CWLAT Cisco Wireless LAN Advanced Topics
Volume
Version 1.0
Student Guide
Text Part Number: xx-xxxx-xx
Copyright © 2006, Cisco Systems, Inc. All rights reserved.

Table of Contents, Volume

WLAN Management 4-1
  Managing the WLAN from the WLAN Controller 4-3
    Overview 4-3
    Sniffer AP Mode 4-4
    Logging Options 4-13
    Aggressive Load Balancing 4-25
    Statistics 4-29
    Lesson Self-Check 4-38
    Summary 4-40
  Managing the Cisco Unified Wireless Network using Cisco WCS 4-41
    Overview 4-41
    Monitor Tab 4-42
    Location Tracking 4-66
    Calibration 4-71
    Cisco WCS Upgrade 4-78
    Lesson Self-Check 4-87
    Summary 4-89
  Managing the Cisco WLAN Controller 4-91
    Overview 4-91
    Controller and Access Point Information 4-92
    Upgrading the Cisco WLAN Controller 4-95
    Uploading Files on the Cisco WLAN Controller 4-99
    Clearing the Cisco WLAN Controller 4-100
    Lesson Self-Check 4-104
    Summary 4-106
  Managing CiscoWorks WLSE Management with Autonomous Access Points 4-107
    Overview 4-107
    Managing Devices 4-109
    Duplicate IP Address 4-113
    Device Description 4-118
    Faults 4-125
    Reports 4-140
    Configurations 4-146
    Upgrading CiscoWorks WLSE Software 4-161
    CiscoWorks WLSE Redundancy 4-162
    Lesson Self-Check 4-179
    Summary 4-182
Wireless Network Troubleshooting 5-1
  Troubleshooting the Cisco Advanced Feature Set Wireless Network 5-3
    Overview 5-3
    Troubleshooting Methods 5-5
    Troubleshooting the Wireless Client 5-14
    Troubleshooting Link Aggregation (4402/4404) 5-31
    Troubleshooting Mobility Anchors 5-34
    Troubleshooting Dynamic Frequency Selection 5-45
    Troubleshooting the Enhanced Security Module 5-47
    Lesson Self-Check 5-50
    Summary 5-52
  Troubleshooting the CiscoWorks Wireless LAN Solution Engine 5-53
    Overview 5-53
    Inventory 5-54
    Faults 5-55
    Configuration and Firmware 5-57
    System Level Diagnostics 5-62
    Lesson Self-Check 5-75
    Summary 5-77
Cisco WLAN Security 6-1
  Describing Cisco WLAN Security Standards 6-3
    Overview 6-3
    Reasons for Wireless LAN Security 6-4
    WLAN Security Standards 6-9
    Lesson Self-Check 6-15
    Summary 6-17
  Describing WLAN Security Threats and Mitigations 6-19
    Overview 6-19
    WLAN Security Vulnerabilities and Threats 6-20
    WLAN Security Best Practices 6-33
    Lesson Self-Check 6-41
    Summary 6-43
  Describing Authentication and Encryption 6-45
    Overview 6-45
    802.1X Overview 6-46
    EAP-Cisco Wireless (LEAP) 6-50
    EAP-FAST 6-52
    EAP-TLS 6-58
    EAP-PEAP 6-60
    WPA and 802.11i Encryption 6-62
    WPA2/802.11i 6-69
    Lesson Self-Check 6-77
    Summary 6-79
  Securing the WLAN 6-81
    Overview 6-81
    RADIUS Server Scalability and Availability 6-82
    CiscoWorks WLSE Wireless Intrusion Detection System 6-84
    Wireless Protection Policies on the WLAN Controller 6-92
    Rogue Access Points and Ad-Hoc Clients 6-96
    Intrusion Detection Management 6-110
    Client Exclusion Policies 6-115
    Lesson Self-Check 6-125
    Summary 6-127

Module
WLAN Management

Overview
This module describes how to manage devices with a controller, lightweight access points, or CiscoWorks WLSE.

Module Objectives
Upon completing this module, you will be able to install and administer WLAN management devices. This ability includes being able to meet these objectives:
• Use the Cisco WLAN Controller to manage the WLAN consisting of WLAN controllers and lightweight access points
• Manage WLAN controllers and lightweight access points using the Cisco WCS
• Manage the Cisco WLAN controller
• Determine the necessary processes to manage the wireless LAN with CiscoWorks WLSE
Lesson
Managing the WLAN from the WLAN Controller

Overview
This lesson looks at managing the WLAN from the Cisco WLAN Controller.

Objectives
Upon completing this lesson, you will be able to use the Cisco WLAN Controller to manage the WLAN consisting of WLAN controllers and lightweight access points. This ability includes being able to meet these objectives:
• Describe the steps to enable Sniffer AP mode on the Cisco WLAN controller
• Describe the logging options available on the Cisco WLAN controller
• Describe the steps to enable aggressive load balancing on the Cisco WLAN controller
• Describe the statistics available on the Cisco WLAN controller

Sniffer AP Mode
This topic describes the steps to enable Sniffer AP mode on the Cisco WLAN controller.

Sniffer AP Mode
• The ability to provide remote AiroPeek capabilities via deployed access points
• No laptop with AiroPeek required at the remote site
• Available for both 802.11a and 802.11b/g
• Can run multiple access points in Sniffer AP Mode
• Requires the WildPackets® AiroPeek 2.05 release and special DLL files:
  • socket.dll
  • socketres.dll

When an access point is set to Sniffer AP Mode, the access point goes into promiscuous mode and all traffic collected is forwarded to a PC running WildPackets AiroPeek. Traffic from the access point is tunneled back to the WLAN controller and then forwarded to the PC running AiroPeek.

Note: The Sniffer feature can be enabled only if you are running AiroPeek, a third-party network analyzer that supports decoding of data packets.

Security > Wireless Protection Policies > Client Exclusion Policies
Use SECURITY > Wireless Protection Policies, select Client Exclusion Policies to
access this page. This page allows you to set client exclusion policies:
• Excessive 802.11a Association Failures: Enabled check box
• Excessive 802.11a Authentication Failures: Enabled check box
• Excessive 802.1X Authentication Failures: Enabled check box
• Network Access Control Failures: Enabled check box
• Excessive 802.11 Web Authentication Failures: Enabled check box
• IP Theft or Reuse: Enabled check box

WLANs > Edit
• Client Exclusion is applied per WLAN
• Only the Client Exclusion Policies globally applied will be enforced

For existing WLANs, use WLANs > Edit to navigate to this page. When automatic adding to the Exclusion List (disabling) is enabled, set the timeout in seconds for disabled client machines. Client machines are disabled by MAC address, and their status can be observed on the Clients > Detail page. A timeout setting of indicates that administrative control is required to re-enable the client.

Note: Setting the client exclusion timer to means the client will be disabled and must be manually removed from the exclusion list.

View Excluded Clients: WLAN Controller
On the WLAN controller GUI, use MONITOR > Summary to navigate to this page. The summary page provides a top-level description of your controller, access points, clients, WLANs, and rogues. Rogues are unauthorized devices (access points, clients) that are connected to your network. The controller image is displayed at the top of the summary page and gives information about the controller model number and the number of access points supported by the controller. This page is refreshed every 30 seconds.

When using the CLI to display a summary of all clients on the manual exclusion list (blacklisted) from associating with this Cisco Wireless
LAN controller, use the show exclusionlist command. A list containing each manually excluded MAC address is displayed. The SNMP trap log will also show excluded clients.

View Excluded Clients: Cisco WCS
To see the same information from the Cisco WCS, use Monitor > Devices > Clients to access this section. By default, the Monitor Clients Summary page is displayed. This page displays information about access point clients. Under the Most Recent Excluded Clients heading you will see the following:
• User Name: User-defined user name
• IP Address: IP address of the excluded client
• MAC Address: MAC address of the excluded client
• Excluded Time: Time the client was excluded (blacklisted)

Security > Wireless Protection Policies > AP Authentication Policy
• The ability to use an NTP time stamp to ensure against data transmission playback by a Cisco lightweight access point not in the administrative domain
• All data transmitted between Cisco lightweight access points is checked against the time stamp
• Requires the controller to use NTP for date and time
• RF-Network Name must match to authenticate management frames for a group of lightweight access points

Access point authentication policy is the ability to use an NTP time stamp to protect against data transmission playback by a Cisco lightweight access point that is not in the administrative domain. All data transmitted between Cisco lightweight access points is checked against the time stamp. The controller must use NTP for its date and time. The RF-network name is used to authenticate management frames for a group of lightweight access points. Access points without the proper RF-network name cannot authenticate
management frames.

Security > Wireless Protection Policies > AP Authentication Policy
Use SECURITY > Wireless Protection Policies, select AP Authentication to access this page. This page allows you to set access point authentication policies. The authentication policy parameters are listed:
• RF Network Name: Not an editable field. The RF Network name entered in the general parameters window (refer to General) is displayed here.
  Note: RF-Network Name defines the mobility group to which the policy will be applied.
• Enable AP Neighbor Authentication: Enable this check box to enable the access point authentication feature. When this feature is enabled, access points sending RRM neighbor packets with different RF Network Names are reported as rogues.
• Alarm Trigger Threshold: Set the number of hits to be ignored from a foreign access point before an alarm is raised. The valid range is from to 255. The default value is 255.

Monitor > Clients > Remove
• If a client is removed without being disabled, it will be able to reassociate

Use MONITOR > Wireless > Clients, select Detail to navigate to this page. This page displays the details of the selected client's session and allows you to enable or disable Mirror Mode for this client. Information is displayed for both the client and its associated access point. Use the Remove link to disconnect the client.

Note: If a client is removed without being disabled, it will be able to reassociate.

Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and solutions are found in the Lesson Self-Check Answer Key.

Q1) Which of the following devices
serves as an AAA server and provides LEAP, EAP-FAST, and MAC authentication? (Choose one.) (Source: RADIUS Server Scalability and Availability)
A) Lightweight access points
B) Autonomous access points
C) WLAN Controller
D) CiscoWorks WLSE

Q2) An autonomous access point configured to function as a dedicated sensor reports the information it hears to which of the following? (Choose one.) (Source: WLSE Wireless Intrusion Detection System)
A) CiscoWorks WLSE
B) Cisco WCS
C) WDS
D) WLAN Controller

Q3) Intrusion detection on the WLAN controller involves the use of signature comparison. Packet matching and alarm generation are performed on which of the following? (Choose one.) (Source: Intrusion Detection Management)
A) Lightweight access point
B) WLAN controller
C) Cisco WCS
D) Location Device

Q4) When using Client Exclusion Policies, a client will be excluded on the _ consecutive 802.1X authentication attempt? (Choose one.) (Source: Client Exclusion Policies)
A) 2nd
B) 3rd
C) 4th
D) 5th

Q5) Trusted access point policy is the ability to monitor third-party access points. You must change the rogue status of the third-party access point from Alert Unknown to ? (Choose one.) (Source: Wireless Protection Policies)
A) Contain Rogue
B) Alert Unknown
C) Known Internal
D) Acknowledge External

Q6) How many rogue access points can a containing access point contain? (Choose one.) (Source: Rogue Access Points and Ad-hoc Clients)
A)
B)
C)
D)

Lesson Self-Check Answer Key
Q1) B
Q2) C
Q3) C
Q4) B
Q5) A
Q6) C

Summary
This topic summarizes the key points discussed in this lesson.

This lesson described securing the WLAN. The topics included determining the number and placement of RADIUS servers in an enterprise-class WLAN environment and the use of the CiscoWorks WLSE Wireless Intrusion Detection System to better secure your autonomous access point WLAN. In addition, this lesson discussed the steps to enable wireless protection policies on the WLAN controller, the steps to manage rogue access points and ad-hoc clients with the WLAN controller, the steps to enable Intrusion Detection Management on the WLAN controller, and the steps to enable client exclusion policies on the WLAN controller.

Module Summary
This topic summarizes the key points that were discussed in this module.

In this module we discussed how to administer security so that the network is safe
from attack. We also discussed the need for WLAN security, Wi-Fi WPA/WPA2 security certification, and the 802.11 security standards. We discussed WLAN security threats and mitigations and how authentication and encryption are used to secure the WLAN, as well as how 802.11i, WPA, and key management mitigate the threats to WLANs.

Module Self-Check
Use the questions here to review what you learned in this module. The correct answers and solutions are found in the Module Self-Check Answer Key.

Q1) Which of the following is the Wi-Fi Alliance's interoperable implementation of the ratified 802.11i standard? (Choose one.) (Source: WLAN Security Standards)
A) WEP
B) WPA
C) WPA2
D) Wi-Fi

Q2) Which of the following are considered Man in the Middle attacks? (Choose two.) (Source: WLAN Security Vulnerabilities and Threats)
A) Bit Flipping
B) Replay
C) Off-line dictionary
D) WEP Crack

Q3) Intrusion detection on the WLAN controller involves the use of signature comparison. Packet matching and alarm generation are performed on which of the following? (Choose one.) (Source: Intrusion Detection Management)
A) Lightweight access point
B) WLAN controller
C) Cisco WCS
D) Location Device

Q4) When using EAP-FAST, which of the following phases is used for dynamic PAC provisioning? (Choose one.) (Source: EAP-FAST)
A) Phase
B) Phase
C) Phase
D) Phase

Module Self-Check Answer Key
Q1) C
Q2) A, B
Q3) A
Q4) A

Monitor > Wireless > 802.11a or 802.11b/g Radios > Detail
Details are available for either 802.11a or 802.11b/g radios. This screen...

Monitor > Wireless > 802.11a or 802.11b/g Radios > Detail - Text View
This ... also be viewed in a Text View. Use MONITOR > Wireless > 802.11a Radios or MONITOR > Wireless > 802.11b Radios and then select Detail.
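The two controller protection mechanisms described earlier in this lesson, Client Exclusion Policies (per-MAC counting of consecutive 802.1X failures, exclusion for a timeout or until an administrator clears the entry) and the AP Authentication Policy (RRM neighbor packets checked for a matching RF-Network Name and a fresh NTP time stamp, with an alarm after a configurable number of foreign hits), modeled as an added Python example. This is constructed illustration code, not controller software from this guide; the exclusion threshold of 3 (taken from the lesson self-check), the 30-second replay window, the `timeout=None` convention for "manual removal required", and all MAC addresses and names are assumptions.

```python
"""Constructed model of client exclusion and AP neighbor authentication.
Not controller code; thresholds, window size and identifiers are assumed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ExclusionEntry:
    excluded_at: float
    timeout: Optional[float]  # None models "administrator must remove the entry"


@dataclass
class ClientExclusion:
    """Count consecutive 802.1X failures per client MAC; exclude the client on
    the threshold attempt (assumed 3). A successful authentication resets the
    count, and an excluded client is rejected until its timer expires or an
    administrator clears it."""
    threshold: int = 3
    timeout: Optional[float] = 60.0
    failures: Dict[str, int] = field(default_factory=dict)
    excluded: Dict[str, ExclusionEntry] = field(default_factory=dict)

    def is_excluded(self, mac: str, now: float) -> bool:
        entry = self.excluded.get(mac)
        if entry is None:
            return False
        if entry.timeout is not None and now >= entry.excluded_at + entry.timeout:
            del self.excluded[mac]  # timer expired: the client may try again
            return False
        return True

    def record_auth(self, mac: str, success: bool, now: float) -> str:
        """Process one 802.1X attempt; returns 'allowed', 'failed' or 'excluded'."""
        if self.is_excluded(mac, now):
            return "excluded"
        if success:
            self.failures.pop(mac, None)  # consecutive count resets on success
            return "allowed"
        count = self.failures.get(mac, 0) + 1
        self.failures[mac] = count
        if count >= self.threshold:
            self.excluded[mac] = ExclusionEntry(now, self.timeout)
            self.failures.pop(mac, None)
            return "excluded"
        return "failed"

    def admin_remove(self, mac: str) -> None:
        """Administrative removal, the only way out when timeout is None."""
        self.excluded.pop(mac, None)

    def show_exclusionlist(self) -> List[str]:
        """Sorted MACs currently on the list (like the CLI summary)."""
        return sorted(self.excluded)


@dataclass
class ApNeighborAuth:
    """Validate RRM neighbor packets. A packet whose RF-network name differs
    from ours counts as a hit from a foreign AP; hits beyond the alarm trigger
    threshold (default 255) raise an alarm. Packets with the right name must
    also carry an NTP time stamp inside the replay window (assumed 30 s)."""
    rf_network_name: str
    alarm_trigger_threshold: int = 255
    replay_window: float = 30.0
    foreign_hits: Dict[str, int] = field(default_factory=dict)

    def check_neighbor_packet(self, src_ap: str, rf_name: str,
                              timestamp: float, now: float) -> str:
        """Returns 'accepted', 'replay', 'rogue' or 'alarm'."""
        if rf_name != self.rf_network_name:
            hits = self.foreign_hits.get(src_ap, 0) + 1
            self.foreign_hits[src_ap] = hits
            return "alarm" if hits > self.alarm_trigger_threshold else "rogue"
        if abs(now - timestamp) > self.replay_window:
            return "replay"  # stale time stamp: possible playback of old data
        return "accepted"


if __name__ == "__main__":
    # Constructed walk-through: three failures exclude the client for 60 s.
    ce = ClientExclusion(threshold=3, timeout=60.0)
    for t in (0.0, 1.0, 2.0):
        print(ce.record_auth("00:11:22:33:44:55", False, t))
    print(ce.show_exclusionlist())
    apa = ApNeighborAuth("campus-rf", alarm_trigger_threshold=2)
    print(apa.check_neighbor_packet("ap-foreign", "other-rf", 100.0, 101.0))
```

The model keeps the two decisions the lesson separates: removal of a client (Monitor > Clients > Remove) is not modeled because it does not touch the exclusion list, whereas `admin_remove` is the administrative step the note says a non-expiring exclusion requires.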