topic Hi Roman, in Wireless

Ask the Expert: Wireless LAN Security

Monica Lluis — Mon, 05 Jul 2021 12:15:33 GMT

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and any ask questions about how to secure a wireless network with Cisco expert Roman Manchur

Wireless networks have became pervasive in today's world. Cisco offers very strong wireless porfolio that helps business to connect to the Internet anywhere anytime. Network managers need reassurance that solutions are available to protect their WLANs from these vulnerabilities and that WLANs can provide the same level of security, manageability, and scalability offered by wired LANs.

This session will focus on answering question regarding how to deploy, configure and troubleshot security in a wireless network and also the common pitfalls and issues that might happen in an installed secured wireless network.

To participate in this event, please use the button to ask your question.

Ask questions from Monday June 20 to Friday July 1st , 2016

Roman Manchur is a Customer Support engineer in the Cisco Technical Assistance Center in Cisco Brussels. He is expert on any wireless products, including Wireless LAN controllers and Access Points, as well as in many security products and technologies, including IBNS, ISE, ACS4.x/ACS5.x, AAA Security, RADIUS, and TACACS. Roman has over 8 years of experience in IT. He joined Cisco in 2011. Prior to Cisco he worked at Priocom, Pysus, Aricent and Telread. Roman holds a CCIE in Wireless (#47699) and a Master in Sciences in Telecommunications and IT from the National University Lviv Polytechnic.

Roman might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security and Network Management Community

Find other https://supportforums.cisco.com/expert-corner/events.

**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions

Hi,

muhsi_2015 — Tue, 21 Jun 2016 00:04:44 GMT

Hi,

What are the policies need to be applied on an ssid (open)which is redirecting a user to an ise portal page ?

for example post and pre authentication acl

Thanks

Hi Roman,

CSCO10662744_2 — Tue, 21 Jun 2016 00:14:36 GMT

Hi Roman,

One of our customers has Cisco WLC, MS NPS RADIUS server, and some clients doing WPA2-Enterprise authentication.
For some reason, all the endpoints work, except Win7 clients.

With either self, or public signed certs, Win7 would prompt for username/password, but after clicking OK, authentication would fail.

Win7 does NOT prompt for user to accept cert, while NPS has a log saying cert is not trusted.
Why would Win7 not prompt for user to accept cert, and how do we enable that prompt?

As a temporary workaround for testing purpose, we unchecked the option to validate server cert.
I don't remember having to do this extra step in any of my previous WPA2-Enterprise deployments...did Win7 clients change this behavior somehow in the past year or two?

Have you seen this same issue before?

Hi Muhsi,

Roman Manchur — Tue, 21 Jun 2016 16:29:43 GMT

Hi Muhsi,

Thanks for your question.

It depends what type of authentication with redirection are you trying to configure and on what platform. I will try to cover all scenarios in the response below.

In case you are talking about CWA (central web auth) configurarion, you will need configure WLAN profile with MAC authentication / AAA override and RADIUS NAC. Redirect-ACL has also be configured on WLC and it must allow access to DNS and ISE servers and also can allow access to any additional resources that are considered to be accessible by your local security policy for users in pre-authentication state. After initial MAC authentication, ISE will send redirect-ACL and redirect-URL in corresponding RADIUS AV-pairs. Any traffic that is denied in Redirect-ACL will be redirected to login portal on ISE. More details on that type of access can be found via this link: WLC CWA with ISE
In case you are interested in LWA with redirection to external login portal, then you need configure web-authentication policy on WLAN profile and assign corresponding Redirect-ACL directly to SSID configuration. Redirect-URL can either be defined in global configuration or over-ride on WLAN. Details regarding on LWA configuration with external portal can be found via following link: WLC LWA with ISE

Those configuration follow the same logic, though different command syntax, with IOS XE controllers (the major difference is with ACL entries, with IOS XE controllers traffic that is permitted without redirection is defined with 'deny' statements).

CWA configuration on 3650/3850/5760: CWA configuration on NGWC
LWA configuration on 3650/3850/5760: LWA configuration on NGWC

Post authentication ACL defines what resources are available to client after web-authentication is performed, it's regulated by your company security policies requirements.

Hi,

Roman Manchur — Tue, 21 Jun 2016 16:31:51 GMT

Hi,

Thanks for your question.

From what you are saying your customer is using EAP-PEAP authentication in the network. In generic case it does require server certificate to be trusted by client, only after certificate validation is successful client will be prompted for username and password.

In native supplicant configuration settings on Windows you have following options:

Validate server certificate (enabled by default). Can be disabled as workaround in cases client has no trust for server certificate, like in your case.
Do not prompt user to authorize new servers or trusted root certification authorities (disabled by default). That option enable / disable pop up for client to trust server certificate during authentication. That option is probably enabled on your Windows 7 client(s). If not, but no pop up is still happening, that's something you will need to check with Microsoft support team.

Reference screenshot:

As final solution I would recommend to import your NPS server certificate under trusted CA list on all clients in your network (can be pushed with GPO policies), so all clients have trust for the server certificate and therefor workaround with disabling server certificate validation is no longer needed.

It has to be installed under following location "Console Root\Certificates(Local Computer)\Trusted Root Certification Authorities\Certificates".

Thanks for the reply Roman.

CSCO10662744_2 — Tue, 21 Jun 2016 19:19:39 GMT

Thanks for the reply Roman. This particular customer is a University, where most of the endpoints are NOT managed, so ideally we prefer a solution that does not require the end user to modify any changes on their devices. We were hoping to know the root cause of the Win7 clients not prompting to accept the cert.

It could be that option "Do

Roman Manchur — Tue, 21 Jun 2016 20:00:18 GMT

It could be that option "Do not prompt user to authorize new servers or trusted root certification authorities" is enabled on those device, something I would check first - cause that's the only setting in native supplicant that enforce user interaction on accepting/declining server certificate.

But since you have no control on client device, neither you want to configure those client - another option will be generate CSR (certificate signing request) on your NPS server and sign it with some well known CA. After that install signed certificate on NPS server and use it as server certificate for EAP authentication. Clients will have trust for that certificate as they have corresponding signing CA certificate under default trusted CA list.

Hi

Prakash Parvathala — Wed, 22 Jun 2016 12:09:36 GMT

First i apologies to posting my question here because i do not know whether i am reaching to right group or not .

Please help me if it is right place.

AP 1552E with regulatory domain C (China, in 5Ghz band, it has 5 channels: 149, 153, 157, 161, 165)
AP 1572E with regulatory domain F (Indonesia, in 5Ghz, it has 4 channels: 149, 153, 157, 161)

WLC SW version 8.1

Questions:

1. Can We combine those two AP in single MESH bridge group?

2. Is there any potential problem if we put AP 1572 domain F as RAP and AP 1552 domain C as MAP? The logic is channel will be driven by RAP, so it will avoid to use channel 165 as backbone MESH, is it correct logic?

3. Is there any potential problem to combine AP 1552 and AP 1572 model in single MESH network since they have different capability?

Hi Prakash,

Roman Manchur — Wed, 22 Jun 2016 13:14:16 GMT

Hi Prakash,

You are in the right section 🙂

Answering your questions:

Yes, you can combine APs from different RF domain and different AP models in same BGN (bridge group name)
Normally, in the mesh world, channels are selected by the user for RAPs, and MAPs auto tune to RAP channels. In your question you are following this logic and if you configure 1572 domain -F as RAP with fixed channel, 1552 domain -C MAP will connect to it since it does scan on channels that RAP operates on.
Yes, in case you have 1552 domain -C being parent or RAP and operating on channel 165, then 1572 domain -F MAP won't be able to connect to given parent or RAP. So careful planning is needed.

You can use 'Backhaul channel deselect' feature to minimize administrative overhead when configuring MESH deployment to ensure you RAP/MAP never select certain channel (in your case channel 165): Backhaul channel deselect

Thank you so much for your

Prakash Parvathala — Wed, 22 Jun 2016 13:27:06 GMT

Thank you so much for your fast reply Roman.

I appreciate you.

Hi Roman

M. Wisely — Wed, 22 Jun 2016 13:56:54 GMT

Hi Roman

We have a rule in each policy set in our ISE 2.1 deployment that deals with staff attempting to connect their personal devices to our wireless network.

Currenty it just responds with AccessReject but I was wondering if in addition to this I could also statically add the endpoint into a group as part of the authorization result?

Thanks

Hi Martin,

Roman Manchur — Wed, 22 Jun 2016 14:26:13 GMT

Hi Martin,

Thanks for your question.

From what I know it's not possible to assign endpoint to certain group as part of authorization policy result. Authorization policies are a component of the Cisco ISE network authorization service. This service allows you to define authorization policies and configure authorization profiles for specific users and groups that access your network resources. They define permission on accessing certain network resources or do certain administrative actions.

If you need map client devices to certain device groups on ISE dynamically you should use profiling service. Based on your explanation you are interested to put personal devices in certain group, so probably best option would be to use AD probe and check condition 'AD-Host-Exists', then assign device to corresponding group if not found in AD.

Please refer to ISE profiling documentation for more details: Cisco ISE Endpoint Profiling Policies

I hope this information will be useful for you.

P.S: This section is related to Wireless LAN security, for your question more relevant topic will be in Security/AAA section.

Is there any way to pull up

kristina.pipes1 — Wed, 22 Jun 2016 14:31:45 GMT

Is there any way to pull up or scroll through the speed dial list on the screen of the 9971?

Hi,

netops1 — Wed, 22 Jun 2016 15:25:09 GMT

Hi,

On a 5508 WLC how can SSH Server CBC mode ciphers encryption be disabled and enable CTR or GCM cipher mode encryption?

Thank you.

Hi Netops1,

Roman Manchur — Wed, 22 Jun 2016 18:40:02 GMT

Hi Netops1,

Not possible since CTR and GCM ciphers aren't supported on WLC currently.

Please check below specification regarding supported encryption modes and cipher suits on 5500 controller series (Table #2 😞

http://www.cisco.com/c/en/us/products/collateral/wireless/5500-series-wireless-controllers/data_sheet_c78-521631.html

Hi Kristina,

Roman Manchur — Wed, 22 Jun 2016 18:43:29 GMT

Hi Kristina,

Unfortunately, I won't be able to answer your question since it's related to IP telephony and not to wireless technology.

I would recommend you to reach CUCM team regarding questions related to IP Phones functionality.

Dear Roman,

michael.yurchenko — Wed, 22 Jun 2016 21:52:53 GMT

Dear Roman,

I have a network that has a few access points connected to a 3850 that acts as a wireless controller, and a few more that cannot be directly connected due to the distance - so they are not a part of the wireless domain.

1) Is there any workaround to connect distant APs to the wireless domain without them being connected directly to the 3850 and without us having to buy another 3850 to act as an agent? They are physically connected to a WS-C2960S

2) When troubleshooting an issue on a wireless VLAN, I've set up a monitor session with the VLAN as the source and a single switchport as destination. On the wireshark capture at the destination, each frame is reproduced about 20 times - which makes it pretty much unusable. Why would it do that, and what can I do for more effective packet capture? Here's the example of a single host coming online...

3) Is there a best practices document that would outline the capacity planning, security considerations, and actual configuration for the wireless and wired components of an enterprise wlan using 3850 as a controller? I found bits and pieces in several documents, but not a single guide.

Hi Prakash,

Roman Manchur — Thu, 23 Jun 2016 09:26:15 GMT

Hi Prakash,

Thanks for your feedback, glad to hear you found this information useful.

Hi Roman.

muhsi_2015 — Thu, 23 Jun 2016 10:20:59 GMT

Hi Roman.

Thanks
In the ACL-REDIRECT the below ace meaning

eans do not redirect dns request and redirect any www ?
deny udp any any eq domain
permit tcp any any eq www

What about the postauthentication acl ,
Where should I apply the postauth ACL
Is it ok applying it on the core switch interface vlan ?

Thanks

Hi Muhsi,

Roman Manchur — Thu, 23 Jun 2016 14:08:39 GMT

Hi Muhsi,

Correct, given that you have following entries in ACL-REDIRECT:

deny udp any any eq domain
permit tcp any any eq www

means don't redirect DNS traffic, but redirect all HTTP traffic

Post-authentication ACL is also defined on controller as it will be sent to WLC / NGWC in RADIUS AV-pairs during authorization phase, since policy enforcement are done on controller per client session and not on core switch. In that ACL you define traffic that is permitted with 'permit' statement and traffic that needs to be dropped with 'deny'.