Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
399
Views
0
Helpful
3
Replies

WLSE Security Policies

s.vautour
Level 1
Level 1

‎02-27-2004 10:27 AM - edited ‎07-04-2021 09:24 AM

Hello,

Has anyone tried using the WLSE Security Policies? There is no information in the WLSE User Guide as to what configs they check. The Policies are checked via SNMP. By doing a tcpdump of the WLSE traffic I've managed to figure out which OIDs the Policies check. They all seem to be in the CISCO-DOT11-IF and CISCO-WLAN-VLAN MIBs. Most of the Policies seem to work but don't do what I would've expected. The "EAP Enforced" and "EAP per SSID Enforced" seem broken.

Anybody else get these to work?

Serge

Labels:
0 Helpful
3 Replies 3

a-vazquez
Level 6
Level 6

‎03-05-2004 08:25 AM

What version are you running?? I was told WLSE version 1.3 has a resolution to this proble..

0 Helpful

rmushtaq
Level 8
Level 8

‎03-05-2004 03:57 PM

What WLSE vesion and what excatly you mean by 'broken'/what is not working?

0 Helpful

s.vautour
Level 1
Level 1
In response to rmushtaq

‎03-08-2004 11:31 AM

Hello,

I'm running WLSE 2.5. My first problem was that I found it frustrating to understand what the Security Policies were supposed to do. The documentation doesn't explain what they do just how to turn them on/off. Based on my testing, I now know which MIBs/OIDs are checked for each Policy. I can correlate this directly with configs on the APs.

The Policies that are giving me problems are the "EAP Enforced" and "EAP per SSID Enforced". These Policies both seem to check the following OIDs under the CISCO-DOT11-IF-MIB:

.1.3.6.1.4.1.9.9.272.1.1.1.7.1.1 -> cd11IfAuxSsidAuthAlgEnable

.1.3.6.1.4.1.9.9.272.1.1.1.7.1.2 -> cd11IfAuxSsidAuthAlgRequireEap

I'm doing testing with Cisco Airnet 1220s running IOS version 12.2(13)JA. The 2nd OID has 3 possible values: open, shared & eap. Each of these has a true or false entry. No matter what config I tried, the eap entry always had a value of false. You would think this value would change to true when EAP is on/required. I guess this could be a problem with the AP and not WLSE.

The EAP Enforced fault seems to only be supported if 1 SSID is configured. However, faults will continue to generate with multiple SSIDs but just on the first configured SSID. This doesn't seem right.

"EAP per SSID Enforced" checks the same MIBs as "EAP Enforced". The MIB is automatically exanded for multiple SSIDs. I've seen some very weird results here. For example, I tried the following config:

encryption vlan 1 key 1 size 40bit 7 1823F25A0AB8 transmit-key

encryption vlan 1 mode wep mandatory

encryption vlan 2 mode ciphers ckip-cmic

ssid TEST1SSID

vlan 1

authentication shared

ssid TEST2SSID

vlan 2

authentication network-eap eap_methods

With this config, WLSE generated a Security Policy Fault on both SSIDs. Why? The second is correct.

If I invert the config on both of these SSIDs, no fault is generated at all. It's almost like only the first SSID is being checked.

Basically I've found that if the 1st SSID is using EAP, no fault gets generated regardless of how the 2nd SSID is configured. If the first SSID isn't using EAP and the 2nd SSID is, a fault generates for the 1st SSID only. If neither SSID is using EAP, 2 faults are generated, one for each SSID.

I was wondering if anybody else has successfully used these Policies? Are you confortable that they will report faults correctly? Can you depend on them?

Thanks,

Serge

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card