topic WLC 2504 Layer 2 Security in Wireless

WLC 2504 Layer 2 Security

as00001111 — Mon, 05 Jul 2021 16:48:36 GMT

Hey!

can someone tell me the difference between these two configurations:

Re: WLC 2504 Layer 2 Security

patoberli — Wed, 06 Feb 2019 14:42:33 GMT

First one is using the unsafe WEP protocol, while the second one is using the safe and state of the art WPA2 with AES. Only use the second.

Re: WLC 2504 Layer 2 Security

as00001111 — Wed, 06 Feb 2019 15:18:56 GMT

I wanted to ask regarding the 802.1X Auth.

What is the difference regarding 802.1X ?

Re: WLC 2504 Layer 2 Security

patoberli — Wed, 06 Feb 2019 15:30:01 GMT

That one I don't know for sure.
In any case, if you enable 802.1x, you can use a RADIUS server for authentication, something that would not work if you'd use PSK.
The same is valid for both variants, just that the first one will use WEP, while the second one will use WPA2-AES for data encryption in the air.

Re: WLC 2504 Layer 2 Security

Haydn Andrews — Wed, 06 Feb 2019 21:58:34 GMT

The First one is using using 802.1x is when using Cisco LEAP authentication, it doesn't use any WPA or WPA2 encryption but instead uses WEP encryption.

You will more than likely find that with the introduction of WPA3 that this option will be remove to enable the AP/ Controllers to gain WPA3 certification from the WIFI Alliance.

The second one is using the WPA2 AES encryption with 802.1x authentication. If you require a PSK network untick the 802.1X box and tick the PSK box and enter the PSK to the box that pops up

For Layer 2 security there are really only 2 options that you would use:

WPA+WPA2 or none

Re: WLC 2504 Layer 2 Security

as00001111 — Thu, 07 Feb 2019 08:24:06 GMT

@Haydn Andrews

Thanks for your answer.

I understand!

Additionally, I would like to do 802.1X Mac Authentication/Mac Filtering with a Microsoft Network Policy Radius Server.

I followed that manual:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html

It says:

Click Security > MAC Filtering.
In the MAC Filtering window, choose the type of RADIUS server under RADIUS Compatibility Mode.
This example uses Cisco ACS.
From the MAC Delimiter pull down menu, choose the MAC delimiter.
This example uses Colon.

When I want to do that with the Microsoft NPS, which RADIUS Compatibility Mode and MAC Delimiter is correct?

Re: WLC 2504 Layer 2 Security

Haydn Andrews — Thu, 07 Feb 2019 08:36:39 GMT

Under the WLAN select you NPS server under the AAA servers.

For NPS I believe that Cisco ACS and colon delimiter is correct.

To determine which mode you need to know what the NPS RADIUS server is expecting for the password for the mac auth.
ACS expects to see the username and password to both be the mac address for mac authentication.
Free Radius uses a shared secret for a password.
And other Radius servers don't require any password for mac auths sent to the server.

Re: WLC 2504 Layer 2 Security

as00001111 — Fri, 08 Feb 2019 10:04:33 GMT

@Haydn Andrews

I also have to check the "Mac Filtering" box under Layer 2 Security, don't I?

What do you mean with password for the mac auth?

My NPS Server is installed on my domain controller with Active Directory. So my intention is to create a user that has the mac address as username and password, without colons, for example: 00a24455d223.

Then I want to add that user to a domain group. In the NPS I want to create a network policy with the condition "windows group". I then choose the group that contains the mac address users. (as I said before).

Do you think that works?

Re: WLC 2504 Layer 2 Security

Haydn Andrews — Fri, 08 Feb 2019 10:40:03 GMT

When your doing MAC auth with radius, the WLC sends a username and password to the RADIUS server.

If you select mode Cisco ACS it uses the client MAC address for both the username and password. If your configuring this on AD and having NPS check this then that will work.

Check the delimiter matches how you plan to enter these.

Is your plan to also look at user Auth? or only consumed with the mac auth?

If your looking at both, you could use RADIUS rules (now i cant talk for NPS as my RADIUS experience is limited to ISE) and the auth is against the users credentials but you also use the client MAC address to define the authorisation policy.

cheers

Haydn

Re: WLC 2504 Layer 2 Security

as00001111 — Fri, 08 Feb 2019 11:16:34 GMT

And I need to check that box, right?

Re: WLC 2504 Layer 2 Security

Haydn Andrews — Fri, 08 Feb 2019 11:18:11 GMT

correct