WLSE Security Policies

Hello,

Has anyone tried using the WLSE Security Policies? There is no information in the WLSE User Guide as to what configs they check. The Policies are checked via SNMP. By doing a tcpdump of the WLSE traffic I've managed to figure out which OIDs the Policies check. They all seem to be in the CISCO-DOT11-IF and CISCO-WLAN-VLAN MIBs. Most of the Policies seem to work but don't do what I would've expected. The "EAP Enforced" and "EAP per SSID Enforced" seem broken.

Anybody else get these to work?

Serge

3 REPLIES

Re: WLSE Security Policies

What version are you running? I was told WLSE version 1.3 has a resolution to this problem.

Re: WLSE Security Policies

What WLSE version, and what exactly do you mean by 'broken'/what is not working?

Re: WLSE Security Policies

Hello,

I'm running WLSE 2.5. My first problem was that I found it frustrating to understand what the Security Policies were supposed to do. The documentation doesn't explain what they do, just how to turn them on/off. Based on my testing, I now know which MIBs/OIDs are checked for each Policy. I can correlate this directly with configs on the APs.

The Policies that are giving me problems are the "EAP Enforced" and "EAP per SSID Enforced". These Policies both seem to check the following OIDs under the CISCO-DOT11-IF-MIB:

.1.3.6.1.4.1.9.9.272.1.1.1.7.1.1 -> cd11IfAuxSsidAuthAlgEnable

.1.3.6.1.4.1.9.9.272.1.1.1.7.1.2 -> cd11IfAuxSsidAuthAlgRequireEap

I'm doing testing with Cisco Aironet 1220s running IOS version 12.2(13)JA. The 2nd OID has 3 possible values: open, shared & eap. Each of these has a true or false entry. No matter what config I tried, the eap entry always had a value of false. You would think this value would change to true when EAP is on/required. I guess this could be a problem with the AP and not WLSE.

The EAP Enforced fault seems to only be supported if 1 SSID is configured. However, faults will continue to generate with multiple SSIDs but just on the first configured SSID. This doesn't seem right.

"EAP per SSID Enforced" checks the same MIBs as "EAP Enforced". The MIB is automatically expanded for multiple SSIDs. I've seen some very weird results here. For example, I tried the following config:

encryption vlan 1 key 1 size 40bit 7 1823F25A0AB8 transmit-key
encryption vlan 1 mode wep mandatory
encryption vlan 2 mode ciphers ckip-cmic
ssid TEST1SSID
   vlan 1
   authentication shared
ssid TEST2SSID
   vlan 2
   authentication network-eap eap_methods

With this config, WLSE generated a Security Policy Fault on both SSIDs. Why? The second is correct.

If I invert the config on both of these SSIDs, no fault is generated at all. It's almost like only the first SSID is being checked.

Basically I've found that if the 1st SSID is using EAP, no fault gets generated regardless of how the 2nd SSID is configured. If the first SSID isn't using EAP and the 2nd SSID is, a fault generates for the 1st SSID only. If neither SSID is using EAP, 2 faults are generated, one for each SSID.

I was wondering if anybody else has successfully used these Policies? Are you comfortable that they will report faults correctly? Can you depend on them?

Thanks,

Serge
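Added example (mine, not from the thread or from Cisco/WLSE): an offline check that parses snmpwalk output for the two cd11IfAuxSsidAuthAlg columns named above and reports EAP enforcement per SSID, so a WLSE fault list can be cross-checked against what the AP actually returns. The index layout `<ifIndex>.<ssidIndex>.<authAlg>`, the algorithm enumeration values, and the sample walk (mirroring the TEST1SSID/TEST2SSID config) are assumptions I constructed, not taken from the MIB file.

```python
"""Per-SSID EAP enforcement check from captured snmpwalk output."""
from collections import defaultdict

# Columns named in the post (CISCO-DOT11-IF-MIB).
AUTH_ALG_ENABLE = ".1.3.6.1.4.1.9.9.272.1.1.1.7.1.1"   # cd11IfAuxSsidAuthAlgEnable
AUTH_ALG_REQ_EAP = ".1.3.6.1.4.1.9.9.272.1.1.1.7.1.2"  # cd11IfAuxSsidAuthAlgRequireEap

# ASSUMED: instance suffix is <ifIndex>.<ssidIndex>.<authAlg> and the
# algorithm enumeration is 1=open, 2=shared, 3=eap. Confirm against the MIB.
ALG_NAMES = {1: "open", 2: "shared", 3: "eap"}
TRUE = 1  # SNMP TruthValue: true(1), false(2)

# CONSTRUCTED sample: ifIndex 1; SSID 1 = shared only, SSID 2 = network-eap only.
# RequireEap is false everywhere, matching what the post observed on the 1220s.
SAMPLE_WALK = """
.1.3.6.1.4.1.9.9.272.1.1.1.7.1.1.1.1.1 = INTEGER: 2
.1.3.6.1.4.1.9.9.272.1.1.1.7.1.1.1.1.2 = INTEGER: 1
.1.3.6.1.4.1.9.9.272.1.1.1.7.1.1.1.1.3 = INTEGER: 2
.1.3.6.1.4.1.9.9.272.1.1.1.7.1.1.1.2.1 = INTEGER: 2
.1.3.6.1.4.1.9.9.272.1.1.1.7.1.1.1.2.2 = INTEGER: 2
.1.3.6.1.4.1.9.9.272.1.1.1.7.1.1.1.2.3 = INTEGER: 1
.1.3.6.1.4.1.9.9.272.1.1.1.7.1.2.1.1.2 = INTEGER: 2
.1.3.6.1.4.1.9.9.272.1.1.1.7.1.2.1.2.3 = INTEGER: 2
"""

def parse_walk(text):
    """Return {(ifIndex, ssidIndex): {alg: {'enabled': bool, 'require_eap': bool}}}."""
    rows = defaultdict(lambda: defaultdict(dict))
    for line in text.strip().splitlines():
        oid, sep, value = line.strip().partition(" = INTEGER: ")
        if not sep:
            continue  # skip anything that is not an INTEGER varbind
        for column, field in ((AUTH_ALG_ENABLE, "enabled"), (AUTH_ALG_REQ_EAP, "require_eap")):
            if oid.startswith(column + "."):
                ifidx, ssid, alg = (int(x) for x in oid[len(column) + 1:].split("."))
                rows[(ifidx, ssid)][ALG_NAMES.get(alg, f"alg{alg}")][field] = int(value) == TRUE
    return rows

def eap_enforced(rows):
    """An SSID is EAP-enforced when every enabled auth algorithm is the eap
    algorithm itself or has RequireEap set; an SSID with nothing enabled is not."""
    verdict = {}
    for key, algs in rows.items():
        enabled = {n: a for n, a in algs.items() if a.get("enabled")}
        verdict[key] = bool(enabled) and all(
            n == "eap" or a.get("require_eap", False) for n, a in enabled.items())
    return verdict

if __name__ == "__main__":
    for (ifidx, ssid), ok in sorted(eap_enforced(parse_walk(SAMPLE_WALK)).items()):
        print(f"ifIndex {ifidx} SSID {ssid}: {'EAP enforced' if ok else 'FAULT: EAP not enforced'}")
```

On the constructed walk this flags only SSID 1, which is what the post argues WLSE should have reported for the TEST1SSID/TEST2SSID config.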
