cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
39101
Views
15
Helpful
52
Replies

Ask the Expert: Wireless LAN Security

Monica Lluis
Level 9
Level 9

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and any ask questions about how to secure a wireless network with Cisco expert Roman Manchur

Wireless networks have became pervasive in today's world. Cisco offers very strong wireless porfolio that helps business to connect to the Internet anywhere anytime. Network managers need reassurance that solutions are available to protect their WLANs from these vulnerabilities and that WLANs can provide the same level of security, manageability, and scalability offered by wired LANs.

This session will focus on answering question regarding how to deploy, configure and troubleshot security in  a wireless network and also the common pitfalls and issues that might happen in an installed secured wireless network. 

To participate in this event, please use the Join the Discussion : Cisco Ask the Expert button to ask your question.

Ask questions from Monday June 20  to Friday July 1st , 2016

Roman Manchur is a Customer Support engineer in the Cisco Technical Assistance Center in Cisco Brussels.  He is expert on any wireless products, including Wireless LAN controllers and Access Points, as well as in many security products and technologies, including IBNS, ISE, ACS4.x/ACS5.x, AAA Security, RADIUS,  and TACACS. Roman  has over 8 years of experience in IT. He joined Cisco in 2011. Prior to Cisco he worked at Priocom, Pysus, Aricent and Telread. Roman holds a CCIE in Wireless (#47699) and a Master in Sciences in Telecommunications and IT from the National University Lviv Polytechnic.

Roman might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security and Network Management  Community

Find other  https://supportforums.cisco.com/expert-corner/events.

**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions

I hope you and your love ones are safe and healthy
Monica Lluis
Community Manager Lead
2 Accepted Solutions

Accepted Solutions

Pradeep S.R.
Level 5
Level 5

Hi Roman,

We are using Anyconnect 4.2.02075 and ISE 1.4 version and  all of sudden we seeing the certificate errors for some wireless(MAC OS) users.

issue : client is trying to trust PSN local certificate but which is not configured for EAP authetication at all.

how user is getting the response to trust the cert which is not configured??

Error screenshot attached.

 

View solution in original post

Hi Michael,

Please, refer to following guide regarding rogue detection and management:

http://www.cisco.com/c/en/us/td/docs/wireless/technology/roguedetection_deploy/Rogue_Detection.html#wp44449


A rogue is essentially any device that is sharing your spectrum, but is not in your control. This includes rogue Access Points (APs), wireless router, rogue clients, and rogue ad-hoc networks.


...


If probe response or beacons from a rogue device are heard by either local mode, FlexConnect mode, or monitor mode APs, then this information is communicated via CAPWAP to the Wireless LAN controller (WLC) for processing. Rogue device can be identified regardless of its SSID is broadcast or not. In order to prevent false positives, a number of methods are used to ensure that other managed Cisco-based APs are not identified as a rogue device. These methods include mobility group updates, RF neighbor packets, and white listing autonomous APs via Cisco Prime Infrastructure (PI).


Therefor those APs that aren’t joined to your 3850 and are seen by other APs that are joined with this controller are identified as rogues.
Rogue detection has no impact on wireless client connectivity unless you also have containment enabled for rogue APs.
If auto containment is on WLC then you need to disable it in order not to impact client connectivity to those others APs.
In case it’s already disabled, then there must be some other reasons for client connectivity problems, you may need to enable system traces on WLC to troubleshoot connectivity problems:

Enable these traces in order to obtain the L2 auth logs:

    set trace group-wireless-secure level debug
    set trace group-wireless-secure filter mac <client-mac-address>

Enable these traces in order to obtain the dot1X AAA events:

    set trace wcm-dot1x aaa level debug
    set trace wcm-dot1x aaa filter mac <client-mac-address>

Enable these traces in order to receive the DHCP events:

    set trace dhcp events level debug
    set trace dhcp events filter mac <client-mac-address>

Enter the show trace sys-filtered-traces command in order to view the traces:

Enable these traces in order to disable the traces and clear the buffer:

    set trace control sys-filtered-traces clear
    set trace wcm-dot1x aaa level default
    set trace wcm-dot1x aaa filter none
    set trace group-wireless-secure level default
    set trace group-wireless-secure filter none

View solution in original post

52 Replies 52

muhsi_2015
Level 1
Level 1

Hi,

What are the policies need to be applied  on an ssid (open)which is redirecting a user to an ise portal page ? 

for example post and pre authentication acl 

Thanks

Hi Muhsi,

Thanks for your question.

It depends what type of authentication with redirection are you trying to configure and on what platform. I will try to cover all scenarios in the response below.

  1. In case you are talking about CWA (central web auth) configurarion, you will need configure WLAN profile with MAC authentication / AAA override and RADIUS NAC. Redirect-ACL has also be configured on WLC and it must allow access to DNS and ISE servers and also can allow access to any additional resources that are considered to be accessible by your local security policy for users in pre-authentication state.  After initial MAC authentication, ISE will send redirect-ACL and redirect-URL in corresponding RADIUS AV-pairs. Any traffic that is denied in Redirect-ACL will be redirected to login portal on ISE. More details on that type of access can be found via this link: WLC CWA with ISE
  2. In case you are interested in LWA with redirection to external login portal, then you need configure web-authentication policy on WLAN profile and assign corresponding Redirect-ACL  directly to SSID configuration. Redirect-URL can either be defined in global configuration or over-ride on WLAN. Details regarding on LWA configuration with external portal can be found via following link: WLC LWA with ISE

Those configuration follow the same logic, though different command syntax, with IOS XE controllers (the major difference is  with ACL entries, with IOS XE controllers traffic that is permitted without redirection is defined with 'deny' statements).

  1. CWA configuration on 3650/3850/5760: CWA configuration on NGWC
  2. LWA configuration on 3650/3850/5760: LWA configuration on NGWC

Post authentication ACL defines what resources are available to client after web-authentication is performed, it's regulated by your company security policies requirements.

Hi Roman.

Thanks 
In the ACL-REDIRECT the below ace meaning

eans do not redirect dns request and redirect any www ?
deny udp any any eq domain
permit tcp any any eq www

What about the postauthentication acl ,
Where should I apply the postauth ACL
Is it ok applying it on the core switch interface vlan ?

Thanks

Hi Muhsi,

Correct, given that you have following entries in ACL-REDIRECT:

deny udp any any eq domain
permit tcp any any eq www

means don't redirect DNS traffic, but redirect all HTTP traffic

Post-authentication ACL is also defined on controller as it will be sent to WLC / NGWC in RADIUS AV-pairs during authorization phase, since policy enforcement are done on controller per client session and not on core switch. In that ACL you define traffic that is permitted with 'permit' statement and traffic that needs to be dropped with 'deny'.

Hi,

Can you give an example for  post-authentication acl and how do we assign the post-acl in ise

Thanks

Hi Muhshi,

Example can be simple as this:

Extended IP access list post-auth
    10 permit ip any any

Can be more restrictive, allowing internet access only:

Extended IP access list post-auth
    10 deny ip any 192.168.0.0 0.0.255.255
    20 deny ip any 172.0.0.0 0.31.255.255
    30 deny ip any 10.0.0.0 0.255.255.255

Again, as I mentioned earlier all depends on the access restrictions you want to enforce for the guest users or users connected with web-auth.

As for configuration, that ACL (post-auth) ACL can also be configured on the controller and sent back during authorization, in that case it's configured as either of below parameters (depending on WLC platform) under corresponding authorization profile on ISE in 'Common Tasks' section:

  • 'Filter-ID' --- for IOS XE controllers
  • 'Airespace --- ACL Name' for Aironet WLCs

With IOS XE controllers you can also use dynamic ACL assignment, in that case ACL is defined on ISE which is more scalable option as only one instance of ACL is kept on central AAA server, rather independent ACLs per WLC.

In attached documentation you can find more details on dACL functionality and configuration details.

Hi Roman,

I have a customer with a small site, only 7 APs managed by a pair of 2504 WLCs running 8.0.133. I recently updated the controller software so they could support new 3702 APs, and moved them from Prime Infrastructure 1.3 to 3 at the same time. Naturally, that caused a flood of questions!

The 2504s run AP-based HA, so the WLCs can get out of synch in terms of local users and their credentials, because they are effectively running as stand-alone controllers.

Is there any way of using Prime (or anything else!) to automatically synchronize the users/credentials across the two WLCs?

Hi Roman 

1 - I have a vWLC running 8.2 code, in a densely populated office. Recently the vWLC RRM features has been putting 2600 APs on the same channel on the 802.1a interface.

What would cause this to happen? 

2 - In the SNMP trap logs I see many instanced where 'Rogue AP are removed from Base Radio MAC'. What does this mean?

3- The SNMP Trap logs are not sent to syslog , why is this? I have set syslog to debug level. How can I get SNMP trap logs sent to syslog? 

Hi Mohamed,

Thanks for your questions.

  1. Is the issue specific to 2602 APs? What channel APs are set to? I would recommend following in this case, on WLC under 'Management -> SNMP -> Trap Controls -> Auto RF' enable 'Channel Update' traps.  Then whenever you get channel update on AP, WLC will also log the reason behind the change in traplogs and you can view it with either 'show traplog' or in UI under 'Management -> SNMP - Trap Logs>'.
  2. For that one can you paste example of the exact trap you are getting?
  3. Looks are confusing SNMP and SYSLOG, those are two separate protocols. SNMP traps are need to be sent to NMS (Network Management System) or to Trap receiver server.

    Hi,

    As per my understanding you running 2x 2504 in 1+1 redundancy and you want to keep configuration synchronized between WLCs.

    That platform doesn't support SSO redundancy, so you have to be sure to apply same configuration on both WLC.

    I would recommend you to use Prime infrastructure to define WLC templates and apply those templates to WLCs from PI, please refer to the link below regarding template configuration for local mgmt users in PI:

    http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-0/user/guide/pi_ug/config-temp.html#62301

    Let me know if that helps.

    Hi Roman,

    Your description of the use of N+1 redundancy is correct, but sorry, my description was not as clear as it could have been!

    These are not management users: When new WLAN users attempt to associate with the AP, the WLCs present a splash page to which the users have to add their username/password to be allowed to associate with the AP.

    To summarise, I want to be able to use PI to replicate what the Lobby Ambassador sees on one WLC on the other, so that if one WLC fails, the users logon is available on the other automatically

    Hi Jblake,

    So the question was about local netuser accounts on WLC for guest authentication.

    First you will need to sync-up current configuration on both controllers for that:

    1. In WLC CLI "config passwd-cleartext enable"; that will disable account passwords encryption
    2. Then in CLI use 'show run-config commands' and from output provided you can get guest account configuration commands, e.i:
      • netuser add guest1 cisco123 wlan 0 userType guest lifetime 3600 description test_guest

         netuser add guest2 cisco345 wlan 0 userType guest lifetime 1800 description
    3. Do the same with other controller.
    4. Then using some text editor tool create unified configuration for guest accounts, copy and paste it to each WLC.
    5. Enable password encryption "config passwd-cleartext disable"

    After that I would recommend you to use Prime Infrastructure Ambassador Account for centralized management of guest accounts on WLCs.

    http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-0/administrator/guide/PIAdminBook/maint_user_access.html#86231

    Let me know if that helps or should you have any questions.

    Hi Roman,

    The first part of the advice works well, and allows me to manually duplicate netusers on each WLC and thereby synchronise them. However, I must have missed the point with regards using the Ambassador account. The manual says:

    Step 1 Log in to Prime Infrastructure as a lobby ambassador.

    Step 2 Choose Select a command > A dd User Group > Go.

    which makes perfect sense, but when I try to select the "Add User Group", its not there: see attached screenshot

    Am I doing something wrong, or is the manual at fault?

    Hi Jblake,

    It's mistype in manual, has to be written as  'Add Guest User' option'.

    Review Cisco Networking for a $25 gift card