Ask the Expert: Wireless LAN Security

Monica Lluis
Level 9

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask any questions about how to secure a wireless network with Cisco expert Roman Manchur.

Wireless networks have become pervasive in today's world. Cisco offers a very strong wireless portfolio that helps businesses connect to the Internet anywhere, anytime. Network managers need reassurance that solutions are available to protect their WLANs from these vulnerabilities and that WLANs can provide the same level of security, manageability, and scalability offered by wired LANs.

This session will focus on answering questions regarding how to deploy, configure and troubleshoot security in a wireless network, and also the common pitfalls and issues that might happen in an installed secured wireless network.

To participate in this event, please use the Join the Discussion : Cisco Ask the Expert button to ask your question.

Ask questions from Monday, June 20 to Friday, July 1, 2016.

Roman Manchur is a Customer Support Engineer in the Cisco Technical Assistance Center in Brussels. He is an expert on wireless products, including Wireless LAN Controllers and Access Points, as well as on many security products and technologies, including IBNS, ISE, ACS 4.x/ACS 5.x, AAA security, RADIUS and TACACS. Roman has over 8 years of experience in IT. He joined Cisco in 2011. Prior to Cisco he worked at Priocom, Pysus, Aricent and Telread. Roman holds a CCIE in Wireless (#47699) and a Master of Science in Telecommunications and IT from the National University Lviv Polytechnic.

Roman might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in the Security and Network Management Community.

Find other Ask the Expert events at https://supportforums.cisco.com/expert-corner/events.

**Ratings Encourage Participation!**
Please be sure to rate the answers to questions.

I hope you and your loved ones are safe and healthy.
Monica Lluis
Community Manager Lead

Hi Netops1,

Not possible, since CTR and GCM ciphers aren't supported on the WLC currently.

Please check the specification below regarding supported encryption modes and cipher suites on the 5500 series controllers (Table 2):

http://www.cisco.com/c/en/us/products/collateral/wireless/5500-series-wireless-controllers/data_sheet_c78-521631.html

Dear Roman,

I have a network that has a few access points connected to a 3850 that acts as a wireless controller, and a few more that cannot be directly connected due to the distance, so they are not part of the wireless domain.

1) Is there any workaround to connect distant APs to the wireless domain without them being connected directly to the 3850, and without us having to buy another 3850 to act as an agent? They are physically connected to a WS-C2960S.

2) When troubleshooting an issue on a wireless VLAN, I've set up a monitor session with the VLAN as the source and a single switchport as the destination. In the Wireshark capture at the destination, each frame is reproduced about 20 times, which makes it pretty much unusable. Why would it do that, and what can I do for a more effective packet capture? Here's the example of a single host coming online...

3) Is there a best practices document that would outline the capacity planning, security considerations, and actual configuration for the wireless and wired components of an enterprise WLAN using the 3850 as a controller? I found bits and pieces in several documents, but not a single guide.

Hi Michael,

Thanks for your questions; please refer to the answers below.

1) No, the AP has to be connected directly to the 3650/3850 in order to register successfully with NGWC.

Q.    Does the Cisco Catalyst 3850 support indirectly connected access points?
A.     No. The Cisco Catalyst 3850 switch will always terminate the CAPWAP tunnel locally. Pass-through mode or indirectly connected access point is not supported at this time. Note that a Cisco Catalyst 3850 12-port or 24-port SFP model can be a good choice to act as mobility controller for a stack of Cisco Catalyst 3850 switches that terminate CAPWAP tunnels locally.
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3850-series-switches/qa_c67-722110.html
Technically you can connect APs indirectly via a transparent switch, but that configuration is not officially supported, nor does it scale well, since you can easily oversubscribe the uplink on the transparent switch if you have 802.11ac clients connected to the APs.

2) I'm not sure why the SPAN session behaves this way. Does the same problem happen if traffic is sourced from wired VLANs and/or if the source is defined as an interface instead of a VLAN?

3) There is an excellent Converged Access white paper that covers those topics; please refer to the attachment.

Roman, thank you!

1) :(

2) monitor session source <wired vlan> gives normal traffic captures. Captures are also normal when the source is a wired port (e.g. the Internet connection).

However, when the session source is a port that is connected to a switch that exclusively handles wireless access points, I again see this problem with huge packet duplication (10x-20x).

We also have a performance problem with the wireless network that I'm trying to solve; the port monitoring is part of this effort.

So my gut suggests that the traffic does get duplicated somewhere somehow.

What would you suggest?

3) Thank you, a great document! Could you also please recommend a capacity planning guide for the wireless access points?

Hi Michael,

That problem with SPAN sounds like a potential bug; I would recommend you open a TAC case on it for further investigation.

Regarding AP capacity planning, the best estimates of the potential client population for a given install site come from a pre-sales site survey.

The following document summarizes general recommendations regarding AP placement and capacity planning for location, voice and data deployments:

Access Point Placement and Capacity Planning

Thank you. I have a TAC case opened for the SPAN issue. Hopefully it can get resolved.

Appreciate your recommendations!

Clocktwister
Level 1

Dear Roman,

Our organisation has a global WiFi policy where all WiFi configurations have the same SSID and security policies, which enables users to travel to company sites worldwide and instantly connect to WiFi without needing local access credentials. The network is based on Aironet 12xx series APs. The security policy is open with EAP, and uses a RADIUS server for authenticating domain users. The wireless network on mobile clients (Win7 etc.) is set to connect using an 802.1X configuration.

I am playing with an 1852i-K9C, as Mobility Express is a good fit for our site infrastructure and use pattern; however, I'm struggling to find an option to create an SSID that can use open with EAP and RADIUS authentication. Has this feature been removed? Are there any new Wave 2 products that would support this configuration?

Thanks

Marek

Hi Marek,

Thanks for your question.

I believe you are trying to configure the WLAN profile from the Web UI on the 1852 CME (Cisco Mobility Express controller) and you are struggling because the web interface does not show all supported options.

A WPA/WPA2 WLAN profile with dot1x authentication can be configured on the CME controller the same way it is configured on any Aironet WLC; it follows the same configuration steps and the same command syntax.

Try to configure it from the CME WLC CLI; you may refer to this link for configuration details and commands:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01001110.html#ID1048

Let me know if you face any issues with configuration.

Note: there is also a known bug, CSCuz73422, that several customers are facing, with EAP-TLS failing on the 1852 CME due to silent drops of the client response on the AP.
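The AireOS CLI sequence Roman refers to, written out as an added example (it is not part of this thread or of the linked Cisco guide). It builds a WPA2-Enterprise WLAN on a Mobility Express or AireOS controller: one RADIUS server, one WLAN, 802.1X as the only key management method. WLAN ID 2, the profile/SSID name CORP-DOT1X, the server address 10.10.10.5 and the shared secret are placeholders to replace with your own values; lines beginning with `#` are annotations, not commands typed at the prompt.

```text
# Added example: WPA2-Enterprise (802.1X/EAP) WLAN on an AireOS / Mobility Express controller.
# Lines starting with '#' are annotations, not CLI input. Addresses, names and the secret are placeholders.

# 1. Define the RADIUS authentication server (server index 1) and the shared secret it expects.
config radius auth add 1 10.10.10.5 1812 ascii ChangeMe-RadiusSecret
config radius auth enable 1

# 2. Create the WLAN (ID 2) with its profile name and SSID. AireOS refuses security changes
#    on an enabled WLAN, so keep it disabled until the profile is complete.
config wlan create 2 CORP-DOT1X CORP-DOT1X
config wlan disable 2

# 3. Security: WPA2 only, AES-CCMP only, 802.1X key management only.
#    WPA1, TKIP and PSK are explicitly disabled so a mis-set default cannot weaken the SSID.
config wlan security wpa enable 2
config wlan security wpa wpa1 disable 2
config wlan security wpa wpa2 enable 2
config wlan security wpa wpa2 ciphers aes enable 2
config wlan security wpa wpa2 ciphers tkip disable 2
config wlan security wpa akm psk disable 2
config wlan security wpa akm 802.1x enable 2

# 4. Bind RADIUS server index 1 to WLAN 2 for authentication, then bring the WLAN up.
config wlan radius_server auth add 2 1
config wlan enable 2

# 5. Verify and persist. 'show wlan 2' should list WPA2 with the AES cipher and
#    AKM 802.1X, and show RADIUS server 1 attached for authentication.
show wlan 2
show radius summary
save config
```

When the client still fails to associate after this, the usual culprits are the RADIUS shared secret (check for a "RADIUS server not responding" count in `show radius summary` on the controller versus an "invalid authenticator" log on the RADIUS side) and the controller's management address not being defined as a NAS client on the RADIUS server.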

Thank you very much for the pointer, Roman; the WLAN is now configured.

Another happy Cisco user will sleep easy tonight!

Hi Marek,

Glad to hear it helped :)

IMG USA
Level 1

Hi Roman,

I recently upgraded the controller version to 8.0.133.0.

I am facing the issue below.

*Jun 10 14:54:44.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.29.146.145 peer_port: 5246
*Jun 10 14:55:13.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0xBC689C8!

*Jun 10 14:55:43.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.29.146.145:5246
*Jun 10 14:55:53.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Jun 10 14:55:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.29.146.145 peer_port: 5246
*Jun 10 14:56:23.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0xBC689C8!

*Jun 10 14:56:53.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.29.146.145:5246
*Jun 10 14:57:03.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Jun 10 14:57:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.29.146.145 peer_port: 5246

The AP disjoins from the controller intermittently.

Hi IMG USA,

I would need some further details regarding this problem; could you provide answers to the questions below:

  1. You mentioned the issue is seen starting from the upgrade to 8.0.133.0. What was the earlier software version on the WLC prior to the upgrade? What controller model do you have?
  2. What AP models are affected by this issue? Is it specific to certain platform(s)?
  3. Does it happen with all APs that are registered to this WLC, or are only some affected?
  4. If I understand correctly, those APs do eventually join the WLC but then disconnect again; how long do they stay registered to the WLC before dropping off?
  5. Please check the output of 'more event.log' on one of the affected APs for the reason of the disconnect events. You may also upload it with your answer, so I can check it as well.

Pradeep S.R.
Level 5

Hi Roman,

We are using AnyConnect 4.2.02075 and ISE 1.4, and all of a sudden we are seeing certificate errors for some wireless (Mac OS) users.

Issue: the client is trying to trust the PSN local certificate, which is not configured for EAP authentication at all.

How is the user getting the response to trust the cert which is not configured??

Error screenshot attached.

Hi Pradeepa,

Thanks for your question.

That error message means that your client does not trust the certificate presented by the server.

You would need to check the ISE configuration and verify that the right certificates are enabled for EAP authentication.

Based on what you are saying, the certificate returned is not enabled for EAP, hence the PSN shouldn't return it during client authentication.

The following can be done here for problem isolation:

  1. Check the ISE Live Authentications log details for the given authentication session.
  2. If the issue is seen with authentication against a specific PSN, try a forced sync-up for that node.
  3. Set the 'runtime-AAA' service logging to 'TRACE' level and recreate the issue. Then refer to 'prrt.log' for the details of the authentication session.

hikma
Level 1

Hi Roman,

On WLC 8.0.133, I'm getting a lot of this message:

  1. Message: '802.11a/n/ac' interface of AP 'Corp-F1-02' associated to controller 'WLC01 (10.9.59.9)' is down. Reason: Indicates that while the radio state should be updated on controller, no reset should be reported.

Failure Source: AP Corp-F1-02, Interface 802.11a/n/ac

This causes the radio to go up/down.

What does this mean? How can I get rid of this?

Regards
