Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask any questions about how to secure a wireless network with Cisco expert Roman Manchur.
Wireless networks have become pervasive in today's world. Cisco offers a very strong wireless portfolio that helps businesses connect to the Internet anywhere, anytime. Network managers need reassurance that solutions are available to protect their WLANs from these vulnerabilities and that WLANs can provide the same level of security, manageability, and scalability offered by wired LANs.
This session will focus on answering questions regarding how to deploy, configure and troubleshoot security in a wireless network, as well as the common pitfalls and issues that might occur in an installed secured wireless network.
Ask questions from Monday June 20 to Friday July 1st , 2016
Roman Manchur is a Customer Support Engineer in the Cisco Technical Assistance Center in Cisco Brussels. He is an expert on wireless products, including Wireless LAN Controllers and Access Points, as well as on many security products and technologies, including IBNS, ISE, ACS 4.x/ACS 5.x, AAA security, RADIUS, and TACACS. Roman has over 8 years of experience in IT. He joined Cisco in 2011. Prior to Cisco he worked at Priocom, Pysus, Aricent and Telread. Roman holds a CCIE in Wireless (#47699) and a Master of Science in Telecommunications and IT from the National University Lviv Polytechnic.
Roman might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security and Network Management Community
We are using AnyConnect 4.2.02075 and ISE 1.4, and all of a sudden we are seeing certificate errors for some wireless (Mac OS) users.
Issue: the client is trying to trust the PSN local certificate, which is not configured for EAP authentication at all.
How is the user getting the response to trust a cert which is not configured?
Error screenshot attached.
Please refer to the following guide regarding rogue detection and management:
A rogue is essentially any device that is sharing your spectrum but is not in your control. This includes rogue Access Points (APs), wireless routers, rogue clients, and rogue ad-hoc networks.
If probe responses or beacons from a rogue device are heard by either local mode, FlexConnect mode, or monitor mode APs, then this information is communicated via CAPWAP to the Wireless LAN Controller (WLC) for processing. A rogue device can be identified regardless of whether its SSID is broadcast or not. In order to prevent false positives, a number of methods are used to ensure that other managed Cisco-based APs are not identified as rogue devices. These methods include mobility group updates, RF neighbor packets, and white-listing autonomous APs via Cisco Prime Infrastructure (PI).
Therefore, those APs that aren't joined to your 3850 and are seen by other APs that are joined to this controller are identified as rogues.
Rogue detection has no impact on wireless client connectivity unless you also have containment enabled for rogue APs.
If auto containment is on the WLC, then you need to disable it in order not to impact client connectivity to those other APs.
In case it's already disabled, then there must be some other reason for the client connectivity problems; you may need to enable system traces on the WLC to troubleshoot connectivity problems:
Enable these traces in order to obtain the L2 auth logs:
set trace group-wireless-secure level debug
set trace group-wireless-secure filter mac <client-mac-address>
Enable these traces in order to obtain the dot1X AAA events:
set trace wcm-dot1x aaa level debug
set trace wcm-dot1x aaa filter mac <client-mac-address>
Enable these traces in order to receive the DHCP events:
set trace dhcp events level debug
set trace dhcp events filter mac <client-mac-address>
Enter the show trace sys-filtered-traces command in order to view the traces:
Enter these commands in order to disable the traces and clear the buffer:
set trace control sys-filtered-traces clear
set trace wcm-dot1x aaa level default
set trace wcm-dot1x aaa filter none
set trace group-wireless-secure level default
set trace group-wireless-secure filter none
What are the policies that need to be applied on an SSID (open) which is redirecting a user to an ISE portal page?
For example, post- and pre-authentication ACLs.
Thanks for your question.
It depends on what type of authentication with redirection you are trying to configure and on which platform. I will try to cover all scenarios in the response below.
Those configurations follow the same logic, though with different command syntax, on IOS XE controllers (the major difference is in the ACL entries: with IOS XE controllers, traffic that is permitted without redirection is defined with 'deny' statements).
The post-authentication ACL defines what resources are available to the client after web authentication is performed; it is regulated by your company's security policy requirements.
In the ACL-REDIRECT, do the ACEs below
mean do not redirect DNS requests and redirect any www?
deny udp any any eq domain
permit tcp any any eq www
What about the post-authentication ACL?
Where should I apply the post-auth ACL?
Is it OK to apply it on the core switch interface VLAN?
Correct, given that you have following entries in ACL-REDIRECT:
deny udp any any eq domain
permit tcp any any eq www
means don't redirect DNS traffic, but redirect all HTTP traffic
The post-authentication ACL is also defined on the controller, as it will be sent to the WLC / NGWC in RADIUS AV-pairs during the authorization phase, since policy enforcement is done on the controller per client session and not on the core switch. In that ACL you define traffic that is permitted with 'permit' statements and traffic that needs to be dropped with 'deny'.
An example can be as simple as this:
Extended IP access list post-auth
10 permit ip any any
It can be more restrictive, allowing internet access only:
Extended IP access list post-auth
10 deny ip any 192.168.0.0 0.0.255.255
20 deny ip any 188.8.131.52 0.31.255.255
30 deny ip any 10.0.0.0 0.255.255.255
Again, as I mentioned earlier, it all depends on the access restrictions you want to enforce for guest users or users connected with web-auth.
As for configuration, that post-auth ACL can also be configured on the controller and sent back during authorization; in that case it's configured as either of the below parameters (depending on WLC platform) under the corresponding authorization profile on ISE in the 'Common Tasks' section:
With IOS XE controllers you can also use dynamic ACL assignment; in that case the ACL is defined on ISE, which is a more scalable option as only one instance of the ACL is kept on the central AAA server, rather than independent ACLs per WLC.
In the attached documentation you can find more details on dACL functionality and configuration.
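As an added example (not code from the thread or from Cisco), the evaluator below applies Cisco wildcard masks, first-match and the implicit deny to the ACL-REDIRECT and post-auth ACLs discussed above, using the IOS XE convention from the answer (permit = redirect, deny = pass through; on AireOS the meaning is reversed). It also shows that a post-auth ACL made only of deny lines blocks internet traffic through the implicit deny until a final permit is added. The ACLs, flows and addresses are constructed.

```python
import ipaddress

# Added example (not from the thread): Cisco-style extended ACL evaluator with
# wildcard masks, first-match and implicit deny. Redirect semantics are IOS XE
# as in the answer: 'permit' = redirect to the portal, 'deny' = pass through.
PORTS = {"domain": 53, "www": 80}   # named ports used in the thread's ACEs

def parse_ace(line):
    """'[seq] action proto src dst [eq port]' -> (action, proto, src, dst, port)."""
    tok = line.split()
    if tok[0].isdigit():             # optional sequence number, e.g. "10 permit ..."
        tok = tok[1:]
    action, proto, i = tok[0], tok[1], 2
    addrs = []
    for _ in range(2):               # source, then destination
        if tok[i] == "any":
            addrs.append(None)
            i += 1
        else:                        # "network wildcard" pair
            addrs.append((tok[i], tok[i + 1]))
            i += 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = int(PORTS.get(tok[i + 1], tok[i + 1]))
    return action, proto, addrs[0], addrs[1], port

def addr_matches(addr, spec):
    """Cisco wildcard mask: bit 1 = don't care, bit 0 = must match (None = any)."""
    if spec is None:
        return True
    a, net, wild = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    return (a & ~wild) == (net & ~wild)

def first_match(acl, proto, src, dst, dport=None):
    """Action of the first ACE matching the flow, or 'deny' (implicit deny)."""
    for action, p, s, d, port in map(parse_ace, acl):
        if (p in ("ip", proto) and addr_matches(src, s)
                and addr_matches(dst, d) and (port is None or port == dport)):
            return action
    return "deny"

def ios_xe_redirects(redirect_acl, proto, src, dst, dport):
    return first_match(redirect_acl, proto, src, dst, dport) == "permit"

# Constructed sample ACLs mirroring the thread. POST_AUTH_DENY_ONLY has no final
# permit, so the implicit deny blocks internet traffic as well as RFC1918 ranges.
ACL_REDIRECT = ["deny udp any any eq domain", "permit tcp any any eq www"]
POST_AUTH_DENY_ONLY = ["10 deny ip any 192.168.0.0 0.0.255.255",
                       "20 deny ip any 10.0.0.0 0.255.255.255"]
POST_AUTH_INTERNET = POST_AUTH_DENY_ONLY + ["30 permit ip any any"]
```

HTTPS (443) is not matched by the redirect ACL and so is not intercepted, which is why the portal only appears on plain HTTP unless a permit for 443 is added.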
I have a customer with a small site, only 7 APs managed by a pair of 2504 WLCs running 8.0.133. I recently updated the controller software so they could support new 3702 APs, and moved them from Prime Infrastructure 1.3 to 3 at the same time. Naturally, that caused a flood of questions!
The 2504s run AP-based HA, so the WLCs can get out of sync in terms of local users and their credentials, because they are effectively running as stand-alone controllers.
Is there any way of using Prime (or anything else!) to automatically synchronize the users/credentials across the two WLCs?
1 - I have a vWLC running 8.2 code in a densely populated office. Recently the vWLC RRM feature has been putting 2600 APs on the same channel on the 802.11a interface.
What would cause this to happen?
2 - In the SNMP trap logs I see many instances where 'Rogue AP are removed from Base Radio MAC'. What does this mean?
3 - The SNMP trap logs are not sent to syslog; why is this? I have set syslog to debug level. How can I get SNMP trap logs sent to syslog?
Thanks for your questions.
As per my understanding, you are running 2x 2504 in 1+1 redundancy and you want to keep the configuration synchronized between the WLCs.
That platform doesn't support SSO redundancy, so you have to be sure to apply the same configuration on both WLCs.
I would recommend using Prime Infrastructure to define WLC templates and apply those templates to the WLCs from PI. Please refer to the link below regarding template configuration for local management users in PI:
Let me know if that helps.
Your description of the use of N+1 redundancy is correct, but sorry, my description was not as clear as it could have been!
These are not management users: When new WLAN users attempt to associate with the AP, the WLCs present a splash page to which the users have to add their username/password to be allowed to associate with the AP.
To summarise, I want to be able to use PI to replicate what the Lobby Ambassador sees on one WLC on the other, so that if one WLC fails, the user logon is available on the other automatically.
So the question was about local netuser accounts on WLC for guest authentication.
First you will need to sync up the current configuration on both controllers. For that:
netuser add guest1 cisco123 wlan 0 userType guest lifetime 3600 description test_guest
netuser add guest2 cisco345 wlan 0 userType guest lifetime 1800 description
After that I would recommend using the Prime Infrastructure Ambassador Account for centralized management of guest accounts on the WLCs.
Let me know if that helps or should you have any questions.
The first part of the advice works well, and allows me to manually duplicate netusers on each WLC and thereby synchronise them. However, I must have missed the point with regard to using the Ambassador account. The manual says:
Step 1 Log in to Prime Infrastructure as a lobby ambassador.
which makes perfect sense, but when I try to select "Add User Group", it's not there: see attached screenshot.
Am I doing something wrong, or is the manual at fault?