ASK THE EXPERT - WIRELESS SECURITY by dbn14335



This thread is locked       ciscomoderator 2,300 posts since
Jun 29, 2000
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an
opportunity to learn how to address your Wireless Security concerns with Cisco expert
Sangita Patel. Sangita is a Mobility Solutions Manager at Cisco. As a Solutions Manager,
Sangita is responsible for the marketing strategy of Cisco Mobility Solutions with an
emphasis on articulating the business value of wireless security as well as the unified wired
and wireless approach to enterprise-wide mobility. She has over 15 years of networking
industry experience. Prior to joining Cisco, Sangita served as a Product Manager at
Symbol Technologies / Motorola and was responsible for some of their flagship Wireless
LAN infrastructure and management portfolio. Sangita holds a B.S. in Computer Science
from San Jose State University and M.S. in Engineering Management from Santa Clara
University.



Remember to use the rating system to let Sangita know if you have received an adequate
response.



Sangita might not be able to answer each question due to the volume expected during this
event. Our moderators will post many of the unanswered questions in other discussion
forums shortly after the event. This event lasts through September 25, 2009. Visit this forum
often to view responses to your questions and the questions of other community members.



         wendellm1 2 posts since
Jun 19, 2008 1. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 12, 2009 10:59 AM

I was wondering how to set up a network between two separate buildings on the same
property, yet both have their own DSL circuit from AT&T. No underground conduit is
available to connect the two buildings. I would like to use (2) Cisco WRVS4400N Gigabit
Security Routers to do this, because both buildings want wireless networking plus wired
networking available. The main building already has a small "home" network created
between (8) PCs and their OS is Win XP Pro.




Postings may contain unverified user-created content and change frequently. The content is provided as-is and
is not warrantied by Cisco.


Sure would appreciate the help!



Thanks!



         leolaohoo 4,800 posts since
Jun 22, 2008 2. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 12, 2009 7:30 PM

Configure bridging.



         wendellm1 2 posts since
Jun 19, 2008 3. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 13, 2009 11:37 AM

Thanks for the response.



Yes, I figured the ADSL lines coming in both modems would need to be bridged to the
Cisco WRVS4400 routers on both sides, I'm just not sure what to do from there. How will
computers from the second building access the file server and join the one network located
in the main building? Is there more of a step-by-step instruction manual I can get for these
routers or the procedure I'm trying to setup between both buildings?



Sure appreciate the feedback!



Thanks!



         leolaohoo 4,800 posts since
Jun 22, 2008 4. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 13, 2009 4:45 PM

I meant configure two Access Points as Bridges.



Wireless Bridges Point-to-Point Link Configuration Example






http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008058f53e.shtml



Access Point as a Workgroup Bridge Configuration Example

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_example09186a00805b9b87.shtml



Hope this helps.



         sangipat 23 posts since
Dec 6, 2008 5. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 17, 2009 8:17 AM

Sales Engineer should be able to help design and point you to the right configuration
documents.



         sangipat 23 posts since
Dec 6, 2008 6. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 16, 2009 3:40 PM

Great to see everyone helping out.



         sangipat 23 posts since
Dec 6, 2008 7. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 16, 2009 3:28 PM

This is certainly one option. Best to design it out with an SE.



         rod.flores83 1 posts since
Sep 14, 2009 8. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 14, 2009 1:36 PM

Hello everyone;

I'm trying to configure a Cisco Aironet 1250N, but I cannot get a rate faster than 54 Mbps,
which is passing. I have a Linksys WMP300N wireless card. Could someone help me?








         leolaohoo 4,800 posts since
Jun 22, 2008 9. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 14, 2009 4:29 PM

Make sure you have Open encryption or WEP enabled.



         sangipat 23 posts since
Dec 6, 2008 10. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 17, 2009 8:15 AM

Best to follow client security recommendations to properly secure the network including
clients.



         sangipat 23 posts since
Dec 6, 2008 11. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 15, 2009 5:24 PM

Hi Rod - so there could be a few things happening. I will try and provide some information, but
if this doesn't help you might want to contact TAC and do further troubleshooting. Assuming
your controller is at 4.2.x or later, make sure that you have configured the radios for bonded
channel configuration. In order for your clients to be able to realize 11n rates, the necessary
WLANs need to be enabled for WMM (either 'allowed' or 'required', depending on your
needs and client support).



Also, you should have AES cryptography on all encrypted links. You have to have
WPA2 AES enabled (with either PSK or back-end AAA) or that WLAN won't work at all for
11n rates. You can go for a mixture (WPA with TKIP or AES and WPA2 with TKIP), just so
long as you have WPA2 with AES enabled.



The easiest way to make sure that your clients are connected at these rates (after you make
sure your WLAN config is set per recommendation) is to check the client records in the WLC
GUI or via WCS.




         sangipat 23 posts since
Dec 6, 2008 12. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 16, 2009 1:22 PM






Hi, thanks for the post. Overall this is more a general deployment topic and you would be
best suited to work with a Sales Engineer and do a design session so that you can design
an optimal network for the applications you are deploying.



         leolaohoo 4,800 posts since
Jun 22, 2008 13. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 12, 2009 7:36 PM

Thanks for the opportunity to open this topic. A significant number of the forum experts
are unhappy as to the implications and solutions to the recently announced vulnerability of
OTAP that was first discovered by Jerome Henry and made public by AirMagnet.



According to some, even when OTAP is disabled (by default) the details of the WLC's IP and
MAC address are still being advertised in the open.



Hope to hear from you soon, Sangita.



         sangipat 23 posts since
Dec 6, 2008 14. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 16, 2009 3:24 PM

Hi, thanks for the message. Yes, the OTAP vulnerability is known and is going to be
completely disabled in a 6.0.x patch. Having said that, there are ways to apply best practices
for your WLAN to help minimize security risk.



Below are good references on understanding OTAP and detecting Rogues.



Useful References for customers:



1. IntelliShield alert

2. Tech Note - "Understanding OTAP"

3. Whitepaper - "Rogue Detection under Unified Wireless Networks"

4. PSIRT HOT Page

5. Safeguard with LSC - Locally Significant Certificates on Wireless LAN Controllers
Configuration Example




         leolaohoo 4,800 posts since
Jun 22, 2008 15. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 17, 2009 1:28 AM

Thanks for this. Do you know when is the 6.0.X patch scheduled for release?



         sangipat 23 posts since
Dec 6, 2008 16. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 17, 2009 8:14 AM

The patch release is coming soon though I do not have a specific release date. Again there
is very little risk if OTAP is not being used and rogue detection and other wireless security
best practices are in place.



         leolaohoo 4,800 posts since
Jun 22, 2008 17. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 17, 2009 5:19 PM

Hi Sangita,



Thanks for your response. My team members and I agree with your response; however,
we must respond to the Paranoid Team (aka IT Security). And they haven't taken their
hourly dose of Prozac. This is why I'm asking for the release date of the 6.0.X, just to calm
them down.



         sangipat 23 posts since
Dec 6, 2008 18. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 18, 2009 9:25 AM

I can understand the paranoia. Our team is currently working on the patch and testing so it
should be coming soon.



         leolaohoo 4,800 posts since
Jun 22, 2008 19. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 18, 2009 5:50 PM

Hi Sangita,



Thanks for the response. +5



         ramlalr1@telkom.co.za 1 posts since
Sep 15, 2009 20. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 15, 2009 12:14 AM

Hi Sangita. Can you please help me or point me in the correct direction. I want to find
out more about Cisco's Virtual Service Provider Model - what it is, how it works, how to
implement it, etc. Please help.



Thank you.



         sangipat 23 posts since
Dec 6, 2008 21. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 16, 2009 7:50 AM

Hello there. So VSP is more an SMB and a Service Provider solution and I am not best
suited to answer your questions as I am in the Enterprise Wireless group. I would suggest
contacting your local Cisco rep. You can find the Cisco offices by visiting the Cisco website at
http://www.cisco.com/web/EA/index.html



         x1petvah62 3 posts since
Jun 4, 2009 22. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 15, 2009 5:18 AM

Hi! I'm trying to find information about LDAPS support for WLC 5.2 and how to configure
LDAPS (Port 636) on WLC/WiSM 5.2. LDAP works just fine, but when I configure LDAPS,
actually just by configuring port number 636, it doesn't work. What more needs to be
configured?

Regards Peter



         sangipat 23 posts since
Dec 6, 2008 23. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 16, 2009 3:20 PM






Hi, thanks for the posting. Your posting seems to be about a very specific scenario and
may not be best resolved on this forum. This should be worked through with the support
organization. (http://www.cisco.com/cisco/web/support/index.html)



         brian.kachel@quintiles.com 61 posts since
Mar 15, 2006 24. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 15, 2009 5:59 AM

Can you clarify the use of validating the certificate for PEAP?

My original understanding was that a certificate was REQUIRED in order to properly
authenticate against an ACS RADIUS server. However, as many iPhone and other
handheld devices have proven, only 802.1x AD credentials are required to get on a WLAN
secured by PEAP.



I believe I understand that windows machines that are validating the certificate are more
securely PEAPing than those that are not by encrypting the original handshake - but is there
a way to enforce the use of a certificate to authenticate with PEAP?




         cjoseph23 32 posts since
Apr 9, 2008 25. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 16, 2009 7:56 AM

I am trying to install a certificate on my WiSM controller (Running 6.0) so that my Guest
clients do not get the certificate error while redirected to the 1.1.1.1 login page.



I added DNS Host Name under the controller -> interfaces ->virtual so that the redirect will
go to a more meaningful name. i.e. wirelessguest.company.com



Added an A record in my DNS server for wirelessguest.company.com to resolve to 1.1.1.1
(not sure if this is needed or not.)



I used the following document to generate the certificate on my CA server and am going to
upload this afternoon.







http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml



Is there anything I am missing? Will this certificate work for my purpose or do I have to
purchase a cert from Verisign or RapidSSL? I am really trying to avoid purchasing a cert, but if
that is the only option then I will.




         brian.kachel@quintiles.com 61 posts since
Mar 15, 2006 26. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 16, 2009 8:01 AM

In order to resolve this error on a guest wlan, you can disable the https management on both
your local and anchor controllers, reboot them - and the certificate warning will no longer
come up.

This is due to the clients not trusting the self signed cert on the WLC when they are
attempting to go to the virtual IP address.




         sangipat 23 posts since
Dec 6, 2008 27. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 17, 2009 8:12 AM

Brian, thanks for providing input. Everyone should always follow the security best practices
and not take any shortcuts unless aware of the risks.



         sangipat 23 posts since
Dec 6, 2008 28. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 16, 2009 1:20 PM

Hi, it seems that more troubleshooting is needed and it would be best for you to work with our
Technical Support folks: http://www.cisco.com/cisco/web/support/index.html. Thanks for your
post.



         Robert.N.Barrett 353 posts since
Jan 1, 2009 29. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 20, 2009 5:49 AM

cjoseph23



If your clients automatically trust the certificate you generated (because they already trust
the CA that issued the certificate), then you should be in business.



If your clients do NOT trust the certificate, then you should either manually install the
certificate (without the private key) on all the clients, or you should generate/install a 3rd
Party certificate for your WLC that comes from a vendor that is already trusted by your
clients (and, if necessary, update the DNS Host Name entry on the virtual interface to match
the CN on the certificate).




         sangipat 23 posts since
Dec 6, 2008 30. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 16, 2009 1:24 PM

Hi, thanks for your message. This is not specific to Cisco, but a couple of sites that may be
useful are:

http://support.microsoft.com/kb/814394



http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/77c991ca-e2b4-4788-86f3-200b29ed8227




         brian.kachel@quintiles.com 61 posts since
Mar 15, 2006 31. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 17, 2009 8:13 AM

Thank you for your reply, but my question is rather specific to a Cisco environment.

I use Cisco controllers, Cisco AP's, Cisco Radius server all interconnected by a Cisco LAN
and managed by Cisco WCS.






The 2 links provided are very vague and do not offer much info around my specific question
about enforcing the use of certificates with PEAP via ACS or other.




         Robert.N.Barrett 353 posts since
Jan 1, 2009 32. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 19, 2009 11:19 AM

Brian,



Whether or not a RADIUS (ACS) server certificate is required is completely up to the
configuration of the wireless clients and has nothing to do with how many Cisco network
products are in the mix.



Most wireless clients/supplicants have an option to enable/disable whether the client checks
the RADIUS server certificate. There is nothing that the RADIUS/ACS server can do to
force the client to check the certificate. Therefore, for many clients, having a certificate
on the RADIUS server is not required and is something that can easily be skipped. It is,
however, a good practice to configure your clients to check for that certificate. It doesn't
really improve the security of your wireless network, but it does help ensure that your clients
are connecting to your SSID and not someone spoofing your SSID.




         sangipat 23 posts since
Dec 6, 2008 33. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 19, 2009 1:28 PM

Brian great explanation.



         sangipat 23 posts since
Dec 6, 2008 34. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 24, 2009 1:34 PM

See responses/suggestions provided by other folks on this forum. If your question is still not
answered you could repost your question in the WCS NetPro forum.








         bghobadi2 28 posts since
Dec 7, 2004 35. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 16, 2009 8:30 AM

Sangita,

I have deployed Unified Wireless Networks to many locations. I see hundreds of Ad-Hoc
access points reported by the controllers.

1. I am not sure of the security risks they pose.

2. I am not sure what their negative impact is on the networks' performance, stability, user
impact, etc.

I would appreciate it if you could direct me to some documents about the topics of my concern.



Thanks

Bo




         sangipat 23 posts since
Dec 6, 2008 36. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 16, 2009 3:16 PM

Bo, thanks for the message. A couple of things to look at based on your posting. WCS
Plus provides the ability to look at the network and provide information as to the risk they
pose. There is also a built-in help that will show details of the various threats. Additionally
there is the wIPS solution that can provide an IDS/IPS solution. More information on WCS
& wIPS can be found at (WCS Modules: http://www.cisco.com/en/US/products/ps6305/tsd_products_support_online_learning_modules_list.html
& http://www.cisco.com/en/US/products/ps9817/index.html)



         bobtodd01 9 posts since
Apr 26, 2005 37. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 16, 2009 3:01 PM

Hi,

We are running WCS 5.1.64.0 and WiSMs running 5.1.63.0. We are having problems with
clients using EAP-TTLS supplicants.

When the clients roam they don't deauth and therefore no stop records are ever sent to the
RADIUS server. They reauth but still have an active session on the RADIUS server. The RADIUS
server rejects authentications because we don't allow multiple concurrent sessions.



Our radius vendor has asked if the Nas (wisms) support radius accounting interim updates
which can sort of be used as keep-alives if no stop records have been sent.



I have searched cisco's web site and accounting interim updates seem to be supported on
some platforms but apparently not on wisms????



Can anybody confirm this?



Thanks

Bob Todd



         sangipat 23 posts since
Dec 6, 2008 38. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 17, 2009 8:10 AM

Hi Bob, thanks for the posting. Generally the official releases are the same for both WLC and
WiSMs. Interim releases sometimes are meant more for specific platforms. I would advise
going to the release specifically for your platform if possible. You could also work with the support
organization. (http://www.cisco.com/cisco/web/support/index.html)



         bobtodd01 9 posts since
Apr 26, 2005 39. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 17, 2009 9:11 AM

Hi Sangipat,

I think you missed or I mis-described the problem.






I was asking if the Cisco wcs/wisms supported "radius accounting interim updates".



For example a search on Cisco shows that autonomous APs support this...

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftupdte.html



         Robert.N.Barrett 353 posts since
Jan 1, 2009 40. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 19, 2009 2:46 PM

Bob,



I did some quick poking around about the interim updates. The updates don't look to be a
standard part of a normal RADIUS authentication, but rather something that gets requested
during the initial authentication process. If I understand the process -- when your RADIUS
server authenticates someone, the access-accept packet coming from the RADIUS server
will include attributes that specify interim updates, and how often those updates should be
made. This appears to be done via RADIUS attributes 27 & 29. While I don't see anything
(at all!) listed in the WLC 5.1 manual, these attributes are specifically listed in the WLC 5.2
manual. I'd say you probably want to enable the feature on your RADIUS server and then
see if the status messages show up in the logs.



Table 5-3 Authentication Attributes Honored in Access-Accept Packets (Standard)

Attribute ID   Description
6              Service-Type
8              Framed-IP-Address
25             Class
26             Vendor-Specific
27             Timeout
29             Termination-Action
40             Acct-Status-Type
64             Tunnel-Type
79             EAP-Message
81             Tunnel-Group-ID



Robert



         bobtodd01 9 posts since
Apr 26, 2005 41. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 21, 2009 7:35 AM

Hi Robert,

You are correct. Our radius server does request them and they are working. We finally
verified. I just couldn't find anything in the wism or wcs documentation.



Looks like the account status type has

VALUE           Acct-Status-Type           Interim-Update           3



Thanks

Bob
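The exchange above describes a RADIUS server that rejects a roaming client because the NAS never sends an Accounting-Stop, and the idea of using Interim-Update records as keep-alives. The following is an added example (not code from this thread, from Cisco or from any RADIUS product) of how a server-side session table can use those updates to expire dead sessions and can tell a roam (same client MAC, carried in Calling-Station-Id) from a genuine second device; the record layout and all sample records are constructed.

```python
"""Stale-session handling for a RADIUS server that forbids concurrent logins.

Added example (not code from this thread, from Cisco or from any RADIUS
product). It models the problem Bob describes: a roaming client
re-authenticates without the NAS ever sending an Accounting-Stop, so a naive
"one session per user" check rejects the new login. Two mitigations are
shown: Interim-Update records act as keep-alives so a session that stops
receiving them is treated as stale, and a re-authentication from the same
client MAC (Calling-Station-Id) is treated as a roam rather than as a second
concurrent device. Acct-Status-Type values are the standard RFC 2866 ones
(Start=1, Stop=2, Interim-Update=3); every record below is constructed.
"""
from dataclasses import dataclass

ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3


@dataclass
class Session:
    session_id: str
    calling_station: str   # client MAC as reported by the NAS
    last_seen: float       # time of the last Start or Interim-Update


class SessionTable:
    def __init__(self, interim_interval, missed_updates_allowed=2):
        # The NAS was asked to send an Interim-Update every interim_interval
        # seconds; after this many missed updates the session is stale.
        self.stale_after = interim_interval * missed_updates_allowed
        self.sessions = {}   # User-Name -> Session

    def _is_stale(self, session, now):
        return now - session.last_seen > self.stale_after

    def authorize(self, user, calling_station, now):
        """Decide an Access-Request. Returns (accepted, reason)."""
        cur = self.sessions.get(user)
        if cur is None:
            return True, "no active session"
        if cur.calling_station == calling_station:
            # Same device re-authenticating: a roam, not a second login.
            return True, "roam/re-auth from the same client"
        if self._is_stale(cur, now):
            # No Interim-Update for too long: the old session is dead.
            del self.sessions[user]
            return True, "previous session stale (no Interim-Update)"
        return False, "concurrent session from another client"

    def account(self, rec, now):
        """Apply one accounting record given as an attribute -> value dict."""
        user, status = rec["User-Name"], rec["Acct-Status-Type"]
        cur = self.sessions.get(user)
        if status == ACCT_START:
            self.sessions[user] = Session(
                rec["Acct-Session-Id"], rec["Calling-Station-Id"], now)
        elif status == ACCT_INTERIM_UPDATE:
            if cur and cur.session_id == rec["Acct-Session-Id"]:
                cur.last_seen = now           # keep-alive
        elif status == ACCT_STOP:
            if cur and cur.session_id == rec["Acct-Session-Id"]:
                del self.sessions[user]


def _record(status, session_id="s1", mac="00-11-22-33-44-55"):
    # Constructed accounting record for user "bob".
    return {"User-Name": "bob", "Acct-Session-Id": session_id,
            "Acct-Status-Type": status, "Calling-Station-Id": mac}


def run_scenarios():
    """Replays constructed records; returns each authorize() outcome."""
    table = SessionTable(interim_interval=300)
    table.account(_record(ACCT_START), now=0)
    for t in (300, 600):                      # keep-alives every 300 s
        table.account(_record(ACCT_INTERIM_UPDATE), now=t)
    results = {}
    # Laptop roams at t=700 and re-authenticates; the NAS sent no Stop.
    results["roam_same_mac"] = table.authorize(
        "bob", "00-11-22-33-44-55", now=700)
    # A second device uses the same credentials while s1 is still fresh.
    results["second_device_fresh"] = table.authorize(
        "bob", "aa-bb-cc-dd-ee-ff", now=700)
    # The laptop disappears after t=600 (no Stop, no more updates); the
    # second device tries again once two update intervals have passed.
    results["second_device_after_stale"] = table.authorize(
        "bob", "aa-bb-cc-dd-ee-ff", now=1300)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:26} {'ACCEPT' if ok else 'REJECT'}  ({why})")
```

Without Interim-Update records the last_seen time never advances past the Start, so the third scenario would be rejected forever; that is the gap the keep-alives close.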




         Robert.N.Barrett 353 posts since
Jan 1, 2009 42. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 19, 2009 2:25 PM

Bob,






I am not familiar with radius accounting interim updates, but you should not experience any
roaming issues like what you describe if all of your WiSMs are in the same mobility group
(assuming the SSID is the same).



Robert



         bobtodd01 9 posts since
Apr 26, 2005 43. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 21, 2009 7:21 AM

Hi Robert,

All of our WiSMs are in the same mobility group. We have open cases with Cisco. The
problem is somewhat related to EAP-TTLS and a fix is coming in 7.0.



As we understand it... the problem is our RADIUS server has an active connection. Roaming
occurs and the local client re-auths. The RADIUS server fails the authentication because
there is already an active connection. If the client sends a de-auth everything works.
Apparently client activity when roaming occurs is not defined in the 802.11 spec.



I think the mobility handoff works for other protocols, but the controller does not cache
credentials for EAP-TTLS to allow "everything" to work properly.



         charles.cabanlit 2 posts since
Sep 16, 2009 44. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 16, 2009 8:55 PM

Hi,

Setting up a Unified Wireless Network using a WLC and a Cisco AP 1250; the logs are
showing the following error:

"Tue Aug 11 16:25:43 2009 Impersonation of AP with Base Radio MAC 00:18:74:c5:87:b1
using source address of 00:20:e0:cc:f1:56 has been detected by the AP with MAC Address:
00:18:74:c5:87:b0 on its 802.11b/g radio whose slot ID is 0"






We found a known bug for the WLC:

Bug CSCsz56454 -> Controller logs are sometimes flooded with messages about access
points impersonating legitimate access points.



The problem is that the MAC address mentioned in the logs is a client and not an AP, but
somehow the AP is seeing the client as an AP and reporting the error above.



Do you have any input on why this is so?



Thank you

Regards,

Charles
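Charles' post quotes the exact text of the controller's impersonation message and notes that the reported source address is a known client rather than an AP. As an added example (not code from this thread or from Cisco), the script below parses messages in that format, collapses repeated floods of the same event, and separates "source is one of our associated clients" (the pattern described above) from "source is a MAC nobody claims", which is the case that merits investigation; the client inventory and the extra log lines are constructed.

```python
"""Triage for WLC "Impersonation of AP" log messages.

Added example, not code from this thread or from Cisco. It parses messages in
the format quoted above and then sorts each one by whether the reported source
address is a MAC the controller already knows as an associated client (the
pattern Charles describes, matching bug CSCsz56454 on this page) or an address
nobody can account for, which is the one worth investigating. It also collapses
floods of the same message into one line with a count. The client inventory and
the extra log lines are constructed for the example.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"Impersonation of AP with Base Radio MAC (?P<target>[0-9a-f:]{17}) "
    r"using source address of (?P<source>[0-9a-f:]{17}) "
    r"has been detected by the AP with MAC Address: (?P<detector>[0-9a-f:]{17}) "
    r"on its (?P<radio>\S+) radio whose slot ID is (?P<slot>\d+)",
    re.IGNORECASE,
)


def parse_line(line):
    """Return the message fields as a dict, or None for any other message."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    for key in ("target", "source", "detector"):
        event[key] = event[key].lower()       # normalise MAC case
    event["slot"] = int(event["slot"])
    return event


def classify(event, known_clients):
    """Label an event: 'client_misreported' or 'unknown_source'."""
    if event["source"] in known_clients:
        return "client_misreported"   # an associated client, not a rogue AP
    return "unknown_source"           # nobody claims this MAC: investigate


def triage(lines, known_clients):
    """Group impersonation messages by (target, source) and label them."""
    counts = Counter()
    labels = {}
    unparsed = 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed += 1                 # some other controller message
            continue
        key = (event["target"], event["source"])
        counts[key] += 1
        labels[key] = classify(event, known_clients)
    report = [{"target": t, "source": s, "count": n, "label": labels[(t, s)]}
              for (t, s), n in counts.most_common()]
    return {"events": report, "unparsed": unparsed}


# The first line is the message quoted in the thread; the rest are constructed:
# a repeat of the same event, one with a source MAC no inventory knows, and an
# unrelated message that the parser must skip.
SAMPLE_LOG = [
    "Tue Aug 11 16:25:43 2009 Impersonation of AP with Base Radio MAC 00:18:74:c5:87:b1 "
    "using source address of 00:20:e0:cc:f1:56 has been detected by the AP with MAC Address: "
    "00:18:74:c5:87:b0 on its 802.11b/g radio whose slot ID is 0",
    "Tue Aug 11 16:25:47 2009 Impersonation of AP with Base Radio MAC 00:18:74:c5:87:b1 "
    "using source address of 00:20:e0:cc:f1:56 has been detected by the AP with MAC Address: "
    "00:18:74:c5:87:b0 on its 802.11b/g radio whose slot ID is 0",
    "Tue Aug 11 16:26:02 2009 Impersonation of AP with Base Radio MAC 00:18:74:c5:87:b1 "
    "using source address of 02:00:00:00:00:01 has been detected by the AP with MAC Address: "
    "00:18:74:c5:87:b0 on its 802.11b/g radio whose slot ID is 0",
    "Tue Aug 11 16:26:05 2009 Some other controller message",
]
# Constructed inventory: the thread says 00:20:e0:cc:f1:56 is an associated client.
KNOWN_CLIENTS = {"00:20:e0:cc:f1:56"}

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, KNOWN_CLIENTS)
    for e in summary["events"]:
        print(f'{e["label"]:20} x{e["count"]}  target={e["target"]} source={e["source"]}')
    print("unparsed lines:", summary["unparsed"])
```

In practice the client inventory comes from the controller's own client table, so a source that appears there while the message calls it an AP is the misreport case; anything else is what rogue detection exists to catch.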



         sangipat 23 posts since
Dec 6, 2008 45. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 17, 2009 8:05 AM

Hi Charles, thanks for the posting. Your posting seems to be about a very specific scenario
and may be best resolved by working through it with the support organization.
(http://www.cisco.com/cisco/web/support/index.html)



         charles.cabanlit 2 posts since
Sep 16, 2009 46. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 23, 2009 7:13 PM

Hi sangipat,

I went to the link provided but there is a lot of information on the site - would you be able to
point me to where I could post this question?



Thank you.

Regards,





Charles



         MATS KARLSSON 5 posts since
Mar 3, 2003 47. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 18, 2009 6:53 AM

Is it possible, in a wireless Guest WLAN configuration, to let the account for the Lobbyadmin
be authorized locally in the WLC (ver. 5.2.157.0) and to let other management users be
authorized on an external RADIUS server?



In other words, can I separate these two types of management users so they have different
authentication servers?




         sangipat 23 posts since
Dec 6, 2008 48. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 18, 2009 9:24 AM

Hi, thanks for the posting. Guest access and security is very important. There is flexibility
depending on the components you have and how your network is designed. Two very useful
documents that cover specifically the Guest WLAN are
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob30dg/emob30dg-Book.html and
http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/GuestAcc.pdf



          Lucien Avramov 1,414 posts since
Feb 7, 2008 49. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 20, 2009 10:12 AM

Yes this is possible:



Go to Administration -> AAA -> AAA mode, check the enable fallback checkbox and choose the
second option: auth failure or no server response.



         MATS KARLSSON 5 posts since
Mar 3, 2003 50. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 20, 2009 10:34 AM

Thanks, I see that now . . BUT it is on the WCS. Is it also possible to do the same on the
WLC? (I would love to have that option in the WLC.)

As I use my WCS for many customer networks and the system itself is not directly
accessible from the customer network, I would prefer to let each customer lobbyadmin access
their own WLC with a local account and our operators (as we sell this as a service) use
RADIUS accounts.



         sangipat 23 posts since
Dec 6, 2008 51. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 24, 2009 1:52 PM

Typically anything that can be done in WCS from a command perspective to the WLC can
be done either via CLI or through the WLC UI, but that will only apply to one specific WLC and
you will have to repeat it across all the WLCs.



         sangipat 23 posts since
Dec 6, 2008 52. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 24, 2009 1:49 PM

Great point.



         godwin1977 3 posts since
Sep 23, 2009 53. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 23, 2009 12:41 PM

I want to configure wireless connectivity in such a way that when users log on with their own
credentials they have Microsoft Outlook, shared network drives and the other domain policies
assigned. The user can access resources as if the user were using a workstation on the local
LAN. The goal of the design is to achieve the same via wireless connectivity.



I am having difficulty with my design because via the wireless connection the user cannot log in
using their credentials, because the wireless connectivity cannot bind with the domain server;
therefore the user's profile cannot be created via wireless unless the user first logs in via
wired and then logs in via wireless. I have even used the CSSC utility in my implementation and
still no success.

Any suggestions will be appreciated



         Robert.N.Barrett 353 posts since
Jan 1, 2009 54. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 23, 2009 7:38 PM







Switch to machine authentication so that the computer is connected to the wireless network
(and the domain) before the user logs on.



http://support.microsoft.com/kb/929847




         insccisco 361 posts since
Mar 18, 2006 55. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 23, 2009 10:59 PM

Hi,



I have 4 Aironet devices, Cisco AIR-AP1131AG-A-K9. One of them is actually a Cisco AIR-AP1131G-A-K9.



2 are acting as APs and 2 as repeaters (they're not physically wired to the network). The 2
APs are connected to a 871 router.



All is fine however wireless laptops, especially the mac-pro laptops, can't receive an IP
address from the repeaters. When they connect via the APs, they do get an IP address and
all is well.



Why are the 2 repeaters not properly passing dhcp requests to the router when the wireless
laptops connect to these repeaters?



I already tried the ip helper-address but that didn't help.






Is the problem the fact that one of the units (in particular, one of the repeaters) is a cisco
AIR-AP1131G-A-K9 and not a cisco AIR-AP1131AG-A-K9????




thank you



         sangipat 23 posts since
Dec 6, 2008 56. Re: ASK THE EXPERT - WIRELESS SECURITY Sep 24, 2009 1:56 PM

Thank you for your question. This conversation is more suited to initial setup. Can you
please repost your question in that NetPro forum?



