Ask the Expert: Wireless LAN Security

Monica Lluis
Level 9

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask any questions about how to secure a wireless network with Cisco expert Roman Manchur.

Wireless networks have become pervasive in today's world. Cisco offers a very strong wireless portfolio that helps businesses connect to the Internet anywhere, anytime. Network managers need reassurance that solutions are available to protect their WLANs from these vulnerabilities and that WLANs can provide the same level of security, manageability, and scalability offered by wired LANs.

This session will focus on answering questions regarding how to deploy, configure and troubleshoot security in a wireless network, and also the common pitfalls and issues that might happen in an installed secured wireless network.

To participate in this event, please use the Join the Discussion: Cisco Ask the Expert button to ask your question.

Ask questions from Monday June 20 to Friday July 1st, 2016

Roman Manchur is a Customer Support Engineer in the Cisco Technical Assistance Center in Cisco Brussels. He is an expert on all wireless products, including Wireless LAN Controllers and Access Points, as well as in many security products and technologies, including IBNS, ISE, ACS 4.x/ACS 5.x, AAA Security, RADIUS, and TACACS. Roman has over 8 years of experience in IT. He joined Cisco in 2011. Prior to Cisco he worked at Priocom, Pysus, Aricent and Telread. Roman holds a CCIE in Wireless (#47699) and a Master of Sciences in Telecommunications and IT from the National University Lviv Polytechnic.

Roman might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in the Security and Network Management Community.

Find other events: https://supportforums.cisco.com/expert-corner/events.

**Ratings Encourage Participation!**
Please be sure to rate the answers to questions.

I hope you and your loved ones are safe and healthy.
Monica Lluis
Community Manager Lead
52 Replies

Hi Mahmoud,

Thanks for your question.

The error message you are referring to is a Prime Infrastructure alarm; it informs you that there was a radio reset event on the specified AP, hence the 5GHz radio interface flapped (changed to down and back to the up state).

Having only the PI alarm message won't show the real reason for the issue, as it happened on the AP and there are multiple reasons that cause a radio reset on an AP.

You will need to log in to the AP CLI, either via Telnet/SSH or via console, and check whether you have high radio reset counts as well as the last reset occurrence with the command "show controllers dot11Radio 1 | be radio reset", then correlate the time with the alarm you have in PI.

In case you indeed have radio resets at the time PI generates the corresponding alert, enable radio core files to be created on the next reset event; given that the issue is seen on the 5GHz interface only, use the following command: "debug dot11 d1 save-on-failure"

After another radio reset happens, collect the following information from the AP:

  1. 'show tech'
  2. 'show trace dot11_rst'
  3. 'more event.log'
  4. Transfer the radio event log and radio core file from AP flash to a TFTP server:
    1. debug capwap console cli
    2. copy flash://event.r1 tftp://<path>
    3. copy flash://r1.rcore tftp://<path>

Once you have that information, please open a TAC service request and provide the collected logs, 'show tech' output and core files for further investigation.

Hi Roman,

We have several wireless access points connected to a 3850 controller. We also have several access points that are not controlled by the 3850. They are, however, using the same SSIDs and VLANs (corporate and guest).

We have connectivity issues, and the clients frequently associate but then stop working.

There are strange messages in the logs on the 3850 about rogue APs that are actually tracked down to access points that are ours but aren't part of the 3850-configured network.

What would you recommend?

%RRM-6-FAILEDINTPROFILE:Switch 1 R0/0: wcm:  Radio Resource Management: RRM Interference profile threshold has been violated on 802.11bg AP 

*%LWAPP-3-REPLAY_ERR:Switch 1 R0/0: wcm:  Received replay error on slot 0, WLAN ID 1, count 1 from AP

*%RRM-6-FAILEDLOADPROFILE:Switch 1 R0/0: wcm:  Radio Resource Management: RRM Load profile threshold has been violated on 802.11bg AP

*%APF-3-PREAUTH_FAILURE:Switch 1 R0/0: wcm:   There is no PMK cache entry for client48e9.f1af.9893. Can't do preauth

*%APF-4-ROGUE_CLIENT_UPDATE_FAILED:Switch 1 R0/0: wcm:  Could not update rogue AP x.x.x with rogue client x.x.x information. Maximum number of 16 rogue clients per rogue AP exceeded

Hi Michael,

Please refer to the following guide regarding rogue detection and management:

http://www.cisco.com/c/en/us/td/docs/wireless/technology/roguedetection_deploy/Rogue_Detection.html#wp44449

A rogue is essentially any device that is sharing your spectrum but is not in your control. This includes rogue Access Points (APs), wireless routers, rogue clients, and rogue ad-hoc networks.

...

If probe responses or beacons from a rogue device are heard by either local mode, FlexConnect mode, or monitor mode APs, then this information is communicated via CAPWAP to the Wireless LAN Controller (WLC) for processing. A rogue device can be identified regardless of whether its SSID is broadcast or not. In order to prevent false positives, a number of methods are used to ensure that other managed Cisco-based APs are not identified as rogue devices. These methods include mobility group updates, RF neighbor packets, and white listing autonomous APs via Cisco Prime Infrastructure (PI).

Therefore, those APs that aren't joined to your 3850 and are seen by other APs that are joined to this controller are identified as rogues.
Rogue detection has no impact on wireless client connectivity unless you also have containment enabled for rogue APs.
If auto containment is on on the WLC, then you need to disable it in order not to impact client connectivity to those other APs.
In case it's already disabled, then there must be some other reason for the client connectivity problems; you may need to enable system traces on the WLC to troubleshoot connectivity problems:

Enable these traces in order to obtain the L2 auth logs:

    set trace group-wireless-secure level debug
    set trace group-wireless-secure filter mac <client-mac-address>

Enable these traces in order to obtain the dot1X AAA events:

    set trace wcm-dot1x aaa level debug
    set trace wcm-dot1x aaa filter mac <client-mac-address>

Enable these traces in order to receive the DHCP events:

    set trace dhcp events level debug
    set trace dhcp events filter mac <client-mac-address>

Enter the show trace sys-filtered-traces command in order to view the traces:

    show trace sys-filtered-traces

Enter these commands in order to disable the traces and clear the buffer:

    set trace control sys-filtered-traces clear
    set trace wcm-dot1x aaa level default
    set trace wcm-dot1x aaa filter none
    set trace group-wireless-secure level default
    set trace group-wireless-secure filter none
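The messages quoted in the question above are standard IOS syslog lines (%FACILITY-SEVERITY-MNEMONIC), and the reply's point is that the ROGUE_* ones describe detection of APs the 3850 does not manage, while the APF client-state ones name the client MAC you would feed to the per-MAC `set trace ... filter mac` commands. The following added example (my own code, not from the thread or from Cisco) parses a constructed copy of those lines, buckets them by subsystem and severity, and pulls out the client MACs worth tracing. The sample MACs are documentation-range values, and the triage buckets are my own assumption about how to group the facilities seen here.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample, modelled on the 3850 messages quoted in the question above.
# MAC addresses are from the documentation range 0000.5e00.53xx, not real clients.
SAMPLE_LOG = """\
%RRM-6-FAILEDINTPROFILE:Switch 1 R0/0: wcm:  Radio Resource Management: RRM Interference profile threshold has been violated on 802.11bg AP
*%LWAPP-3-REPLAY_ERR:Switch 1 R0/0: wcm:  Received replay error on slot 0, WLAN ID 1, count 1 from AP
*%RRM-6-FAILEDLOADPROFILE:Switch 1 R0/0: wcm:  Radio Resource Management: RRM Load profile threshold has been violated on 802.11bg AP
*%APF-3-PREAUTH_FAILURE:Switch 1 R0/0: wcm:   There is no PMK cache entry for client0000.5e00.5301. Can't do preauth
*%APF-4-ROGUE_CLIENT_UPDATE_FAILED:Switch 1 R0/0: wcm:  Could not update rogue AP 0000.5e00.5302 with rogue client 0000.5e00.5303 information. Maximum number of 16 rogue clients per rogue AP exceeded
"""

# IOS syslog header: optional leading '*' as seen in the quoted lines, then %FACILITY-SEVERITY-MNEMONIC:
HEADER_RE = re.compile(
    r"^\*?%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):(?P<rest>.*)$"
)
# Dotted-quad MAC as the WLC prints it; may be glued to the preceding word ("client48e9....")
MAC_RE = re.compile(r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}")

SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notice", 6: "informational", 7: "debug"}


@dataclass
class WlcEvent:
    facility: str
    severity: int
    mnemonic: str
    message: str
    macs: list = field(default_factory=list)

    @property
    def category(self):
        """Coarse triage bucket (assumed grouping). ROGUE_* messages report detection of APs
        this controller doesn't manage; by themselves they are not a client-connectivity fault."""
        if "ROGUE" in self.mnemonic:
            return "rogue-detection"
        if self.facility == "APF":
            return "client-state"
        if self.facility == "RRM":
            return "rf-profile"
        if self.facility in ("LWAPP", "CAPWAP"):
            return "ap-tunnel"
        return "other"


def parse_wlc_log(text):
    """Parse syslog lines into WlcEvent records; non-syslog lines (prompts, banners) are skipped."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        # Drop the "Switch 1 R0/0: wcm:" process prefix the 3850 prepends to the message text
        message = m.group("rest").split("wcm:", 1)[-1].strip()
        events.append(WlcEvent(
            facility=m.group("facility"),
            severity=int(m.group("severity")),
            mnemonic=m.group("mnemonic"),
            message=message,
            macs=MAC_RE.findall(line),
        ))
    return events


def triage(events):
    """Summarise: counts per category and severity, plus client MACs from client-state messages
    (the values you would put into 'set trace ... filter mac <client-mac-address>')."""
    by_category = Counter(e.category for e in events)
    by_severity = Counter(SEVERITY_NAMES[e.severity] for e in events)
    client_macs = sorted({mac for e in events if e.category == "client-state" for mac in e.macs})
    return {"by_category": dict(by_category),
            "by_severity": dict(by_severity),
            "client_macs": client_macs}


if __name__ == "__main__":
    evs = parse_wlc_log(SAMPLE_LOG)
    for e in evs:
        print(f"{SEVERITY_NAMES[e.severity]:13} {e.category:16} {e.mnemonic}")
    print(triage(evs))
```

Run against a real `show logging` capture, the `client_macs` list is the set of stations to filter the traces on, and the category counts separate rogue-detection noise from the APF and CAPWAP messages that actually describe client or AP state.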

routexpert
Level 1

Hi Roman,

Does the 5500 series controller support hosting HA pairs across remote sites?

I'm looking to deploy 2 controllers in HA pair and a third at a remote site using ISE 2.0 as AAA.

What are the pre-requisites to consider?

Thanks

Hi routexpert,

AP SSO functionality with paired controllers in different locations is supported as of release 7.5 and later.

To support the active and standby WLCs in different data centers, in release 7.5, back-to-back redundancy port connectivity between peers is no longer mandatory and the redundancy ports can be connected via switches such that there is L2 adjacency between the two controllers.

Reference: http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html#31576

You must have L2 adjacency between the two controllers located in different data centers in order to have SSO redundancy working across the sites; also, only two WLCs can be paired in AP SSO mode.

N+1 redundancy supports having the backup WLC in a location other than the main controllers.

So yes, either configuration is possible: having 2x WLC in SSO mode on the local site and a backup WLC at the remote site, or having 2x WLC in SSO (one on the local site and the other at the remote site) and a third WLC as backup on the local site.

You also need thoughtful planning of WAN link bandwidth so it won't be oversubscribed by AP management and client traffic in case a failover to the WLC at the remote site happens.

Hi Roman,

Thank you for sharing so much excellent advice!!!

I read the white paper you suggested. Great information.

One more thing I am looking for is a good resource for wireless capacity planning. Something to address the following fundamental questions (numbers used as an example, not our actual numbers, and assuming a relatively high-density office cubicle heaven with no major sources of interference):

- I have 3 access points and 40 users. The users have on average 1.5 devices that try to connect wirelessly. Do I have enough bandwidth?

- I have 80 users; how many access points would I need?

with a specific methodology to evaluate and confirm the traffic needs depending on how chatty the clients are, and what the overload indicators would be, both for sniffing and for NMS polling.

Could you please help?

Hi Michael,

The general rule of thumb is to have between 15-25 clients per AP for data transmission and 7-8 for a VoWLAN deployment. You can use that generic recommendation as a baseline for calculating the AP count required:

  1. Currently you have 40 users, so 3 APs should be enough in general cases.
  2. With 80 users you will need 4-5 APs serving the area.

These are not hard-set numbers though, as you need to remember that it's a shared medium with half-duplex transmission, so the actual number will greatly depend on the type of clients and applications in your network.

You can use Prime Infrastructure to monitor wireless network utilization (Performance / Wireless Network Utilization).

Hi,

Approximately 50 users are doing a kind of Windows screen broadcast, so how many APs might be required?

Is it a good idea to enable media streams, since multicast is really worse? How many APs might be required if we enable media streams?

Thanks
