Wireless LAN Controller 5508 and Cisco ACS 5.3 WPA2

Kai Onken · ‎01-15-2012

Hello,

is it possible in the following combination of hard- and software to setup the following requirements:

Available Hardware:

Cisco Wireless LAN Controller 5508

Cisco Aironet 1140 Series Access Points

Cisco Wireless Control System

Cisco Secure Access Control Server 5.3

Additional hardware/software can be provieded like, e.g. Active Directory, CA, ...

1. Allow only access to the wireless network 'internal', when:

- every trusted, internal Client should be deployed with an 802.1x certificate

- every trusted, internal Client should get his own personalized WPA2 Key

2. Allow only access to the wireless network 'guest', when:

- every untrusted Guest (Client) sould get his own personalized WPA2 Key, generate by a lobby user on the WCS or a permited sponsor (somethine like internal user is member of a special Active Directory Group or WCS Group)

- every untrusted Guest (Client) has also to use WebAuth with his on personal username und password

- Loggin should be enabled to a Syslog Server

Wishes:

- Is it possible to deny trusted, internal Clients access to the wireless guest network using WCS and/or ACS?

- This setup should also be used inside the wired environment like:

trusted, internal Client with 802.1x certificate -> VLAN 100

trusted, internal Client with a register MAC Address at the ACS -> VLAN 200

untrusted Client -> VLAN 300 (like wireless quest network, webauth will requiered)

Kind regard

Kai

Scott Fella · ‎01-15-2012

I will try to give this a shot:)

1. Allow only access to the wireless network 'internal', when:

- every trusted, internal Client should be deployed with an 802.1x certificate

You will need to use EAP-TLS (WPA2/AES 802.1x). The requirement here is that the devices must be able to obtain a certificate from your CA and also trust your CA. Devices that do not support EAP-TLS will have to use another encryption method or get put on the guest network.

- every trusted, internal Client should get his own personalized WPA2 Key

I don't know what you mean by this. Internal clients will be using WPA2/AES w/ 802.1x There is no PSK when doing 802.1x.

2. Allow only access to the wireless network 'guest', when:

- every untrusted Guest (Client) should get his own personalized WPA2 Key, generate by a lobby user on the WCS or a permitted sponsor (something like internal user is member of a special Active Directory Group or WCS Group)

When using lobby administrator or a "Sponsor", you only create accounts. That is username and password and how long the user is available on the guest network. Again.... what do you mean personalized WPA2 Key? If you are talking about WPA2/AES PSK, every user will be using the same PSK that is configured on the WLAN SSID.

- every untrusted Guest (Client) has also to use WebAuth with his on personal username und password

You can do this using the WLC. The lobby admin or sponsor can create guest user accounts wither from the WLC or WCS.

- Logging should be enabled to a Syslog Server

You can use a syslog server and determining what syslog level you want to use.

Wishes:

- Is it possible to deny trusted, internal Clients access to the wireless guest network using WCS and/or ACS?

Not if you are creating local accounts on the WLC. To do something like this, you will need to either use the Nac Guest Server or the Identity Services Engine.

- This setup should also be used inside the wired environment like:

trusted, internal Client with 802.1x certificate -> VLAN 100

trusted, internal Client with a register MAC Address at the ACS -> VLAN 200

untrusted Client -> VLAN 300 (like wireless quest network, webauth will required)

What is the difference between a client with 802.1x and one with a registered MAC Address? Have you looked a getting another WLC5508-12 for use as a guest anchor WLC? This way guest traffic is tunneled to the DMZ. With ACS, you can place users who are in different AD groups in what ever vlan they are suppose to be on. For example, if an executive in the executive group logs in (802.1x), ACS will match that user to the executive group in AD and put that user in vlan 110. Now if a regular user (member of Wireless AD group) connects using 802.1x also on the same SSID you can match against that AD group and place then on vlan 120.

The thing here is that Guest is not using 802.1x nor will you be using ACS for login accounts, so the WLC will be the place where you determine what subnet these user who connect of the Guest SSID will be placed on.

Take a look at te ISE product, because that might be the way to go if you want ot be able to do all your wishes:) ISE doesn't do Tacacs though if you plan on doing that. ACS will be required for that.

-Scott
*** Please rate helpful posts ***

Kai Onken · ‎01-15-2012

Hi Scott,

many thanks for your answer.

1. both dashed

I would like to know, if it is possible to lock the internal Wireless SSID with a WPA2 key, OK, yes I know that this works. But is it possible to use also 802.1x certification, like you worte correctly, by using a CA

1. second dash

With "personalized WPA2 Key" I had on my mind, if you have a company with, e.g. 500 employee. Everybody would be allowed to use the internal truestes wireless network. I would like to know, if it ist possible to provied for this wirless network multiple key's ?

Like:

Employee 1 Notebook: WPA2 alv0alasd

Employee 2 Notebook: WPA2 bladl30ad

Employee 3 Notebook: WPA2 aasdmoas

- To secure, that employee will not share their key, if the know it. And if it will be shared, it could may be possible to check with which key, the 3rd Party guy has logged on.

- Also to use this feature with guest, so that every quest will get an own WPA2 key fort the quest network.

Kind regards

Kai

PS: Excuse me, if I wrote some mistakes or terrible sentences.

Scott Fella · ‎01-15-2012

With 802.1x, each device will get a "master key" that is unique to each device. You can't have multiple pre shared keys or else you would have to have a separate SSID for each user. With 802.1x there is no need for a pre shared key.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

George Stefanick · ‎01-15-2012

Vendors like aerohive have a ppsk which can do as you requested, just an FYI. Cisco can not ..

Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Stephen Rodriguez · ‎01-15-2012

adding my two cents.

If you are wanting all 'trusted' to have a certificate and do 802.1x there is no need for a PSK for them as well. PEAP with machine auth would work, fine if you enforce certificate validation. Or run with TLS and rely on the PlI infrastructure.

For the guest, you can put a PSK on the WLAN and have the lobby ambassador five the guest the key as well as create credentials for the user for webauth as well.

To keep the internal users off of the guest, you enable NAR on the ACS. So long as you allow the guest WLAN to check local and radius it will keep the internal user off of the guest network when they put their AD credentials in the webauth login page.

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered