Mesh security

I'm researching how to build a mesh securely, and some of Cisco's own pages puzzle me.

Configure Mesh on Catalyst 9800 Wireless LAN Controllers - Cisco is one of the latest guides. It shows how to use local authentication and EAP-FAST on the controller to set this up.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Amsterdam 17.3.x - Mesh Access Points [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco says that APs can get hijacked if not using a provisioned PSK. I was hoping that EAP-FAST would prevent this, but a very old page specifically says that EAP-FAST cannot be configured and that it uses the MAC address and AP type as the credential: Cisco Wireless Mesh Access Points, Design and Deployment Guide, Release 8.7 - Connecting the Cisco Mesh Access Points to the Network [Cisco Wireless LAN Controller Software] - Cisco.

Controllers can also only use EAP-FAST when it is used for local authentication.

My questions:

  1. Am I correct that the EAP-FAST with MAC list is still vulnerable?
    1. If yes, why is it in guides?
  2. 9800 WLCs allow an LSC configuration. If LSC is on, is EAP-FAST still using the MAC-address and AP type, or does it use the LSC?
  3. Am I correct in assuming that only provisioned PSK or LSC in combination with an external AAA is safe?
10 Replies

MHM

I know, that's one of the pages I linked in the opening post. It answers none of my questions.

MHM

Correct, I stated that before asking my 3 questions, 4 with the subquestion. Those are facts I could find and also wrote in my opening post. Do you have an answer to one of my questions?

Good luck in your Q.
Sorry, I don't have time to answer.

MHM

@mvlaardingerbroek

"Am I correct that the EAP-FAST with MAC list is still vulnerable?"

Yes.

"If yes, why is it in guides?"

There was a time when we had no security at all. Now it is possible to set up EAP-FAST. You also need to consider when the guide was written. Now it is possible to use LSC for mesh APs.

"9800 WLCs allow an LSC configuration. If LSC is on, is EAP-FAST still using the MAC-address and AP type, or does it use the LSC?"

"Locally significant certificate-based (LSC-based) EAP authentication is also supported for MAPs. To use this feature, you should have a public key infrastructure (PKI) to control certification authority, define policies, validity periods, and restrictions and usages on the certificates that are generated, and get these certificates installed on the APs and controller."

Answering your question, I would say no. EAP-FAST has no relation to LSC.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Amsterdam 17.3.x - Mesh Access Points [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco

 


"Am I correct in assuming that only provisioned PSK or LSC in combination with an external AAA is safe?"

Yes, I agree with you. 
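The following Python script is an added example, not code from this thread, from Cisco, or from the 9800 documentation. It reads a running-config fragment and sorts each mesh profile into the two buckets the answer above ends on: weak (MAC list and AP type as the only credential, or `security psk` with the default PSK) versus safe (PSK provisioning with an operator-configured key, or LSC-based EAP backed by an external RADIUS group). The sample config is constructed, and its command syntax, in particular `wireless mesh security psk provisioning key ...` and `lsc-only-auth` under the mesh profile, is an assumption from memory of the 9800 mesh guide; check it against `show running-config` on a real controller before relying on the checks.

```python
"""Audit a Catalyst 9800 running-config fragment for mesh AP authentication posture.

Added example, not code from the thread. Each 'wireless profile mesh' block is
classified as:
  WEAK  - MAC list / AP type only, or 'security psk' with the default PSK
  SAFE  - PSK provisioning with a configured key, or LSC with an external AAA group
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample running-config fragment. The command syntax is an ASSUMPTION
# (from memory of the 9800 mesh guide), not something confirmed by this thread;
# check it against 'show running-config' on a real controller before relying on it.
SAMPLE_CONFIG = """\
!
aaa new-model
aaa group server radius MESH-RADIUS
 server name ise-psn-1
!
username 0011.2233.4455 mac
username 0011.2233.4466 mac
!
wireless mesh security psk provisioning
wireless mesh security psk provisioning key 1 0 Prov1s1onedPSK-ChangeMe
!
wireless profile mesh LEGACY-MESH
 description "MAC list + EAP-FAST only"
!
wireless profile mesh PSK-MESH
 description "provisioned PSK"
 security psk
!
wireless profile mesh LSC-MESH
 description "LSC certificates, RADIUS-backed"
 security eap
 lsc-only-auth
!
"""

WEAK, SAFE = "WEAK", "SAFE"


@dataclass
class MeshProfile:
    name: str
    lines: list[str] = field(default_factory=list)  # indented sub-commands


def parse_config(text: str) -> tuple[dict, list[MeshProfile]]:
    """Collect the global mesh-security facts and every mesh profile block."""
    g = {"psk_provisioning": False, "psk_keys": 0,
         "radius_groups": 0, "mac_filter_entries": 0}
    profiles: list[MeshProfile] = []
    current: MeshProfile | None = None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())   # sub-command of the open profile
            continue
        current = None                          # any top-level line closes the block
        line = raw.strip()
        m = re.fullmatch(r"wireless profile mesh (\S+)", line)
        if m:
            current = MeshProfile(m.group(1))
            profiles.append(current)
        elif line == "wireless mesh security psk provisioning":
            g["psk_provisioning"] = True
        elif line.startswith("wireless mesh security psk provisioning key "):
            g["psk_keys"] += 1
        elif line.startswith("aaa group server radius "):
            g["radius_groups"] += 1
        elif re.fullmatch(r"username \S+ mac", line):
            g["mac_filter_entries"] += 1        # MAC list entry: spoofable, not a secret
    return g, profiles


def classify(profile: MeshProfile, g: dict) -> tuple[str, str]:
    """Return (verdict, reason) for one mesh profile, given the global facts."""
    sub = set(profile.lines)
    if "lsc-only-auth" in sub:                  # assumed command name for LSC-only MAP auth
        if g["radius_groups"] == 0:
            return WEAK, "LSC enabled but no external RADIUS server group is defined"
        return SAFE, "certificate-based (LSC) EAP against an external AAA server"
    if "security psk" in sub:
        if g["psk_provisioning"] and g["psk_keys"] > 0:
            return SAFE, "PSK provisioning with an operator-configured key"
        return WEAK, "'security psk' but no provisioned key: default PSK in use"
    return WEAK, ("no PSK and no LSC: MAC address and AP type are the only credential "
                  f"({g['mac_filter_entries']} MAC-list entries found)")


def audit(text: str) -> dict[str, tuple[str, str]]:
    """Map every mesh profile name in the config to its (verdict, reason)."""
    g, profiles = parse_config(text)
    return {p.name: classify(p, g) for p in profiles}


if __name__ == "__main__":
    for name, (verdict, reason) in audit(SAMPLE_CONFIG).items():
        print(f"{verdict:4} {name:12} {reason}")
```

The MAC-list count is reported but never counts toward a SAFE verdict on purpose: a MAC address is an identifier the attacker can copy, so it only tells you how many entries an attacker could impersonate. Note also that LSC without a RADIUS group is flagged weak, matching the point that LSC has to be paired with an external AAA server.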

The guide is from a 9800, written this year. But you confirmed my fears. So I need either a provisioned PSK, or a complete PKI. Thank you.

If you can, PKI is indubitably more secure

For now I'm going to make a PoC for a customer. I very much agree PKI is the way to go, but it also needs much more work and infrastructure for the client. Guess we're going to have a talk about that

My suggestion, if you have not built out any mesh prior, is to work with your Cisco SE to understand the pros and cons, especially when it comes down to support. The customer will need to be able to support this once you have deployed it and have left it in their hands. It's easy when they have the infrastructure already, because they should have the staff to support that. So, as a former consultant, you just need to work with Cisco and the customer to really balance security and support longevity of your solution. You are heading in the right direction.

-Scott