
Ask the Expert: Wireless LAN Security

ciscomoderator
Community Manager

Wireless LAN Security with Jeal Jimenez

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to implement, configure, and troubleshoot WLAN security with expert Jeal Jimenez.

Our expert will also discuss how WLAN security works and the different security methods that are available and implemented on enterprise WLANs to validate clients and protect their traffic along with the network. 

Jeal Jimenez is a customer support engineer for the Cisco High-Touch Technical Support department specializing in wireless LAN technology. Prior to joining the HTTS department, he worked as a customer support engineer focused on wireless LAN in the Technical Assistance Center before he was promoted to an escalation leader and trainer, working also as a Cisco lab admin during these years. Jeal's technical expertise in the area of wireless LAN technologies spans more than seven years, and he also contributed to Cisco documentation and to the CCIE Wireless written exam. He holds a bachelor's degree in systems engineering from Universidad Latina in Heredia, Costa Rica. Jeal also holds the certifications CCNA, CWNA, CWSP, CCNP, and CCIE wireless (# 31554).

Remember to use the rating system to let Jeal know if you've received an adequate response. 

Because of the volume expected during this event, Jeal might not be able to answer every question. Remember that you can continue the conversation in the Wireless - Mobility community, subcommunity, Security and Network Management, shortly after the event. This event lasts through October 18, 2013. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.

      

64 Replies

Got it. Thanks Jeal!!

Hi Jeal Jimenez,

We implemented 5 new APs (AIR-SAP2602I-E-K9) for a medium warehouse, but the existing APs we used are 3 AIR-AP1242G-E-K9.

Users use 50 Symbol "MC3190" handhelds.

When the new APs are installed, users can't work with the handhelds; the handheld screen shows "disconnect from program".

I tried shutting down dot11radio 0 on the 5 new APs and tried with the 3 AIR-AP1242G-E-K9, and it's fine.

The Symbol "MC3190" handheld supports a maximum data rate of 54 Mbps.

Best Regards,

Thamon

Hello Thamon,

The configurations look fine (I just noticed the subnet mask of the BVI1 interface on the 2602 AP is different than on the 1240, but this shouldn't cause this problem where the handhelds are not connecting at all; however, I still recommend you to check this).

Now, this is an issue where you can definitely be affected by interoperability with these handhelds (mainly if they are old radios, and the 2600 AP's radios are new radios with 802.11n features supported, while the 1240s are not, just 802.11b/g). Therefore, I will recommend configuring the radio settings similar to the 1240, and I noticed that the data-rates configuration is not matching (you are using the default data-rates setup on the 1240, while you are not allowing the lower data-rates on the 2600). This could definitely be a problem depending on the handhelds behavior, so you could configure the data-rates the same way on the 2600 for testing:

basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0

If the problem continues, then some wireless packet captures might be the best way to go as there could be a software issue negotiating the association, since this is a very simple setup that should work just fine (check also if you see this problem with other type of wireless clients, and if this is the case, then I will recommend reconfiguring the PSK manually on the AP).

Regards,

Jeal

vijay kumar
Level 2

Hi Jeal,

We want to use MDM in our test lab for mobile device posture and security purposes. Is there any free or trial-period MDM available that we can integrate with Cisco ISE?

Thanks!

Regards,

Hi Vijay,

MDM integration capabilities are supported on the ISE with the Advanced license, and the free trial evaluation license on the ISE (when you first install it) includes Base and Advanced licenses for a 90-day trial period.

If you need to extend this ISE evaluation license for any reason, then you could contact your Cisco sales/account team, and they should be able to help you generate the specific license that you need to do your tests (a specific license, or simply extend the trial evaluation license for another 90-day period, so you can use the Advanced license features).

Regards,

Jeal

Hi Jeal,

Thanks a lot for your reply. Is there any free version of MDM I can integrate with ISE?

Regards,

Vijay

usamanisarkhan
Level 1

Hello sir,

I am CCNA qualified and I want an online part-time learning job as a volunteer. I am ready to work for free as I want to learn. I am an undergraduate software engineering student.

Thanks

Hi Jeal,

Thank you very much for your information and support. I have some questions.

What is the meaning of the data-rate configuration below, in detail?

"basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0"

and

"basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0"

Do they mean the same thing or something different?

And for the 2600 APs, can I open only data A and G? Because the Symbol MC3190 handheld supports A/G.

Best Regards, 

Thamon Poomsuwan

Hi Thamon,

Regarding the data-rates, when you see the CLI configuration on an autonomous IOS AP with the "basic" word (basic-1.0 for example), this means that this is a Required data-rate, meaning that the wireless client must be able to support it when connecting to this WLAN/SSID.

So for this setup:

"basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 "

You are only forcing data-rates 1, 2, 5.5, and 11 to be required on the 2.4GHz radio, which are the rates achieved using DSSS modulation technique by 802.11b clients or 802.11g clients (which support them mainly for backwards compatibility with old 802.11b clients).

For the other data-rates setup where all the rates are configured as basic, then you are forcing all rates to be required, so all clients connecting to this AP's radio must be able to support them, but this setup is not normal and could cause some compatibility issues with specific clients (this data-rates setup also affects the AP's coverage area and overall design, but this is why you need to test this carefully; we just need to modify them sometimes due to clients having problems or specific behaviors with some data-rates setups).

Regarding your other question, if I understood correctly, you want to know if you can use the 802.11a radio (which is actually the 5GHz band radio) and the 802.11b/g radio (which is the 2.4GHz band radio) on these 2600 series APs. Yes, your 2600 AP has two radio interfaces, one for the 2.4GHz 802.11b/g/n clients (the interface dot11Radio 0) and another one for the 5GHz 802.11a/n clients (the interface dot11Radio 1). Therefore, if your clients support both radio bands with 802.11a and 802.11g technologies, then you could definitely use both radios on the AP for these clients; you just need to assign the SSID and its encryption to the 5GHz interface dot11Radio 1 as well (and also configure the VLANs for this radio interface, which will make subinterfaces as you currently have on the other radio).

PS: Please note that these recommendations are mainly because it really seems that your Handhelds are having some compatibility issues with your new 2600 series APs, but the current setup should work fine for any wireless client properly working within the standards... There are just some extra features that could "confuse" or affect some specific clients (this is probably why you will only face problems with these specific handhelds and not laptops), so if your clients are currently working fine with the 1240 AP, I am just recommending that you could match the setup between APs to check if this can help (for example, you could also disable "stbc" within the interface Dot11Radio 0 -using the "no stbc" command-, which is an 802.11n feature that your wireless clients don't support).

Regards,

Jeal
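The rule in the answer above (a client must support every "basic" rate to associate, and may then use whichever of the remaining rates it shares with the AP) applied to both rate lists quoted in this thread, as an added example that is not part of the original thread or of Cisco's own code. It assumes the list is the argument of the autonomous IOS `speed` command under the radio interface (the thread quotes only the rate list itself), and the two client profiles are constructed from the thread's description: a pure 802.11b handheld versus an 802.11g client.

```python
"""Interpret an autonomous IOS AP radio data-rate list and check which clients
can associate.  Added example, not from the thread: the list is assumed to be
the argument of `speed` under `interface Dot11Radio0`."""

import re

# Constructed client profiles, following the thread's description: a pure
# 802.11b client speaks only the DSSS/CCK rates, an 802.11g client adds the
# OFDM rates on top of them.
DOT11B_RATES = frozenset({1.0, 2.0, 5.5, 11.0})
OFDM_RATES = frozenset({6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0})
DOT11G_RATES = DOT11B_RATES | OFDM_RATES

# The two rate lists quoted in the thread (second one keeps its stray space).
MIXED = "basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0"
ALL_BASIC = ("basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 "
             "basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic- 54.0")

_TOKEN = re.compile(r"^(basic-)?(\d+(?:\.\d+)?)$")


def parse_speed_list(config_line):
    """Split a rate list into (required, supported) sets of Mbps values.

    'basic-X' marks X as a required (BSS basic) rate; a bare number is
    supported but optional.  A space after 'basic-' (as in the thread's
    'basic- 54.0') is tolerated, and surrounding quotes are ignored.
    """
    text = re.sub(r"basic-\s+", "basic-", config_line.strip().strip('"'))
    required, supported = set(), set()
    for token in text.split():
        match = _TOKEN.match(token)
        if match is None:
            raise ValueError(f"unrecognised rate token: {token!r}")
        rate = float(match.group(2))
        supported.add(rate)
        if match.group(1):
            required.add(rate)
    return required, supported


def can_associate(client_rates, required):
    """802.11 association rule: the client must support every basic rate."""
    return required <= set(client_rates)


def best_rate(client_rates, supported):
    """Highest rate both the AP offers and the client supports (None if none)."""
    common = set(client_rates) & set(supported)
    return max(common) if common else None


def describe(config_line, clients):
    """Per named client: (can it join?, top usable rate or None)."""
    required, supported = parse_speed_list(config_line)
    report = {}
    for name, rates in clients.items():
        ok = can_associate(rates, required)
        report[name] = (ok, best_rate(rates, supported) if ok else None)
    return report


if __name__ == "__main__":
    clients = {"802.11b-only handheld": DOT11B_RATES, "802.11g client": DOT11G_RATES}
    for label, line in (("mixed", MIXED), ("all basic", ALL_BASIC)):
        print(label, describe(line, clients))
```

With the mixed list the b-only handheld associates and tops out at 11 Mbps while the g client reaches 54 Mbps; with every rate marked basic the b-only handheld is refused outright, which is the compatibility effect the answer warns about.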

ajc
Level 7

Hi Jeal,

One more question regarding step 7 on the Web Auth process. See next screenshot.

When is the user forwarded to the URL the client entered? In my case, I am always forwarded to the Web Auth Redirect URL configured in the WLC even though the URL I entered was, for example, espn.com, once I am associated and got a valid IP from DHCP (including DNS info, default GW, etc.) and later on authenticated.

In addition to that, using the ISE Authz policy I could do Splash Web Redirect on the WLC after a successful PEAP authentication, BUT the URL redirection is not working in the way I need it. Do I have to customize something in the URL Redirect html files? I will send you some additional screenshots later.

Hi Abraham,

Regarding your first question about when the client is forwarded to the URL the user entered, let me tell you that this will only happen if you don't have any redirect URL configured on the WLC... In that case, after successful Web-Authentication, the client is redirected to the web site it was trying to access when it got redirected to the Web-Auth page for authentication/login, but as long as you configure a web site on the "Redirect URL after login" feature on the WLC, then the controller will always redirect the clients to this specific web site because you are asking it to do it (for example, you want all users to get to your company's web site once authenticated on your guest WLAN, regardless of where they wanted to go. If you don't want to do this, then you just don't configure this "Redirect URL after login" field/feature on the WLC).

Regarding your other question, I will need more details about the specific setup and the specific behavior that you are having which is not working as you want (and also to understand clearly what exactly you want), so I can try to give a hand.

Regards,

Jeal

Hi Jeal, thanks for your answer.

I will give it a try (just curious), since the URL Redirect to the external login page takes the credentials I enter and sends them back to the action_url in order to complete the authentication process. Therefore, I assume in this case the WLC Login Page will be presented so I can complete the auth process.

With respect to my 2nd question, PEAP auth is completed but I need something like a UAP page before the user can access the Internet. I think there is something that I need to customize in the ISE --> Web Portal Mgmt --> Guest --> Multiportal --> Test (preliminary UAP html file inside). I will post some screenshots later.

Hello Jeal,

All good!!!

I have the following equipment:

* Two 5508 controllers

* 120 3602i APs

* IOS version: 7.5

The APs are load-balanced between the 2 controllers.

There is an SSID named Invitados with the following policies:

* Layer 2: WPA2 -> PSK

* Layer 3: Web Authentication.

* Advanced:

      - Enable Session Timeout: 65535

      - Client Exclusion: 0

      - Client user idle Timeout: 86400

The problem is that users keep getting disconnected; that is, in the morning they log in on their iPad or iPhone, and 30 minutes later it asks for the username and password again to log in and connect to the network. The question is how to make that reconnection interval 8 hours or more instead of 30 minutes.

Sticky is also enabled for the SSID.

Regards and Pura Vida.

Pura Vida Francisco!

This problem is typical with this type of device (mainly Apple iDevices), since they go to sleep (sleep mode) when locked, and what normally happened is that the WLC disconnects them once the user-idle timeout has expired. This is why we created a new feature called "Sleeping client timeout", which is used to keep guest clients in the association table for the time configured there (avoiding disconnecting all those that go into sleep mode):

http://www.cisco.com/en/US/docs/wireless/controller/7.5/config_guide/b_cg75_chapter_010111.html#d87649e2025a1635

However, this feature is not supported when Layer-3 Web-Auth is combined with Layer-2 security (this setup with Layer-2 WPA/WPA2-PSK is not normal, since "guest" users normally use only Layer-3 Web-Auth), and I can tell you that the clients are probably disconnecting due to behaviors or reconnections related to this Layer-2 security method (this is why it happens even before the user-idle timeout or session timeout, which you already configured with high values, expires). This can happen for several reasons during the association process, but the "broadcast key rotation interval" is probably what is giving them problems... If you want, try configuring this interval to a higher value using this command:

config advanced eap bcast-key-interval

If the problem continues, I recommend analyzing the debugs when the problem occurs to confirm the exact reason why the client is disconnected. You can use the debug macro that shows the activity of a specific client:

debug client

Regards!

Jeal
