Has anyone tried using the WLSE Security Policies? There is no information in the WLSE User Guide as to what configs they check. The Policies are checked via SNMP. By doing a tcpdump of the WLSE traffic I've managed to figure out which OIDs the Policies check. They all seem to be in the CISCO-DOT11-IF and CISCO-WLAN-VLAN MIBs. Most of the Policies seem to work but don't do what I would've expected. The "EAP Enforced" and "EAP per SSID Enforced" seem broken.
I'm running WLSE 2.5. My first problem was that I found it frustrating to understand what the Security Policies were supposed to do. The documentation doesn't explain what they do just how to turn them on/off. Based on my testing, I now know which MIBs/OIDs are checked for each Policy. I can correlate this directly with configs on the APs.
The Policies that are giving me problems are the "EAP Enforced" and "EAP per SSID Enforced". These Policies both seem to check the following OIDs under the CISCO-DOT11-IF-MIB:
I'm doing testing with Cisco Aironet 1220s running IOS version 12.2(13)JA. The 2nd OID has 3 possible values: open, shared & eap. Each of these has a true or false entry. No matter what config I tried, the eap entry always had a value of false. You would think this value would change to true when EAP is on/required. I guess this could be a problem with the AP and not WLSE.
The EAP Enforced fault seems to only be supported if 1 SSID is configured. However, faults will continue to generate with multiple SSIDs but just on the first configured SSID. This doesn't seem right.
"EAP per SSID Enforced" checks the same MIBs as "EAP Enforced". The MIB is automatically expanded for multiple SSIDs. I've seen some very weird results here. For example, I tried the following config:
With this config, WLSE generated a Security Policy Fault on both SSIDs. Why? The second is correct.
If I invert the config on both of these SSIDs, no fault is generated at all. It's almost like only the first SSID is being checked.
Basically I've found that if the 1st SSID is using EAP, no fault gets generated regardless of how the 2nd SSID is configured. If the first SSID isn't using EAP and the 2nd SSID is, a fault generates for the 1st SSID only. If neither SSID is using EAP, 2 faults are generated, one for each SSID.
I was wondering if anybody else has successfully used these Policies? Are you comfortable that they will report faults correctly? Can you depend on them?
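The post describes the check it reverse-engineered from the SNMP traffic: for every SSID there is an open / shared / eap entry, each true or false, and the policy should raise a fault on any SSID whose eap entry is false. The following Python is an added illustration of that check and is not part of the original post or of WLSE; it models a correct per-SSID evaluation next to the first-SSID-only behaviour summarised in the last paragraph, so the SSIDs the observed behaviour would silently miss can be listed. The object name `authAlgEnabled` and the `<ssid>.<algorithm>` index layout are assumed placeholders, not the real CISCO-DOT11-IF-MIB object names or OIDs, and the input table is constructed.

```python
"""Model of an 'EAP per SSID Enforced' policy check over per-SSID
authentication-algorithm flags (added example; placeholder names, not WLSE code)."""
import re

# Constructed sample: a simplified text rendering of the per-SSID open/shared/eap
# true/false entries the post describes. 'authAlgEnabled' and the
# '<ssid>.<algorithm>' index are placeholders, NOT the MIB's real names or OIDs.
SAMPLE_WALK = """\
authAlgEnabled.ssid1.open = true
authAlgEnabled.ssid1.shared = false
authAlgEnabled.ssid1.eap = false
authAlgEnabled.ssid2.open = false
authAlgEnabled.ssid2.shared = false
authAlgEnabled.ssid2.eap = true
"""

LINE_RE = re.compile(
    r"^authAlgEnabled\.(?P<ssid>[^.]+)\.(?P<alg>open|shared|eap)\s*=\s*(?P<val>true|false)$"
)


def parse_walk(text):
    """Parse the placeholder walk into {ssid: {algorithm: bool}}.

    SSID order of first appearance is preserved, because the behaviour
    reported in the post depends on which SSID is 'first'."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        table.setdefault(m["ssid"], {})[m["alg"]] = (m["val"] == "true")
    return table


def eap_per_ssid_faults(table):
    """Correct check: evaluate every SSID independently and fault each one
    whose eap entry is missing or false."""
    return [ssid for ssid, algs in table.items() if not algs.get("eap", False)]


def observed_wlse_faults(table):
    """Behaviour summarised in the post, for comparison only:
    - first SSID uses EAP          -> no faults at all
    - first lacks EAP, second has  -> fault on the first only
    - neither uses EAP             -> one fault per SSID
    i.e. nothing is reported when the first SSID passes; otherwise every
    SSID without EAP is reported."""
    ssids = list(table)
    if not ssids or table[ssids[0]].get("eap", False):
        return []
    return [s for s in ssids if not table[s].get("eap", False)]


def missed_ssids(table):
    """SSIDs that lack EAP but that the observed behaviour would not report.
    A non-empty result is exactly the blind spot the post complains about."""
    reported = set(observed_wlse_faults(table))
    return [s for s in eap_per_ssid_faults(table) if s not in reported]


if __name__ == "__main__":
    parsed = parse_walk(SAMPLE_WALK)
    print("per-SSID faults:", eap_per_ssid_faults(parsed))
    print("observed faults:", observed_wlse_faults(parsed))
    print("missed SSIDs:   ", missed_ssids(parsed))
```

Running it on the constructed table (ssid1 without EAP, ssid2 with EAP) reports ssid1 under both evaluations; swapping the two SSIDs produces no observed fault at all while the independent check still flags the non-EAP SSID, which is the case an operator relying on the policy would want surfaced.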