322 CCNA Wireless Official Exam Certification Guide

SSC Groups

In the SSC, connections are logically grouped with a name. You can create your own groups, as well as move connections between groups. You can also add basic wireless connections (PSK-based), but not secured or wired connections.

Note: The user interface of SSC talks about profiles. For administrators, the Secure Services Client Administration Utility (SSCAU) talks about networks. A network can be a wireless connection, a home type like the ones created with the SSC, or an enterprise type, based on individual authentication instead of a common passphrase. A network can also be a wired connection. The significance of this is that all profiles are networks, but at the same time a network can be more than just an SSC profile.

SSCAU Overview

With the SSCAU, you can create new configuration profiles. The profile is saved as an XML file and then can be deployed to devices in the network. You also can modify existing configuration profiles. Furthermore, you can process existing configuration profiles to verify the profile’s policy logic, encrypt the credentials, and sign the file. There are two ways to deploy the generated profiles:

■ To existing clients
■ Via an MSI that will also install the SSC

The Cisco Client Extension Program

The Cisco Client Extension (CCX) program is no-cost licensing of technology for use in WLAN adapters and devices. This allows for the following:

■ Independent testing to ensure interoperability with the Cisco infrastructure’s latest innovation
■ Marketing of compliant products by Cisco and product suppliers under the “Cisco Compatible” brand

CCX for Wi-Fi RFID Tags allows vendors to have a common set of features. More information on the Cisco Compatible Extension Program can be found at http://www.cisco.com/web/partners/pr46/pr147/partners_pgm_concept_home.html.
18_1587202115_ch16.qxp 9/29/08 2:42 PM Page 322

Chapter 16: Wireless Clients 323

Exam Preparation Tasks

Review All the Key Topics

Review the most important topics from this chapter, denoted with the Key Topic icon. Table 16-4 lists these key topics and the page number where each one can be found.

Table 16-4 Key Topics for Chapter 16

Key Topic Item   Description                              Page Number
Table 16-2       Comparison between WZC and ADU           307
Figure 16-12     Three options when installing the ADU    308
Figure 16-19     Profile management in ADU                312
Figure 16-20     Security options                         313
Figure 16-21     WPA/WPA2/CCKM                            314
Figure 16-22     WPA/WPA2 passphrase                      314
Table 16-3       Security options comparison              314
Figure 16-24     Advanced statistics                      316
Figure 16-26     CSSU display in dBm                      318
Figure 16-28     ACAU interface                           319

Complete the Tables and Lists from Memory

Print a copy of Appendix B, “Memory Tables” (found on the CD) or at least the section for this chapter, and complete the tables and lists from memory. Appendix C, “Memory Tables Answer Key,” also on the CD, includes completed tables and lists to check your work.
Definition of Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

WZC, SSID, AirPort Extreme, NetworkManager, iwconfig, WPA, WPA2, ADU, ACAU, 802.1x, CSSU, CSSC, SSCAU, CCX

Cisco Published 640-721 IUWNE Exam Topics Covered in This Part

Describe WLAN fundamentals
■ Describe 802.11 authentication and encryption methods (Open, Shared, 802.1X, EAP, TKIP, AES)

Implement basic WLAN Security
■ Describe the general framework of wireless security and security components (authentication, encryption, MFP, IPS)
■ Describe and configure authentication methods (Guest, PSK, 802.1X, WPA/WPA2 with EAP-TLS, EAP-FAST, PEAP, LEAP)
■ Describe and configure encryption methods (WPA/WPA2 with TKIP, AES)
■ Describe and configure the different sources of authentication (PSK, EAP-local or -external, Radius)

Operate basic WCS
■ Describe key features of WCS and Navigator (versions and licensing)
■ Install/upgrade WCS and configure basic administration parameters (ports, O/S version, strong passwords, service vs. application)
■ Configure controllers and APs (using the Configuration tab not templates)
■ Configure and use maps in the WCS (add campus, building, floor, maps, position AP)
■ Use the WCS monitor tab and alarm summary to verify the WLAN operations

Conduct basic WLAN Maintenance and Troubleshooting
■ Identify basic WLAN troubleshooting methods for controllers, access points, and clients methodologies
■ Describe basic RF deployment considerations related to site survey design of data or VoWLAN applications
■ Common RF interference sources such as devices, building material, AP location
■ Basic RF site survey design related to channel reuse, signal strength, cell overlap
■ Describe the use of WLC show, debug and logging
■ Describe the use of the WCS client troubleshooting tool
■ Transfer WLC config and O/S using maintenance tools and commands
■ Describe and differentiate WLC WLAN management access methods (console port, CLI, telnet, ssh, http, https, wired versus wireless management)

Part III: WLAN Maintenance and Administration

Chapter 17 Securing the Wireless Network
Chapter 18 Enterprise Wireless Management with the WCS and the Location Appliance
Chapter 19 Maintaining Wireless Networks
Chapter 20 Troubleshooting Wireless Networks

This chapter covers the following subjects:

Threats to Wireless Networks: Discusses threats to wireless networks.
Simple Authentications: Looks at basic wireless security.
Centralized Authentication: Shows how centralized authentication works using various EAP methods.
Authentication and Encryption: Describes WPA and WPA2.
CHAPTER 17 Securing the Wireless Network

It’s usually obvious that wireless networks can be less secure than wired networks. This calls for a great deal of thought when you deploy a wireless network. What security do you need? What security measures can you perform? What are the security capabilities of your equipment? Should you authenticate users when they access the network? Should you encrypt traffic over the wireless space? As you can see, there are many options to think about. But let’s break this into small parts. First, who are your users? The answer will be different for networks that allow guest access versus those that don’t. Second, how hidden do you need to make your users’ traffic? Again, this answer will differ depending on the users. If you are offering guest access, encryption probably is not a big concern. If all or even a portion of your users are internal, encryption probably is a concern.

In this chapter, you will learn about various methods of securing a wireless network. Some methods provide a way to identify the user. Others offer a way to hide user data. Still other methods do both.

You should take the “Do I Know This Already?” quiz first. If you score 80 percent or higher, you might want to skip to the section “Exam Preparation Tasks.” If you score below 80 percent, you should review the entire chapter. Refer to Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes,” to confirm your answers.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz helps you determine your level of knowledge of this chapter’s topics before you begin. Table 17-1 details the major topics discussed in this chapter and their corresponding quiz questions.

Table 17-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section        Questions
Threats to Wireless Networks     1–4
Simple Authentications           5–7
Centralized Authentication       8–12
Authentication and Encryption    13–14
1. Threats to wireless networks include which of the following? (Choose all that apply.)
   a. Rogue APs
   b. Client misassociation
   c. Unauthorized port access
   d. Stateful inspection

2. Which of the following can be used to prevent misassociation attacks? (Choose all that apply.)
   a. Client MFP
   b. Spoofing
   c. Infrastructure MFP
   d. Rogue-AP containment

3. Client MFP allows clients to perform what function?
   a. Detect invalid clients
   b. Detect invalid APs
   c. Detect invalid controllers
   d. Detect invalid SSIDs

4. To perform Client MFP, what version of CCX is required?
   a. v1.x
   b. v2.x
   c. v5.x
   d. v6.x

5. WEP uses which of the following encryption algorithms?
   a. AES
   b. TKIP
   c. MD5
   d. RC4

6. What key size should be selected to perform 128-bit WEP with a Windows client?
   a. 40-bit
   b. 104-bit
   c. 128-bit
   d. 192-bit

7. How many bits does an IV add to a WEP key?
   a. 24 bits
   b. 48 bits
   c. 188 bits
   d. 8 bits

8. In centralized authentication, a certificate is used based on information from a trusted third party. What information is not included in a certificate?
   a. Username
   b. Public key
   c. Validity dates
   d. Session keys

9. Central authentication uses which IEEE specification?
   a. 802.11a
   b. 802.1q
   c. 802.1d
   d. 802.1x

10. Which protocol is used for the authentication server?
   a. RADIUS
   b. Active Directory
   c. LDAP
   d. TACACS+

11. Which EAP method uses certificates on both the client and the server?
   a. EAP-FAST
   b. EAP-MD5
   c. EAP-TLS
   d. PEAP

12. Which EAP method uses a PAC instead of certificates?
   a. EAP-FAST
   b. EAP-MD5
   c. EAP-TLS
   d. PEAP

13. Which protocol requires the use of TKIP, but can optionally use AES?
   a. WPA2
   b. GTK
   c. MS-CHAPv2
   d. WPA

14. Which protocol mandates that AES must be supported but not TKIP?
   a. WPA2
   b. GTK
   c. MS-CHAPv2
   d. WPA

Foundation Topics

Threats to Wireless Networks

Throughout this book, you have learned about the many threats to wireless networks. If you really wanted to simplify the threats, you could think of it like this: You want legitimate clients to connect to legitimate APs and access corporate resources. Some attacks are formed from the perspective of an AP trying to gain information from clients. Other attacks are from the perspective of getting illegitimate clients onto the network to use corporate resources at no charge or to actually steal data or cause harm to the network. These threats include the following:

■ Ad hoc networks
■ Rogue APs
■ Client misassociation
■ Wireless attacks

Ad Hoc Networks

An ad hoc network is a wireless network formed between two clients. The security risk involves bypassing corporate security policies. An attacker could form an ad hoc network with a trusted client, steal information, and even use it as a means of attacking the corporate network by bridging to the secure wired LAN.

Rogue APs

A rogue AP is not part of the corporate infrastructure. It could be an AP that’s been brought in from home or an AP that’s in a neighboring network. A rogue AP is not always bad. It could be an AP that’s part of the corporate domain yet still operating in autonomous mode. Part of an administrator’s job is determining if the AP is supposed to be there. Fortunately, you don’t have to do all the work yourself. A few functions of the AP’s software can detect rogue APs and even indicate if they are on your network. Something to consider when looking for rogue APs is what happens to clients that can connect to those rogue APs. If a client connects to a rogue AP, it should be considered a rogue client.
The reason is that rogue APs typically are installed with default configurations, meaning that any client that connects bypasses any corporate security policy. So you do not know if the client is a corporate user or an attacker.

Client Misassociation

When a client connects to an AP, operating system utilities normally allow the client to save the SSID. In the future, when that SSID is seen again, the client can create a connection automatically. There is a possibility that clients will be unaware of the connection. If the SSID is being spoofed, the client could connect to a potentially unsafe network. Consider the following scenario. An attacker learns the SSID of your corporate network. Using this information, he sends beacons advertising your SSID. A wireless station in the
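As an added example (not from the book), the following Python sketch applies the rogue-AP and client-misassociation logic of the two sections above from the administrator's side: it checks observed beacons against an assumed inventory of authorized BSSIDs, flags unknown radios that advertise the corporate SSID (the spoofing case that saved-SSID clients may auto-join) and ad hoc networks, and treats any client associated to a non-authorized BSSID as a rogue client. The SSID names, MAC addresses and inventory are constructed.

```python
# Added example, not from the book: classify observed beacons against an assumed
# inventory of authorized APs and flag clients that joined a rogue. SSID names,
# MAC addresses and the inventory are all constructed.
CORPORATE_SSID = "CorpNet"                  # assumed corporate SSID
AUTHORIZED_BSSIDS = {                       # assumed AP inventory (BSSIDs)
    "00:1a:2b:00:00:01", "00:1a:2b:00:00:02", "00:1a:2b:00:00:03",
}

# Constructed beacon observations: (bssid, ssid, is_ibss). is_ibss is True when
# the beacon's capability field advertises an independent (ad hoc) BSS.
OBSERVED_BEACONS = [
    ("00:1a:2b:00:00:01", "CorpNet", False),
    ("00:1a:2b:00:00:03", "Guest", False),
    ("de:ad:be:ef:00:01", "CorpNet", False),   # unknown radio using our SSID
    ("de:ad:be:ef:00:02", "Neighbor", False),  # unknown AP, other SSID
    ("ca:fe:00:00:00:01", "CorpNet", True),    # ad hoc network using our SSID
]

# Constructed association observations: (client MAC, BSSID it joined)
ASSOCIATIONS = [
    ("aa:bb:cc:00:00:10", "00:1a:2b:00:00:01"),
    ("aa:bb:cc:00:00:11", "de:ad:be:ef:00:01"),
    ("aa:bb:cc:00:00:12", "ca:fe:00:00:00:01"),
]

def classify_beacon(bssid, ssid, is_ibss):
    """Return a verdict string for one beacon observation."""
    if is_ibss:
        return "ad-hoc"                     # peer-to-peer network, not an AP
    if bssid in AUTHORIZED_BSSIDS:
        return "authorized"
    # An unknown AP advertising the corporate SSID is the misassociation case:
    # clients with the SSID saved may connect to it automatically.
    return "rogue-spoofing-ssid" if ssid == CORPORATE_SSID else "rogue"

def classify_all(beacons):
    """Map each observed BSSID to its verdict."""
    return {b: classify_beacon(b, s, i) for b, s, i in beacons}

def rogue_clients(associations, beacons):
    """Clients seen associated to anything other than an authorized AP."""
    verdicts = classify_all(beacons)
    return sorted(c for c, b in associations
                  if verdicts.get(b, "rogue") != "authorized")

if __name__ == "__main__":
    for bssid, verdict in classify_all(OBSERVED_BEACONS).items():
        print(bssid, verdict)
    print("rogue clients:", rogue_clients(ASSOCIATIONS, OBSERVED_BEACONS))
```

A client that joined a BSSID never seen beaconing is also reported as rogue, since nothing vouches for that AP.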