Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Darren Douglas about the security of your wireless networks. Darren is a technical marketing engineer and has worked in the area of WLAN security since 2002, with Cisco's initial deployment of protected EAP authentication. Since joining Cisco's Wireless Networking Business Unit, he has focused on 802.11 security and IOS integration with wireless products.
Remember to use the rating system to let Darren know if you have received an adequate response.
Darren might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through September 8, 2006. Visit this forum often to view responses to your questions and the questions of other community members.
If I am currently using Cisco LEAP for authentication in my WLAN, do I need to immediately switch to another authentication method?
I'm a colleague of Darren's and will be assisting him answering questions.
As you probably know, Cisco LEAP has both a known vulnerability and exploit (ASLEAP tool) that can be used to compromise username/password combinations. With LEAP, the vulnerabilities can be mitigated somewhat by enforcing strong passwords, but that isn't easy to do.
Cisco's recommendation is to migrate from LEAP to a new authentication scheme. EAP-FAST is a nice migration path because it is designed to be lightweight like LEAP and you won't have to make many changes.
We currently have Airespace 4100 controllers. They are set up for L2, and we want to move to L3 communications. Are there any gotchas or advice?
The only difference between L2 & L3 is whether the AP-to-controller communication is encapsulated in an IP packet or not. So from a WLAN security perspective, there's no difference.
The major requirement with an L3 deployment is the requirement to provide the APs with a controller discovery mechanism on the subnet on which they're deployed. This is typically done via DHCP Option 43 or DNS. I'd suggest the Controller Config Guide as a reference: http://www.cisco.com/en/US/products/ps6366/products_configuration_guide_chapter09186a00806b0757.html#wp1069102
or the following AP reference:
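The DHCP Option 43 discovery mentioned in the answer above carries a Cisco vendor-specific TLV (sub-option type 0xF1, a length byte, then the controller management IPv4 addresses as raw bytes). The following is an added example, not code from the original thread or from Cisco, that builds the hex string in the form an IOS DHCP server takes with `option 43 hex ...` and decodes it back so an administrator can verify what the APs on that subnet will actually be told to join; the controller addresses are constructed sample values.

```python
import ipaddress

# Cisco lightweight APs look for this sub-option inside DHCP option 43:
# type 0xF1 (241), length = 4 * number of controllers, then each controller
# management IPv4 address as four raw bytes.
CISCO_WLC_SUBOPTION = 0xF1


def build_option43(controllers):
    """Return the raw option-43 bytes for the given controller IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 255:
        raise ValueError("too many controllers for a single sub-option")
    return bytes([CISCO_WLC_SUBOPTION, len(payload)]) + payload


def option43_hex(controllers):
    """Hex string as used by 'option 43 hex <value>' in an IOS DHCP pool."""
    return build_option43(controllers).hex()


def parse_option43(raw):
    """Decode option-43 bytes back into controller addresses, for verification.

    Raises ValueError on anything that is not a well-formed 0xF1 sub-option,
    so a mistyped hex string is caught before it is pushed to the DHCP server.
    """
    if len(raw) < 2 or raw[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco WLC discovery sub-option")
    length = raw[1]
    body = raw[2:2 + length]
    if len(body) != length or length == 0 or length % 4 != 0:
        raise ValueError("malformed sub-option length")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    # Constructed sample controller addresses for illustration only.
    ctrls = ["192.168.10.5", "192.168.10.6"]
    h = option43_hex(ctrls)
    print(f"option 43 hex {h}")
    print(parse_option43(bytes.fromhex(h)))
```

Because any DHCP server answering on the AP subnet can steer APs to a controller with this option, the decode step is also a useful check when auditing what a rogue or misconfigured DHCP server is handing out.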
Hi Darren, how are you?
Would you mind responding to the queries posted in this link?
We are sort of not heading anywhere.
TAC says it is not a Cisco issue, but Intel doesn't seem to be providing any fix either.
The original post does not specify what type of failure is experienced with the Intel adapter & PEAP with WinXP, but there are a couple of diagnostic steps that I'd recommend:
1) Does the adapter associate/authenticate properly with the network with non-EAP SSID configured?
2) Is there any error indicated at the RADIUS EAP server when the client attempts connection?
3) Is the same failure seen with Intel ProSet instead of WinXP used for client card control?
Assuming that other PEAP clients are functional on this network, there aren't really any configurations on the infrastructure to alter EAP operation (other than permitting the EAP protocol and timing parameters); the client and EAP server really control this operation.
If another vendor's lightweight APs (pick any vendor you like, such as Aruba, Symbol, Bluesocket, Meru, etc.) support marking an upstream Ethernet frame's MAC header's 802.1Q PCP (priority code point) bits to maintain end-to-end QoS at both L2 and L3, what will happen to the upstream Cisco L2 Ethernet switch if the pipe between the lightweight AP and the Cisco Ethernet switch is not configured as a trunk?
The standard says that the Cisco switch is supposed to support an incoming frame that is expanded for 802.1Q regardless of anything else; however, I don't think Cisco plays along with the standard in this case.
My sources tell me that the Cisco switch may crash, but I'd like to hear it from the horse's mouth.
This is a question about LAN switching that belongs in a LAN switching forum. Cisco has many switching platforms and there may have been a revision of code at some point that had an issue, but it is not consistent with my experience. I've double-checked with experts in the 3750, 4K, and 6K groups and they do not confirm what your sources are telling you.
I would like to deploy an EAP authentication that doesn't require certificates and that works with Microsoft's IAS RADIUS server. Will EAP-FAST work?
No, EAP-FAST is not currently supported on Microsoft's IAS server.
Note that PEAP authentication requires only a server certificate, the key from which is used to encrypt the "inner" authentication exchange with clients when they attempt authentication to the server. Clients must "trust" the Certificate Authority that issued the server's certificate. This is easily accomplished by obtaining the server certificate from a public CA, such as Verisign.
So to compare PEAP and EAP-FAST authentication types: EAP-FAST has the advantage of simpler deployment and integration with NAC; PEAP has the advantage of being natively supported on Microsoft platforms.
Thanks for taking the time with this discussion.
In the old (autonomous) architecture we had a BBSM server that provided what was called a "walled garden" feature (a list of web sites that could be visited without authenticating). Does the WLC have this functionality? I have tried using an ACL with preauthentication set on the WLAN web policy, but this did not do the trick. Any attempt at surfing is preempted with the login page no matter what sites are listed in the ACL.
Thanks again, Simon
Simon, (filling in for Darren, who is covering a customer case)
This feature does not exist on the controller. Typically the web/url filtering is done by an external box/firewall. From a design standpoint this makes more sense because it can provide the service for all internet/outbound traffic.
Airespace and SSIDs
Is it possible to select which SSIDs/WLANs are broadcast by a certain access point when you are using an Airespace controller (WLAN with a filter on the access point)?
I believe the feature you are looking for is called "WLAN Override". This allows you to specify certain WLANs for subsets of APs.
Just a little question:
If I have an AP with 802.11g, can I connect 802.11b clients to it and vice versa? How does this environment work?
Thank you very much.
Yes, you can connect 802.11b client devices to the 802.11g AP as long as the 802.11b data rates (1, 2, 5.5 and 11 Mbps) are configured on the access point. You can also have 802.11g clients communicate with an 802.11b AP, but obviously at the lower data rates configured on the 802.11b AP; the maximum data rate will be 11 Mbps if it is configured on the AP.
Yes, if the AP supports 802.11g it also supports the 802.11b mode (unless you specifically disable it) so the clients will connect at the 802.11b rates. On the other side, if the AP only supports 802.11b then 802.11g clients are backward compatible and will connect at the 802.11b rates.