WLC 2504 Layer 2 Security

as00001111 (Level 1)

Hey!

Can someone tell me the difference between these two configurations?

(attached screenshots: wlan1.JPG, wlan2.JPG)

10 Replies

patoberli (VIP Alumni)
First one is using the unsafe WEP protocol, while the second one is using the safe and state of the art WPA2 with AES. Only use the second.

I wanted to ask regarding the 802.1X Auth.

What is the difference regarding 802.1X?

That one I don't know for sure.
In any case, if you enable 802.1x, you can use a RADIUS server for authentication, something that would not work if you'd use PSK.
The same is valid for both variants, just that the first one will use WEP, while the second one will use WPA2-AES for data encryption in the air.

Haydn Andrews (VIP Alumni)

The first one, using 802.1x, is when using Cisco LEAP authentication; it doesn't use any WPA or WPA2 encryption but instead uses WEP encryption.

You will more than likely find that with the introduction of WPA3 this option will be removed to enable the APs/controllers to gain WPA3 certification from the Wi-Fi Alliance.

 

The second one is using WPA2 AES encryption with 802.1x authentication. If you require a PSK network, untick the 802.1X box, tick the PSK box and enter the PSK in the box that pops up.

 

For Layer 2 security there are really only 2 options that you would use:

WPA+WPA2 or none

*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

@Haydn Andrews

Thanks for your answer.

I understand!

Additionally, I would like to do 802.1X MAC Authentication/MAC Filtering with a Microsoft Network Policy RADIUS Server.

I followed that manual:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html

It says:

 

  • Click Security > MAC Filtering.

  • In the MAC Filtering window, choose the type of RADIUS server under RADIUS Compatibility Mode.

    This example uses Cisco ACS.

  • From the MAC Delimiter pull down menu, choose the MAC delimiter.

    This example uses Colon.

 

When I want to do that with the Microsoft NPS, which RADIUS Compatibility Mode and MAC Delimiter are correct?

 

 

Under the WLAN, select your NPS server under the AAA servers.

For NPS I believe that Cisco ACS and colon delimiter is correct.

To determine which mode you need, you need to know what the NPS RADIUS server is expecting as the password for the MAC auth.
ACS expects to see the username and password both be the MAC address for MAC authentication.
FreeRADIUS uses a shared secret for a password.
And other RADIUS servers don't require any password for MAC auths sent to the server.


@Haydn Andrews

I also have to check the "MAC Filtering" box under Layer 2 Security, don't I?

 

What do you mean by password for the MAC auth?

My NPS server is installed on my domain controller with Active Directory. So my intention is to create a user that has the MAC address as username and password, without colons, for example: 00a24455d223.

Then I want to add that user to a domain group. In the NPS I want to create a network policy with the condition "Windows Groups". I then choose the group that contains the MAC address users (as I said before).

Do you think that works?

When you're doing MAC auth with RADIUS, the WLC sends a username and password to the RADIUS server.

If you select mode Cisco ACS it uses the client MAC address for both the username and password. If you're configuring this on AD and having NPS check this, then that will work.

Check the delimiter matches how you plan to enter these.

 

Is your plan to also look at user auth, or are you only concerned with the MAC auth?

If you're looking at both, you could use RADIUS rules (now I can't talk for NPS as my RADIUS experience is limited to ISE) where the auth is against the user's credentials but you also use the client MAC address to define the authorisation policy.

 

cheers

Haydn

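Added example (not from this thread, and not Cisco's or Microsoft's code): the AD side of the plan discussed above, scripted in PowerShell. It accepts MAC addresses in any common notation, rewrites each one into exactly the string the WLC sends as User-Name and User-Password in Cisco ACS compatibility mode for the chosen MAC Delimiter, and creates the accounts plus the group the NPS network policy will match on. Two checks are built in that the thread only touches on: a sAMAccountName cannot contain ":", so the colon delimiter cannot be used when the accounts live in AD (None, Hyphen or Single-Hyphen work), and the password is identical to the account name, which the default domain complexity rule rejects, so the group gets a fine-grained password policy with complexity switched off. The OU, group name, PSO name and the two devices are assumed values.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread: bulk-create the MAC-address accounts
# that NPS/AD will check when the WLC runs MAC filtering in "Cisco ACS" mode
# (User-Name = User-Password = client MAC). OU, group, PSO name and the device
# list below are assumed values.

$MacOu     = 'OU=MAC-Auth,DC=example,DC=local'   # assumed OU
$MacGroup  = 'WLAN-MAC-Devices'                   # group the NPS policy matches on
$PsoName   = 'PSO-MAC-Auth'                       # fine-grained password policy
$Delimiter = 'None'   # must equal Security > MAC Filtering > MAC Delimiter on the WLC

# Constructed sample inventory; any common MAC notation is accepted.
$Devices = @(
    @{ Mac = '00:A2:44:55:D2:23'; Description = 'Lobby printer' },
    @{ Mac = '00a2-44ff-ee10';    Description = 'Badge reader'  }
)

function Format-MacForWlc {
    # Return the exact string the WLC puts in User-Name/User-Password for the
    # given MAC Delimiter setting (Colon, Hyphen, Single-Hyphen or None).
    param(
        [Parameter(Mandatory)][string]$Mac,
        [ValidateSet('Colon', 'Hyphen', 'SingleHyphen', 'None')][string]$Delimiter = 'None'
    )
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "Not a MAC address: $Mac" }
    switch ($Delimiter) {
        'Colon'        { $hex -replace '(..)(?!$)', '$1:' }   # 00:a2:44:55:d2:23
        'Hyphen'       { $hex -replace '(..)(?!$)', '$1-' }   # 00-a2-44-55-d2-23
        'SingleHyphen' { $hex.Insert(6, '-') }                # 00a244-55d223
        'None'         { $hex }                               # 00a24455d223
    }
}

# sAMAccountName may not contain ':', so colon-delimited usernames cannot be
# created as AD accounts; fail early rather than at New-ADUser.
if ($Delimiter -eq 'Colon') {
    throw 'sAMAccountName cannot contain ":"; set the WLC MAC Delimiter to None, Hyphen or Single-Hyphen.'
}

# Group for the NPS "Windows Groups" condition.
if (-not (Get-ADGroup -Filter "Name -eq '$MacGroup'")) {
    New-ADGroup -Name $MacGroup -GroupScope Global -Path $MacOu -Description 'WLC MAC-filtering accounts'
}

# Password = account name fails the default complexity rule, so scope a
# fine-grained password policy with complexity off to this group only.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 -ComplexityEnabled $false `
        -MinPasswordLength 12 -PasswordHistoryCount 0 -LockoutThreshold 0
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $MacGroup
}

foreach ($device in $Devices) {
    $mac = Format-MacForWlc -Mac $device.Mac -Delimiter $Delimiter
    if (Get-ADUser -Filter "SamAccountName -eq '$mac'") {
        Write-Host "$mac already exists, skipping"
        continue
    }
    # Create disabled and join the group first so the PSO is in force when the
    # password is set; then set the MAC as the password and enable the account.
    New-ADUser -Name $mac -SamAccountName $mac -Path $MacOu -Description $device.Description -Enabled $false
    Add-ADGroupMember -Identity $MacGroup -Members $mac
    Set-ADAccountPassword -Identity $mac -Reset -NewPassword (ConvertTo-SecureString $mac -AsPlainText -Force)
    Set-ADUser -Identity $mac -PasswordNeverExpires $true -CannotChangePassword $true
    Enable-ADAccount -Identity $mac
    Write-Host "$($device.Mac) -> WLC sends User-Name=$mac User-Password=$mac"
}
```

On the NPS side the network policy then needs the condition Windows Groups = WLAN-MAC-Devices and, so that it does not also catch 802.1X user logons on the same WLAN, Service Type = Call Check (the attribute the WLC sets on MAC-filtering requests; ISE's built-in Wireless_MAB condition keys on the same thing), with "Unencrypted authentication (PAP, SPAP)" allowed as an authentication method, because the WLC submits these credentials with PAP. Keep in mind what these accounts are: their passwords are public knowledge and a MAC address is trivially spoofed, so MAC filtering identifies a device but does not authenticate it; the accounts should carry no privileges beyond matching this one policy, and anything that needs real authentication belongs on the 802.1X user policy.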

And I need to check that box, right?

 

(attached screenshot: wlan.JPG)

Correct.
