Showing results for 
Search instead for 
Did you mean: 
Community Manager

Ask the Expert: Wireless LAN Security

Wireless LAN SecurityWith Jeal JimenezATE_Discussion-New-Icon_Nov2012_v2.png

Welcome to the Cisco Support Community Ask the Expert conversation.  This  is an opportunity to learn and ask questions about about how to implement, configure, and troubleshoot WLAN security with expert Jeal Jimenez. 

Our expert will also discuss how WLAN security works and the different security methods that are available and implemented on enterprise WLANs to validate clients and protect their traffic along with the network. 

Jeal Jimenez is a customer support engineer for the Cisco High-Touch Technical Support department specializing in wireless LAN technology. Prior to joining the HTTS department, he worked as a customer support engineer focused on wireless LAN in the Technical Assistance Center before he was promoted to an escalation leader and trainer, working also as a Cisco lab admin during these years. Jeal's technical expertise in the area of wireless LAN technologies spans more than seven years, and he also contributed to Cisco documentation and to the CCIE Wireless written exam. He holds a bachelor's degree in systems engineering from Universidad Latina in Heredia, Costa Rica. Jeal also holds the certifications CCNA, CWNA, CWSP, CCNP, and CCIE wireless (# 31554).

Remember to use the rating system to let Jeal know if you've received an adequate response. 

Because of the volume expected during this event, Jeal might not be able to answer every question. Remember that you can continue the conversation in the Wireless - Mobility community, subcommunity, Security and Network Management, shortly after the event. This event lasts through October 18, 2013. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.



Hi Andrew,

I will need to do some troubleshooting to confirm that they are actually false positives, confirming the specific "attack" type and if it is actually a valid client as clients can also be impersonated like APs (perhaps getting some packet captures and checking the client behavior during the period the attack is reported)... But I can definitely tell you that some crowded environments and bad client behaviors could generate these false positives (bad client software/drivers as mentioned before, or bad client setup with credentials that keep failing to connect, or that decide to send deauthentications/dessasociations to leave the WLAN, or that send multiple probes just because they have a lot of WLAN profiles configured/learned or a software installed for this, etc.).

The document I shared about the wIPS deployment guide has some tables with the specific features and signatures added with the Adaptive wIPS or even with CleanAir APs, so I will recommend checking that for a more detailed list. What I can tell you is that most are related to DoS attacks as you mentioned, but remember that some of them could be related with actual threats to the network (for example, dictionary attacks trying to guess the password for some of your users, so they can then get access to your network using valid credentials).

Those "dictionary attacks" can be avoided with the exclusion feature, so you don't really need Adaptive wIPS for this.


- If you are not really concerned about those type of "wireless/RF specific attacks" (most of them DoS, as they basically attack the RF and 802.11 behaviors), then it is up to your security policies if you want to configure your setup to continue reporting these alarms or not.

- Also, if you already have a very good security implemented for your WLAN (strong EAP authentication tunneling the credentials or using certificates for example, and with WPA2 for key management encrypting with AES-CCMP), then I would say that your WLAN is secure enough and real attacks (other than DoS or password guess) can't really happen to your network from the wireless infrastructure (yes, WLANs are this secure nowadays if using proper authentication/encryption), but I would need to analyze your entire deployment and security policies (penetration tests) to confirm that you are completely secure

- Firewalls or wired IPS, or even WLC's Applications Visibility should be able to analyze traffic for valid clients already connected to the network if this is a concern (excluding the client as well or dropping traffic if needed; this doesn't need Adaptive wIPS).

If you want to share more details of your WLAN to get more feedback or if I didn't address some of your concerns, please feel free to let me know.



Hi Jeal,

Please help me with this scenerio:

- I have WiSM2 in 6509-E, I have configured 4 SSID

- I want that some users can login to WiFi network only with one device per-time. I know I can set it globaly on the WLC - Security > User Login Policies.  change that value from 0(unlimited) to 1.

- But I need VIP users can login with more than one device per-time. In add, in one SSID we don´t need the restriction for number of devices.

Thanks in advance.

Jorge Coveñas

Hi Jorge,

As you have noticed, the User Login Policies feature on the WLC is the one we have for this type of Max-Sessions restriction per user; however, this is a global setting and applies to all SSIDs, so there is really nothing that could be configured on the WLC to do exactly what you need.

What I can tell you is that you might be able to achieve this specific setup that you need (basically based on SSID, with Max sessions configured for some SSIDs and unlimited on the VIP SSID) but configuring the restrictions based on policies on the Authentication Server side. I remember this was possible on ACS 4.x and probably 5.x using SSID restrictions, but as far as I know, this is only possible on ISE for the guest users...

So if you have a Cisco RADIUS Server, I will recommend you to open a TAC case with the AAA team asking for assistance to setup this specific restriction based on your needs. If it were not supported on the specific server/version you have, you might be able to ask for the feature (in this case you could also get in touch with your Cisco account team to drive a Product Enhancement). If you are using a third-party RADIUS Server to perform the authentication on your WLANs, then I will recommend checking their documentation (or contacting their support) to check if this type of Max-sessions per user restriction is possible on their server.




Hi Jeal,

Is there a way to deploy Radius authentication using Microsoft 2003 or 2008 server(Only IAS/NPS) without installing any certifiacte on Server side.

What type of security types does controller supports(eg EAP-TlS,EAP-TTLS, MsCHAPv1 etc)

Is it possible to use CHAP or MsCHAP without using PEAP(without using them as inner method.)



Hello Kamal,

I will recommend you to read the second answer I provided on this event (Oct 7 answering to Evan), so you can better understand how secure authentication (802.1X/EAP) works on a WLAN.

To answer your specific question, no, you can't really deploy any authentication method for WLANs on the Windows 2003/IAS or Windows 2008/NPS servers without using certificates.

That is basically because those Windows servers only support EAP methods for WLANs (PEAP and EAP-TLS) that require certificates at least on the server side; hence the requirement of the PKI to have a CA issuing at least the server certificate (good news is that you normally use the same Windows server as the CA).

EAP-TLS requires the certificate on the server and on the clients since they will be authenticated based on this type of client credentials (a certificate).

PEAP can authenticate the clients using other type of credentials (such as AD username/password), but the certificate on the server is still required as this one is used to build a TLS tunnel between the client and the RADIUS Server in order to protect the client credentials during the authentication handshake (the P on PEAP actually stands for protected: Protected EAP; hence the server certificate, to protect the client credentials on a TLS tunnel).

You don't really need to worry about what type of authentication method is supported by the WLC, as this is not actually defined or limited by the Authenticator (we could say that the WLC/AP don't worry about the authentication method), but as I explained to Evan on my other answer, the specific authentication method to be used is defined on the wireless client and the RADIUS Server... So the question here is about what 802.1X/EAP authentication methods are used on WLANs, and mainly what methods are supported by your RADIUS Server and the supplicant of your wireless clients (the limitation about the EAP method to be used is actually found here).





can you please tell me if I need two AP licenses if I have two

AIR-CT2504-HA-K9 working in HA mode?

Do I need additional software for HA (Prime NCS) or is the included software enough?

Hi Smailmalik,

Yes as 2504 only supports n+1 HA and does not support AP sso.

If you plan on making other controller as backup you need another licence.

Please check document given below for N+1 HA licensing.

Q. What behavior can I get with the -HA SKU on the Cisco 2504 Wireless Controller (CT2504)?

A. Starting 7.5, the HA SKU on the Cisco 2504 can operate only in N+1 mode. It does not support access point or client SSO.

And please post question in correct discussion, this is WLAN security discussion.




if I have one AIR-CT2504-15-K9and one AIR-CT2504-HA-K9which can work only as secondary/backup WLC

then I don't need an second license?

I read this on this document


Standby Controller Licensing



Do I need to buy access point licenses on my standby controller?

A. No. When the active controller is unavailable, the standby controller will adopt the licenses from the primary controller. It is expected that the customer will be able to get the primary controller back online within 90 days. After 90 days, the customer will get a daily reminder to switch back to the primary controller."

Hi Smailmilak,

Even when the 2500 WLC can't really do AP/client SSO HA, the 2500 HA SKU (AIR-CT2504-HA-K9) can be purchased to be used as the secondary/backup WLC on the N+1 HA setup mentioned on the document you referenced.

So regarding your specific question, no, you don't need any license on the 2500 HA SKU as the HA part is already licensed from factory to support the maximum amount of APs for the specific WLC model (as it is supposed to be used as a backup, so that's why you get the reminder about switching back the APs to the primary WLC, which is the only controller that should have a license for the specific amount of APs that you need).



Great, thank you.

The reminder is just a reminder and the backup WCL will not stop to work after a 90+ days?

Hi Smailmilak,

Just a reminder because you shouldn't be using this HA WLC as the only primary WLC for your APs... But the WLC won't stop working after this period.




i've got a upcoming poc for a guest access solution and the scenario looks like this:

Guest Access with Captive Portal -> Internet only

Internal users with Captive Portal -> Internet only

Here is the deal:

How to avoid the reauthentication for internal users and stop them from using their private phones?

One idea was an MDM integration with Cisco ISE and check if the devices are registered in MDM, but i guess with an CWA "sleeping client" doesnt work ?!
The other idea is to make whitelist on Cisco ISE but how to keep it updated without alot of work?

5508 controller 7.5
Airwatch MDM
Cisco ISE

Any ideas?

Thanks in advance


Sent from Cisco Technical Support iPad App

Sent from Cisco Technical Support iPad App


When you say simple and your talking about NAC and MDM policies with personal devices I don't think you can use simple in that discussion. Especially not if your controlling a personal phone let alone a business provided phone. I actually use a third party radius (nac) but I am sure ISE can do the same thing where you use its profiling capabilities to determine if the device is corporate or personal. What are you planning to manage on personal devices are you going to tell them what they can and cannot install? Do you need to do that if it is internet only? We provide internet only and we do not manage personal devices.


Hi Sebastian,

I honestly don't have too much experience with all the features and possibilities available on the ISE, so I am actually struggling with this request, but I will share my thoughts about this...

First, I am not sure if the sleeping client feature will affect this setup when trying to do it with MDM integration; I don't see why this should be a problem, so you could try it.

Regarding a whitelist on Cisco ISE, this is definitely a possibility, but surely a lot of work that can't be avoided unless you can do something like this:

Configure the MAB_Auth policy for the wireless captive portal on the ISE to use also "Internal Endpoints". Once the policy is configured to match Internal Endpoints, then you just need to make sure that the Internal Endpoints for this policy are only the devices that you want to allow for the Internal users without permitting smartphones for example (based on Profilling).

Regarding your question about how to avoid reauthentication for Internal users, I am not sure if I understood this correctly, but you can't really avoid this since this would be a security issue; once the clients have left (after the sleeping client timeout for example), they are basically removed from the client's list, so they should reauthenticate to the Web-Auth portal if they later come back...



Thank you for your replies.


Only corporate devices will be managed. So with the integration of MDM in ISE i can filter the managed devices.
Private devices are not going to have any wifi.


We want to reduce the reauthentications. So sleeping client would be a nice feature to use. My concern is that when we use ISE and its captive portal that this feature is not going to work. Profiling could be a solution, but I'm not sure it will work a 100%.



Sent from Cisco Technical Support iPad App

Recognize Your Peers
Content for Community-Ad