Wednesday, December 23, 2009

Helpful images

[Image: Cisco Compatible Extensions Security Features Example]

[Image: Four-Way Handshake]

[Image: Proactive Key Caching Architecture]

[Image: WEP Encapsulation Process]

[Image: Unified Wireless Rogue AP Detection]

Tuesday, December 22, 2009

Management Frame Protection (MFP) & WPS settings

WPS is casually mentioned in and around enabling MFP and the MFP settings, but I found a link to a list of error messages that indicate what it is and does: LINK
  • wireless protection policy (WPS)
    • List of "show wps" commands: LINK
It seems that you can't enable ap-authentication until MFP is disabled:
  • MFP must be disabled before AP neighbor authentication is enabled.
And when you enable ap-authentication, NTP must be enabled on all switches in a multi-switch environment:
  • Please enable NTP on all switches in a multi-switch environment.
I found a nice thread on the Cisco Learning Network about MFP settings.

And then I found a totally sweet blog about Wireless LAN Security Best Practices and other assorted wireless stuff by Herbert Haas. Some of it is a bit dated, but some of it is still applicable: LINK

Then I found the Infrastructure Management Frame Protection (MFP) with WLC and LAP Configuration Example document:

Found this too - the Lightweight Access Point (LAP) Authorization in a Cisco Unified Wireless Network Configuration Example: LINK

Configuring Filters

I've never personally set up a wireless filter for a client for any reason - I've never had to micromanage a wireless network to that degree. Well, now I've got to, so here are my notes that I found interesting while reading the "Configuring Filters" section of the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points 12.3(7)JA: LINK

  • Using the CLI, you can configure up to 2,048 MAC addresses for filtering. Using the web-browser interface, however, you can configure only up to 43 MAC addresses for filtering.
  • Avoid using both the CLI and the web-browser interfaces to configure the wireless device. If you configure the wireless device using the CLI, the web-browser interface might display an inaccurate interpretation of the configuration. However, the inaccuracy does not necessarily mean that the wireless device is misconfigured. For example, if you configure ACLs using the CLI, the web-browser interface might display this message: "Filter 700 was configured on interface Dot11Radio0 using CLI. It must be cleared via CLI to ensure proper operation of the web interface." If you see this message you should use the CLI to delete the ACLs and use the web-browser interface to reconfigure them.
  • MAC address filters are powerful, and you can lock yourself out of the access point if you make a mistake setting up the filters. If you accidentally lock yourself out of your access point, use the CLI to disable the filters.
  • To make sure the filter operates properly, use lower case for all the letters in the MAC addresses that you enter.
  • Client devices with blocked MAC addresses cannot send or receive data through the access point, but they might remain in the Association Table as unauthenticated client devices. Client devices with blocked MAC addresses disappear from the Association Table when the access point stops monitoring them, when the access point reboots, or when the clients associate to another access point.
  • If you plan to block traffic to all IP addresses except those you specify as allowed, put the address of your own PC in the list of allowed addresses to avoid losing connectivity to the access point.

For specific Ethertype filters, refer to the Appendix of Protocol Filters in the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points 12.3(7)JA: LINK
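As an added example (not from the configuration guide or this blog), here is what an allow-list association filter looks like on an autonomous AP, with the MAC addresses written in lower case as the guide requires. The ACL number and the MAC addresses are made up:

```cisco
! Constructed example: a 48-bit MAC access list (numbers 700-799) used as an
! association filter. Only the listed stations may associate; everything
! else is dropped by the implicit deny at the end of the list.
! MAC addresses are made up and must be entered in lower case.
access-list 700 permit 0011.2233.aabb 0000.0000.0000
access-list 700 permit 0011.2233.aacc 0000.0000.0000
!
! Optional explicit deny-all. It behaves the same as the implicit deny but
! gives you a hit counter in "show access-lists" when a station is refused.
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
!
! Apply the list to the AP as an association filter (applies to all SSIDs).
dot11 association mac-list 700
!
! If you manage the AP over the wireless side, add your own station's MAC
! before applying the list. Recovery from the console if you lock yourself out:
!   configure terminal
!   no dot11 association mac-list 700
```

Treat this as a housekeeping control rather than an authentication control: a station's MAC address is visible in the clear in every frame it sends, so the list only keeps unintended devices off the radio, and the real access control stays with the 802.1X/WPA configuration on the SSID.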

Video of my wireless lab hardware

How to broadcast multiple SSIDs on a Cisco autonomous access point

Today I helped a customer implement a new SSID/VLAN on their network - and it was a trip back in time - as I've not laid eyes on a WLSE to configure autonomous access points in well over three years.

I didn't realize that by default an autonomous access point won't broadcast two SSIDs on a single dot11radio interface. Thank goodness for the internet - I found the solution and here are the two links I used for the proper configuration of dual broadcasting SSIDs:

A basic config example for broadcasting more than one SSID on a Cisco autonomous AP:
(your AP must be running 12.3.8-JEC(GD) IOS firmware or newer to use these commands)

! mark each SSID so that it gets its own beacon once MBSSID is on
dot11 ssid TEST1
   mbssid guest-mode

dot11 ssid TEST2
   mbssid guest-mode

Then you have to enable mbssid on the radio interface and attach both SSIDs to it:

interface dot11Radio 0
   mbssid
   ssid TEST1
   ssid TEST2
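The snippet above only shows the MBSSID commands. Here is a fuller version, added as an example and not taken from the post or from Cisco's documentation, that puts a WPA2/AES SSID and an open guest SSID on the same radio with each SSID mapped to its own VLAN, which is how additional SSIDs on one autonomous AP radio are normally kept apart on the wire. SSID names, VLAN numbers, interface names and the passphrase are all made up:

```cisco
! Constructed example: two SSIDs on one radio, each on its own VLAN so that
! guest traffic never shares a bridge group with corporate traffic.
! Names, VLAN numbers and the pre-shared key below are placeholders.
!
dot11 ssid CORP
   vlan 10
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 0 ReplaceThisWithALongPassphrase
   mbssid guest-mode
!
dot11 ssid GUEST
   vlan 20
   authentication open
   mbssid guest-mode
!
interface Dot11Radio0
   mbssid
   ! cipher is set per VLAN; the guest VLAN has no encryption at all
   encryption vlan 10 mode ciphers aes-ccm
   ssid CORP
   ssid GUEST
   no shutdown
!
! one dot1Q sub-interface per VLAN on the radio ...
interface Dot11Radio0.10
   encapsulation dot1Q 10
   bridge-group 10
interface Dot11Radio0.20
   encapsulation dot1Q 20
   bridge-group 20
!
! ... and matching sub-interfaces on the Ethernet side. The switch port the
! AP plugs into must be a trunk carrying VLANs 10 and 20 (and the native
! management VLAN used by BVI1).
interface FastEthernet0.10
   encapsulation dot1Q 10
   bridge-group 10
interface FastEthernet0.20
   encapsulation dot1Q 20
   bridge-group 20
```

After this, "show dot11 bssid" lists one BSSID per SSID on the radio, which is the quickest way to confirm that both are actually being beaconed. Keeping the open guest SSID on a separate VLAN, rather than only a separate SSID, is what prevents guest stations from reaching the corporate segment through the AP's bridge.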

Monday, December 21, 2009

! The AP-side configuration is the same for LEAP and PEAP; the EAP type is
! negotiated between the client and the RADIUS server. The four blocks
! below differ only in WPA version and cipher, and each block stands on its
! own: the last "encryption mode ciphers" entered on dot11radio1 replaces
! the previous one.

! WPA2 with LEAP, TKIP cipher
dot11 ssid WPA2LEAP
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2

int dot11radio1
   ssid WPA2LEAP
   encryption mode ciphers tkip

! WPA2 with PEAP, AES-CCMP cipher
dot11 ssid WPA2PEAP
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2

int dot11radio1
   ssid WPA2PEAP
   encryption mode ciphers aes-ccm

! WPA (version 1) with LEAP, TKIP cipher
dot11 ssid WPALEAP
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa

int dot11radio1
   ssid WPALEAP
   encryption mode ciphers tkip

! WPA (version 1) with PEAP, AES-CCMP cipher
dot11 ssid WPAPEAP
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa

int dot11radio1
   ssid WPAPEAP
   encryption mode ciphers aes-ccm

Thursday, December 10, 2009

Configuring WDS with RADIUS server

It has been *forever* since I've had to configure WDS - and as expected - it took me some time to get it configured properly, even with the Wireless Domain Services Configuration document from Cisco.

I tried to configure both APs to be WDS infrastructure APs and thought I had to change the encryption types on the SSIDs because of this document here: Configuring WDS, Fast Secure Roaming, and Radio Management

I followed the configuration guide and used the GUI to initially configure WDS, then referred back to the CLI to observe which commands were entered as a result.

Added configuration information for WDS infrastructure authentication of APs:

! RADIUS server groups used for infrastructure (AP) and client authentication
aaa group server radius wlccp_server
 server auth-port 1812 acct-port 1813
aaa group server radius wlccp_client
 server auth-port 1812 acct-port 1813
aaa authentication login method_wlccp_server group wlccp_server
aaa authentication login method_wlccp_client group wlccp_client
! credentials this AP presents to WDS as an infrastructure AP
wlccp ap username wlccpuser password 0 wlccppassword

wlccp authentication-server infrastructure method_wlccp_server
wlccp authentication-server client any method_wlccp_client
  ssid WPA
! this AP offers WDS on its BVI1 address; the highest priority wins the election
wlccp wds priority 200 interface BVI1
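The config above is the WDS AP itself. For completeness, here is the other half, added as an example rather than taken from the post: the configuration on a plain infrastructure AP that registers with that WDS AP, and the show commands used to confirm the registration. The username, password and the WDS address are placeholders:

```cisco
! Constructed example: infrastructure (non-WDS) AP side of the setup above.
! The credentials must match the "wlccp ap username" on the WDS AP, and the
! same user must exist on the RADIUS server behind method_wlccp_server,
! because the WDS AP authenticates every infrastructure AP through it.
wlccp ap username wlccpuser password 0 wlccppassword
!
! Optional: name the WDS AP explicitly instead of relying on WLCCP
! multicast discovery on the local subnet. <WDS-AP-IP> is a placeholder.
wlccp ap wds ip address <WDS-AP-IP>
!
! Verification
!   on the infrastructure AP: show wlccp ap
!     -> shows the WDS address and the AP's registration state
!   on the WDS AP:            show wlccp wds ap
!     -> lists each registered AP with its state (expect REGISTERED)
```

If the infrastructure AP never reaches REGISTERED, check the RADIUS side first: a rejected or unknown wlccpuser on the server referenced by method_wlccp_server shows up as a failed infrastructure authentication on the WDS AP, not as a wireless problem.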


Wednesday, December 9, 2009

CCIE Wireless Lab Exam Topics (Blueprint) (as of 12/9/09)

Exam Sections and Sub-task Objectives

1     Implement network infrastructure to support WLANs
1.01  Implement Catalyst configuration (VLANs, VTP, STP, Trunk, Portchannel, LB..)
1.02  Implement network connectivity in WLC
1.03  Implement network connectivity in LAP (local mode, hreap + local switching)
1.04  Implement network connectivity in AP (multiple vlans, vs single vlan)
1.05  Configure client to connect/authenticate to SSIDs
1.06  Implement DNS, DHCP, NTP
1.07  Implement QoS to support voice services over the switching infrastructure
1.08  Implement basic IP routing
1.09  Troubleshoot network infrastructure to support Wireless

2     Implement Autonomous Infrastructure
2.01  Configure WDS
2.02  Implement local radius
2.03  Implement SSID/MBSSID as needed: Security policies and Bridging groups
      (a) Security policies
      (b) Bridging groups
2.04  Implement radio roles
2.05  Implement antenna settings
2.06  Implement association filters
2.07  Implement and control management access
2.08  Implement MFP
2.09  Implement multicast settings
2.10  Implement QOS
2.11  Implement peer to peer blocking
2.12  Troubleshoot bridge connectivity problems
2.13  Convert Autonomous to LWAP

3     Implement Unified Infrastructure
3.01  Implement Interface settings
3.02  Implement mobility groups
3.03  Implement WLANs
3.04  Implement multicast settings
3.05  Implement and control management access
3.06  Implement controller redundancy/fallback
3.07  Implement discovery mechanisms
3.08  Implement AutoRF to adapt to site requirements
3.09  Check and validate current channel/power settings
3.10  Validate trap generation, notifications in WCS/WLC

4     Implement Unified Controllers and AP's
4.01  Implement peer to peer blocking
4.02  Implement Security
      (a) WPS settings
      (b) MFP/AP authentication
      (c) AP authorization
4.03  Implement QOS
4.04  Implement local EAP authentication (against local user list, and external LDAP)
4.05  Implement L3 security policies (Webauth, pass-through)
4.06  Implement wired and wireless Guest
4.07  Implement L2 security policies (802.11i, static dynamic WEP, mac filtering, etc..)
4.08  Implement Local DHCP services for clients
4.09  Implement AAA (WLC to Radius/LDAP)
4.10  Troubleshoot client connectivity problems

5     Implement Unified WCS and Location
5.01  Implement controllers to WCS
5.02  Create and deploy template, template groups
5.03  Prepare building/floor map
5.04  Create floor coverage proposal
5.05  Implement location server
5.06  Tune location services given needs (tag tracking, notifications, timers)
5.07  Validate client connectivity/troubleshoot client via WCS/WLC
5.08  Validate location information in WCS/WLC
5.09  Validate security events with WCS/WLC
5.10  Validate location information in WCS/WLC
5.11  Validate trap generation, notifications in WCS/WLC
5.12  Validate client connectivity/troubleshoot client via WCS/WLC

6     Implement Voice over Wireless
6.01  Implement support for 7920/7921 deployments, for both Unified and Autonomous
6.02  Implement QoS settings:
      (a) Voice/Video
      (b) EDCA
6.03  Audit voice deployment

Tuesday, December 8, 2009

AP as Local Authenticator (RADIUS)

I'm digging into my trouble spots as the lab date gets closer. There are many configurations I've never implemented through the course of work I've done as a wireless engineer. Now it is time to get into unfamiliar territory, no matter how simple it is.

Section 4.09 - Implement AAA (WLC to Radius/LDAP)

To start this off - there have been many configurations I've done where I've pointed a WLC to a RADIUS server and given each a shared secret, but I've never set up an AP to be its own RADIUS server, or pointed an autonomous AP at a RADIUS server. I tackled these configurations this week.

Pointing an AP to itself for RADIUS authentication was pretty straightforward once I used the right IP address for the RADIUS server.

debug radius auth
debug radius local-server

These two commands are what made it clear that something was really wrong, and explained why the RADIUS auth was timing out.

*Mar  3 22:15:01.564: RADIUS: no sg in radius-timers: ctx 0x139F050 sg 0x0000
*Mar  3 22:15:01.564: RADIUS: Fail-over to (,1646) for id 1645/2

The AP's IP address was - and I'd mistakenly entered - should have been obvious, but I missed the error initially.

The key entries in the AP config were (in this order):

ip dhcp excluded-address
ip dhcp pool DHCP_POOL

aaa new-model
aaa group server radius rad_eap
 server auth-port 1812 acct-port 1813

! the RADIUS host is the AP's own address; the key must match the "nas" key below
radius-server host auth-port 1812 acct-port 1813 key 0 radiuskey
radius-server vsa send accounting

! the AP acting as the RADIUS server for its own NAS entry
radius-server local
  nas key 0 radiuskey
  group admins
    ssid WPA
  user jsmith password 0 jsmithpassword group admins

aaa new-model
aaa authentication login eap_methods group rad_eap

dot11 ssid WPA
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   infrastructure-ssid optional

References for the configuration were found on Cisco's site:
LEAP Authentication on a Local RADIUS Server
Configuring an Access Point as a Local Authenticator
How to configure different security options on a Cisco AP

Wednesday, December 2, 2009

Packet Captures!

I'm sure this is all rehash - but here are links to others' great work done in capturing wireless packets and explaining each step. No reason to reinvent the wheel.

Tutorial: How to crack WEP on a Wireless Distribution System (WDS)?

sample TKIP parameters (pg 1183):

Wifi / Wireless LAN captures / 802.11