled at the client via a registry modification.
We have several 1200 APs, running 12.3(7)JA2 in a WDS infrastructure, and are using PEAP authentication with WEP encryption for the clients. I am looking for a smooth migration path to WPA encryption and was hoping to use the WPA migration mode. Once I tested this mode with older firmware and could only verify that the migration mode worked successfully for Cisco WLAN cards (CB21AG). Somehow WLAN cards from other vendors were not able to authenticate.
Is the WPA migration mode only supported by Cisco WLAN cards?
(Anyhow, another migration option would be to use a separate SSID/VLAN for WPA clients. Maybe that's the better migration path...)
Fast-roaming is currently only supported for LEAP and EAP-FAST clients. Will this option also become available for PEAP clients in the future?
1) WPA "migration mode", the coexistence of the TKIP and WEP ciphers, is a required component of WPA-certified devices. Thus, any device which is WPA (version 1) certified must be capable of supporting the "TKIP + WEP" cipher configured on the IOS AP. Make sure that the AP SSID is also set for "Authenticated key management: WPA Optional".
2) Fast Secure Roaming using the Cisco Centralized Key Management (CCKM) protocol may be supported by any EAP type for which the appropriate CCKM keying drivers have been enabled. Thus, this is a client device limitation and currently is rather limited. The ability to use CCKM with other EAP types is a component of CCX version 4.
Hi Darren, we are trying to configure a MAR 3250 without any foreign agent (i.e. with a collocated care-of address) to use Mobile IP UDP tunneling, so that the firewall in between can do PAT. The only documentation found shows a config with a foreign agent involved.
Sorry, I know this is not your core competence, but perhaps you can help us. Regards, Fabian
Sorry, I haven't worked with the 3200 and PMIP for a couple of years, so I cannot really help you out on this question.
I would suggest contacting your local Cisco Systems Engineer.
In a multiple VLAN SSID deployment using ACS,
Do you recommend assigning a VLAN with IETF option 81 or Aironet VSA for SSID?
Why should we use the one or the other? Or both?
The use of RADIUS IETF attributes 64, 65, and 81 is probably more flexible than assignment of SSID.
Technically, when using the Aironet VSA for SSID, the SSID is not re-assigned, but rather, is restricted. E.g., it's not possible to move a client from SSID A to SSID B; it's only possible to restrict a client to the use of SSID B.
However, if the AP is not connected via dot1q, or a simple restriction vs. VLAN assignment is required, the Aironet VSA may be employed.
Thanks for the clarification.
One more question on option 81:
With that we can actually dictate the VLAN group ID, not just a VLAN number. By doing that (assigning a "Guest" VLAN group ID, for example) we can give a different guest VLAN in each L2 domain (considering a large campus).
Is there a list of L2 devices, both wireless and L2 switches, that support this VLAN group ID?
Is there a way to restrict, for a particular SSID, the EAP authentication type to be used, e.g. only PEAP, not LEAP? If I'm not mistaken, with the WDS concept, infrastructure APs use LEAP to authenticate themselves to the WDS. Activating LEAP on the ACS server opens the door to that authentication scheme for regular users! So my simple question is: how to enforce the EAP authentication type by SSID?
From the WLAN controller (or IOS AP), it is possible to restrict the RADIUS server to be used for authentication per SSID, but it is not possible to restrict the specific EAP type.
Some customers have employed the Local Authentication Service (which supports LEAP) available on the IOS AP, WLSM, and ISR to segregate authentication from the WDS to 2 different servers (LEAP-Local/ PEAP-ACS).
1. Is it possible to assign a VLAN to an SSID without assigning an IP address to each VLAN interface created?
2. Is it possible to enable more than 4 SSIDs with static WEP keys at a time? It seems that the key index is common to every SSID and that it isn't allowed to assign the same key index to different SSIDs.
3. Is there a way on an LWAPP AP itself to verify the available VLANs?
4. How do I use specific channels on the LWAPP AP (for example channels 10 to 13)?
5. Is it possible to connect the WCS to the network (Distribution System) instead of the management network (connection via the service port)?
6. How do I implement authentication for APs but not for end users?
1) No, in the current implementation, each VLAN interface on the controller must be assigned an IP address.
2) No, each WLAN/SSID must be enabled with a unique WEP key; 4 unique keys are permitted; thus 4 WEP-encrypted WLANs/SSIDs total, each with a unique key and index.
3) No, VLANs are defined at the controller.
4) Each AP may be assigned a specific channel or power level from the "config AP" prompt or the GUI, if it is not desired to use Auto-RF.
5) Yes, WCS will manage the controller via either the Management or Service port, but the service port is higher priority, by design.
6) LWAPP APs may be authenticated (by MAC address) against the local database or RADIUS (Security > AP Policy).