Configuring RADIUS: Layer 3 Solutions

Chapter 6
Configuring Security Solutions Configuring RADIUS
Layer 3 Solutions
The WEP problem can be further solved using industry-standard Layer 3 security solutions such as passthrough VPNs (virtual private networks). The Cisco UWN solution supports local and RADIUS MAC (media access control) filtering. This filtering is best suited to smaller client groups with a known list of 802.11 access card MAC addresses. The Cisco UWN solution supports local and RADIUS user/password authentication. This authentication is best suited to small to medium client groups.
Integrated Security Solutions

The integrated security solutions are as follows:
Cisco UWN solution operating system security is built around a 802.1X AAA (authorization, authentication and accounting) engine, which allows users to rapidly configure and enforce a variety of security policies across the Cisco UWN solution. The controllers and lightweight access points are equipped with system-wide authentication and authorization protocols across all ports and interfaces, maximizing system security. Operating system security policies are assigned to individual WLANs, and lightweight access points simultaneously broadcast all (up to 16) configured WLANs, which can eliminate the need for additional access points, which can increase interference and degrade system throughput. Operating system security uses the RRM function to continually monitor the air space for interference and security breaches and to notify the user when they are detected. Operating system security works with industry-standard authorization, authentication, and accounting (AAA) servers.
Configuring RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides centralized security for users attempting to gain management access to a network. It serves as a backend database similar to local and TACACS+ and provides authentication and accounting services:
AuthenticationThe process of verifying users when they attempt to log into the controller. Users must enter a valid username and password in order for the controller to authenticate users to the RADIUS server.
Note
When multiple databases are configured, you can use the controller GUI or CLI to specify the sequence in which the backend databases should be tried.
AccountingThe process of recording user actions and changes. Whenever a user successfully executes an action, the RADIUS accounting server logs the changed attributes, the user ID of the person who made the change, the remote host where the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided. If the RADIUS accounting server becomes unreachable, users are able to continue their sessions uninterrupted.
Cisco Wireless LAN Controller Configuration Guide OL-21524-01
6-3
Chapter 6 Configuring RADIUS
Configuring Security Solutions
RADIUS uses User Datagram Protocol (UDP) for its transport. It maintains a database and listens on UDP port 1812 for incoming authentication requests and UDP port 1813 for incoming accounting requests. The controller, which requires access control, acts as the client and requests AAA services from the server. The traffic between the controller and the server is encrypted by an algorithm defined in the protocol and a shared secret key configured on both devices. You can configure up to 17 RADIUS authentication and accounting servers each. For example, you may want to have one central RADIUS authentication server but several RADIUS accounting servers in different regions. If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one, then the third one if necessary, and so on.
Note
If multiple RADIUS servers are configured for redundancy, the user database must be identical in all the servers for the backup to work properly. The primary RADIUS server (the server with the lowest server index) is assumed to be the most preferable server for the controller. If the primary server becomes unresponsive, the controller switches to the next active backup server (the server with the next lowest server index). The controller continues to use this backup server forever, unless you configure the controller to fall back to the primary RADIUS server when it recovers and becomes responsive or to a more preferable server from the available backup servers. You must configure RADIUS on both your CiscoSecure Access Control Server (ACS) and your controller. You can configure the controller through either the GUI or the CLI.
Configuring RADIUS on the ACS

To configure RADIUS on the ACS, follow these steps:
Note
RADIUS is supported on CiscoSecure ACS version 3.2 and later releases. The figures and instructions in this section pertain to ACS version 4.1 and may vary for other versions. See the CiscoSecure ACS documentation for the version that you are running. Choose Network Configuration on the ACS main page. Choose Add Entry under AAA Clients to add your controller to the server. The Add AAA Client page appears (see Figure 6-1).
Step 1 Step 2
Cisco Wireless LAN Controller Configuration Guide
6-4
OL-21524-01
Chapter 6
Figure 6-1
Add AAA Client Page on CiscoSecure ACS
Step 3 Step 4 Step 5
In the AAA Client Hostname text box, enter the name of your controller. In the AAA Client IP Address text box, enter the IP address of your controller. In the Shared Secret text box, enter the shared secret key to be used for authentication between the server and the controller.
Note Step 6 Step 7 Step 8 Step 9 Step 10 Step 11 Step 12 Step 13 Step 14 Step 15
The shared secret key must be the same on both the server and the controller.
From the Authenticate Using drop-down list, choose RADIUS (Cisco Aironet). Click Submit + Apply to save your changes. Choose Interface Configuration on the ACS main page. Choose RADIUS (Cisco Aironet). The RADIUS (Cisco Aironet) page appears. Under User Group, select the Cisco-Aironet-Session-Timeout check box. Click Submit to save your changes. On the ACS main page, from the left navigation pane, choose System Configuration. Choose Logging. When the Logging Configuration page appears, enable all of the events that you want to be logged and save your changes. On the ACS main page, from the left navigation pane, choose Group Setup.
6-5
Step 16
Choose a previously created group from the Group drop-down list.
Note
This step assumes that you have already assigned users to groups on the ACS according to the roles to which they will be assigned.
Click Edit Settings. The Group Setup page appears. Under Cisco Aironet Attributes, select the Cisco-Aironet-Session-Timeout check box and enter a session timeout value in the edit box. Specify read-only or read-write access to controllers through RADIUS authentication, by setting the Service-Type attribute (006) to Callback NAS Prompt for read-only access or to Administrative for read-write privileges. If you do not set this attribute, the authentication process completes successfully (without an authorization error on the controller), but you might be prompted to authenticate again.
Note
If you set the Service-Type attribute on the ACS, make sure to select the Management check box on the RADIUS Authentication Servers page of the controller GUI. See Step 17 in the next section for more information.
Note
The RADIUS Authentication Attributes Sent by the Access Point section on page 6-16 lists the RADIUS attributes that are sent by a lightweight access point to a client in access-request and access-accept packets.
Step 20
Click Submit to save your changes.
Using the GUI to Configure RADIUS

To configure RADIUS using the controller GUI, follow these steps:
Step 1 Step 2
Choose Security > AAA > RADIUS. Perform one of the following:

If you want to configure a RADIUS server for authentication, choose Authentication. If you want to configure a RADIUS server for accounting, choose Accounting.
Note
The pages used to configure authentication and accounting contain mostly the same text boxes. Therefore, these instructions walk through the configuration only once, using the Authentication pages as examples. You would follow the same steps to configure multiple services and/or multiple servers.
The RADIUS Authentication (or Accounting) Servers page appears (see Figure 6-2).
6-6
OL-21524-01
Chapter 6
Figure 6-2
RADIUS Authentication Servers Page
This page lists any RADIUS servers that have already been configured.
Step 3
If you want to delete an existing server, hover your cursor over the blue drop-down arrow for that server and choose Remove. If you want to make sure that the controller can reach a particular server, hover your cursor over the blue drop-down arrow for that server and choose Ping.
From the Call Station ID Type drop-down list, choose IP Address, System MAC Address, or AP MAC Address to specify whether the IP address, system MAC address, or AP MAC address of the originator will be sent to the RADIUS server in the Access-Request message. Enable RADIUS-to-controller key transport using AES key wrap protection by selecting the Use AES Key Wrap check box. The default value is unselected. This feature is required for FIPS customers. Click Apply to commit your changes. Perform one of the following:

To edit an existing RADIUS server, click the server index number for that server. The RADIUS Authentication (or Accounting) Servers > Edit page appears. To add a RADIUS server, click New. The RADIUS Authentication (or Accounting) Servers > New page appears (see Figure 6-3).
6-7
Figure 6-3
RADIUS Authentication Servers > New Page
Step 7
If you are adding a new server, choose a number from the Server Index (Priority) drop-down list to specify the priority order of this server in relation to any other configured RADIUS servers providing the same service. You can configure up to 17 servers. If the controller cannot reach the first server, it tries the second one in the list, then the third one if necessary, and so on. If you are adding a new server, enter the IP address of the RADIUS server in the Server IP Address text box. From the Shared Secret Format drop-down list, choose ASCII or Hex to specify the format of the shared secret key to be used between the controller and the RADIUS server. The default value is ASCII. In the Shared Secret and Confirm Shared Secret text boxes, enter the shared secret key to be used for authentication between the controller and the server.
Note Step 11
The shared secret key must be the same on both the server and the controller.
If you are configuring a new RADIUS authentication server and want to enable AES key wrap, which makes the shared secret between the controller and the RADIUS server more secure, follow these steps:
Note
AES key wrap is designed for Federal Information Processing Standards (FIPS) customers and requires a key-wrap compliant RADIUS authentication server.
a. b. c. d.
Select the Key Wrap check box. From the Key Wrap Format drop-down list, choose ASCII or HEX to specify the format of the AES key wrap keys: Key Encryption Key (KEK) and Message Authentication Code Key (MACK). In the Key Encryption Key (KEK) text box, enter the 16-byte KEK. In the Message Authentication Code Key (MACK) text box, enter the 20-byte KEK.
6-8
OL-21524-01
Chapter 6
Step 12
If you are adding a new server, enter the RADIUS servers UDP port number for the interface protocols in the Port Number text box. The valid range is 1 to 65535, and the default value is 1812 for authentication and 1813 for accounting. From the Server Status text box, choose Enabled to enable this RADIUS server or choose Disabled to disable it. The default value is Enabled. If you are configuring a new RADIUS authentication server, choose Enabled from the Support for RFC 3576 drop-down list to enable RFC 3576, which is an extension to the RADIUS protocol that allows dynamic changes to a user session, or choose Disabled to disable this feature. The default value is Enabled. RFC 3576 includes support for disconnecting users and changing authorizations applicable to a user session and supports disconnect and change-of-authorization (CoA) messages. Disconnect messages cause a user session to be terminated immediately where CoA messages modify session authorization attributes such as data filters. In the Server Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.
Step 13 Step 14
Step 15
Note
We recommend that you increase the timeout value if you experience repeated reauthentication attempts or the controller falls back to the backup server when the primary server is active and reachable.
Step 16
Select the Network User check box to enable network user authentication (or accounting), or unselect it to disable this feature. The default value is selected. If you enable this feature, this entry is considered the RADIUS authentication (or accounting) server for network users. If you did not configure a RADIUS server entry on the WLAN, you must enable this option for network users. If you are configuring a RADIUS authentication server, select the Management check box to enable management authentication, or unselect it to disable this feature. The default value is selected. If you enable this feature, this entry is considered the RADIUS authentication server for management users, and authentication requests go to the RADIUS server. Select the IPSec check box to enable the IP security mechanism, or unselect it to disable this feature. The default value is unselected.
Step 17
Step 18
Note Step 19
The IPsec option appears only if a crypto card is installed in the controller.
If you enabled IPsec in Step 18, follow these steps to configure additional IPsec parameters:
a.
From the IPSec drop-down list, choose one of the following options as the authentication protocol to be used for IP security: HMAC MD5 or HMAC SHA1. The default value is HMAC SHA1. A message authentication code (MAC) is used between two parties that share a secret key to validate information transmitted between them. HMAC (Hash MAC) is based on cryptographic hash functions. It can be used in combination with any iterated cryptographic hash function. HMAC MD5 and HMAC SHA1 are two constructs of the HMAC using the MD5 hash function and the SHA1 hash function. HMAC also uses a secret key for calculation and verification of the message authentication values.
b.
From the IPSec Encryption drop-down list, choose one of the following options to specify the IP security encryption mechanism:

DESData Encryption Standard that is a method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data. 3DESData Encryption Standard that applies three keys in succession. This is the default value.
6-9
AES CBSAdvanced Encryption Standard that uses keys with a length of 128, 192, or 256 bits to encrypt data blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses a 128-bit data path in Cipher Clock Chaining (CBC) mode.
c.
From the IKE Phase 1 drop-down list, choose one of the following options to specify the Internet Key Exchange (IKE) protocol: Aggressive or Main. The default value is Aggressive. IKE Phase 1 is used to negotiate how IKE should be protected. Aggressive mode passes more information in fewer packets with the benefit of slightly faster connection establishment at the cost of transmitting the identities of the security gateways in the clear.
d. e.
In the Lifetime text box, enter a value (in seconds) to specify the timeout interval for the session. The valid range is 1800 to 57600 seconds, and the default value is 1800 seconds. From the IKE Diffie Hellman Group drop-down list, choose one of the following options to specify the IKE Diffie Hellman group: Group 1 (768 bits), Group 2 (1024 bits), or Group 5 (1536 bits). The default value is Group 1 (768 bits). Diffie-Hellman techniques are used by two devices to generate a symmetric key through which they can publicly exchange values and generate the same symmetric key. Although all three groups provide security from conventional attacks, Group 5 is considered more secure because of its larger key size. However, computations involving Group 1 and Group 2 based keys might occur slightly faster because of their smaller prime number size.
Step 20 Step 21 Step 22 Step 23
Click Apply to commit your changes. Click Save Configuration to save your changes. Repeat the previous steps if you want to configure any additional services on the same server or any additional RADIUS servers. Specify the RADIUS server fallback behavior, as follows:
a.
Choose Security > AAA > RADIUS > Fallback to open the RADIUS > Fallback Parameters page (see Figure 6-4).
RADIUS > Fallback Parameters Page
Figure 6-4
b.
From the Fallback Mode drop-down list, choose one of the following options:

OffDisables RADIUS server fallback. This is the default value. PassiveCauses the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent. ActiveCauses the controller to revert to a server with a lower priority from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller ignores all inactive servers for all
6-10
OL-21524-01
Chapter 6
active RADIUS requests. Once the primary server receives a response from the recovered ACS server, the active fallback RADIUS server no longer sends probe messages to the server requesting the active probe authentication.
c.
If you enabled Active fallback mode in Step b, enter the name to be sent in the inactive server probes in the Username text box. You can enter up to 16 alphanumeric characters. The default value is cisco-probe. If you enabled Active fallback mode in Step b, enter the probe interval value (in seconds) in the Interval in Sec text box. The interval serves as inactive time in passive mode and probe interval in active mode. The valid range is 180 to 3600 seconds, and the default value is 300 seconds.
d.
Step 24
Specify the order of authentication when multiple databases are configured by choosing Security > Priority Order > Management User. The Priority Order > Management User page appears (see Figure 6-5).
Figure 6-5 Priority Order > Management User Page
Step 25
In the Order Used for Authentication text box, specify which servers have priority when the controller attempts to authenticate management users. Use the > and < buttons to move servers between the Not Used and Order Used for Authentication text boxes. After the desired servers appear in the Order Used for Authentication text box, use the Up and Down buttons to move the priority server to the top of the list. By default, the local database is always queried first. If the username is not found, the controller switches to the RADIUS server if configured for RADIUS or to the TACACS+ server if configured for TACACS+. The default setting is local and then RADIUS.
Step 26 Step 27
Click Apply to commit your changes. Click Save Configuration to save your changes.
Using the CLI to Configure RADIUS

To configure RADIUS using the controller CLI, follow these steps:
Note
See the Using the GUI to Configure RADIUS section on page 6-6 for the valid ranges and default values of the parameters used in the CLI commands.
6-11
Step 1
Specify whether the IP address, system MAC address, or AP MAC address of the originator will be sent to the RADIUS server in the Access-Request message by entering this command: config radius callStationIdType {ip_address, mac_address, ap_mac_address, ap_macaddr_ssid} Specify the delimiter to be used in the MAC addresses that are sent to the RADIUS authentication or accounting server in Access-Request messages by entering this command: config radius {auth | acct} mac-delimiter {colon | hyphen | single-hyphen | none} where

Step 2
colon sets the delimiter to a colon (the format is xx:xx:xx:xx:xx:xx). hyphen sets the delimiter to a hyphen (the format is xx-xx-xx-xx-xx-xx). This is the default value. single-hyphen sets the delimiter to a single hyphen (the format is xxxxxx-xxxxxx). none disables delimiters (the format is xxxxxxxxxxxx). config radius auth add index server_ip_address port# {ascii | hex} shared_secretAdds a RADIUS authentication server. config radius auth keywrap {enable | disable}Enables AES key wrap, which makes the shared secret between the controller and the RADIUS server more secure. AES key wrap is designed for Federal Information Processing Standards (FIPS) customers and requires a key-wrap compliant RADIUS authentication server. config radius auth keywrap add {ascii | hex} kek mack indexConfigures the AES key wrap attributes where
kek specifies the 16-byte Key Encryption Key (KEK). mack specifies the 20-byte Message Authentication Code Key (MACK). index specifies the index of the RADIUS authentication server on which to configure the AES
Step 3
Configure a RADIUS authentication server by entering these commands:

key wrap.
config radius auth rfc3576 {enable | disable} indexEnables or disables RFC 3576, which is an extension to the RADIUS protocol that allows dynamic changes to a user session. RFC 3576 includes support for disconnecting users and changing authorizations applicable to a user session and supports disconnect and change-of-authorization (CoA) messages. Disconnect messages cause a user session to be terminated immediately where CoA messages modify session authorization attributes such as data filters. config radius auth retransmit-timeout index timeoutConfigures the retransmission timeout value for a RADIUS authentication server. config radius auth network index {enable | disable}Enables or disables network user authentication. If you enable this feature, this entry is considered the RADIUS authentication server for network users. If you did not configure a RADIUS server entry on the WLAN, you must enable this option for network users. config radius auth management index {enable | disable}Enables or disables management authentication. If you enable this feature, this entry is considered the RADIUS authentication server for management users, and authentication requests go to the RADIUS server. config radius auth ipsec {enable | disable} indexEnables or disables the IP security mechanism. config radius auth ipsec authentication {hmac-md5 | hmac-sha1} indexConfigures the authentication protocol to be used for IP security.
6-12
OL-21524-01
Chapter 6
Step 4
config radius auth ipsec encryption {3des | aes | des | none} indexConfigures the IP security encryption mechanism. config radius auth ipsec ike dh-group {group-1 | group-2 | group-5} indexConfigures the IKE Diffie Hellman group. config radius auth ipsec ike lifetime interval indexConfigures the timeout interval for the session. config radius auth ipsec ike phase1{aggressive | main} indexConfigures the Internet Key Exchange (IKE) protocol. config radius auth {enable | disable} indexEnables or disables a RADIUS authentication server. config radius auth delete indexDeletes a previously added RADIUS authentication server. config radius acct add index server_ip_address port# {ascii | hex} shared_secretAdds a RADIUS accounting server. config radius acct server-timeout index timeoutConfigures the retransmission timeout value for a RADIUS accounting server. config radius acct network index {enable | disable}Enables or disables network user accounting. If you enable this feature, this entry is considered the RADIUS accounting server for network users. If you did not configure a RADIUS server entry on the WLAN, you must enable this option for network users. config radius acct ipsec {enable | disable} indexEnables or disables the IP security mechanism. config radius acct ipsec authentication {hmac-md5 | hmac-sha1} indexConfigures the authentication protocol to be used for IP security. config radius acct ipsec encryption {3des | aes | des | none} indexConfigures the IP security encryption mechanism. config radius acct ipsec ike dh-group {group-1 | group-2 | group-5} indexConfigures the IKE Diffie Hellman group. config radius acct ipsec ike lifetime interval indexConfigures the timeout interval for the session. config radius acct ipsec ike phase1{aggressive | main} indexConfigures the Internet Key Exchange (IKE) protocol. config radius acct {enable | disable} indexEnables or disables a RADIUS accounting server. config radius acct delete indexDeletes a previously added RADIUS accounting server.
Configure a RADIUS accounting server by entering these commands:

Step 5
Configure the RADIUS server fallback behavior by entering this command: config radius fallback-test mode {off | passive | active} where

off disables RADIUS server fallback. passive causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller simply ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent. active causes the controller to revert to a server with a lower priority from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller simply ignores all inactive servers for all active
6-13
RADIUS requests. Once the primary server receives a response from the recovered ACS server, the active fallback RADIUS server no longer sends probe messages to the server requesting the active probe authentication.
Step 6
If you enabled Active mode in Step 5, enter these commands to configure additional fallback parameters:

config radius fallback-test username usernameSpecifies the name to be sent in the inactive server probes. You can enter up to 16 alphanumeric characters for the username parameter. config radius fallback-test interval intervalSpecifies the probe interval value (in seconds).
Step 7
Save your changes by entering this command: save config Configure the order of authentication when multiple databases are configured by entering this command: config aaa auth mgmt AAA_server_type AAA_server_type where AAA_server_type is local, radius, or tacacs. To see the current management authentication server order, enter this command: show aaa auth Information similar to the following appears:
Management authentication server order: 1......................................... local 2...................................... radius
Step 8
Step 9
See RADIUS statistics by entering these commands:

show radius summaryShows a summary of RADIUS servers and statistics. show radius auth statisticsShows the RADIUS authentication server statistics. show radius acct statisticsShows the RADIUS accounting server statistics. show radius rfc3576 statisticsShows a summary of the RADIUS RFC-3576 server.
Information similar to the following appears for the show radius auth statistics command:
Authentication Servers: Server Index..................................... Server Address................................... Msg Round Trip Time.............................. First Requests................................... Retry Requests................................... Accept Responses................................. Reject Responses................................. Challenge Responses.............................. Malformed Msgs................................... Bad Authenticator Msgs........................... Pending Requests................................. Timeout Requests................................. Unknowntype Msgs................................. Other Drops................................... 0 1 10.91.104.76 0 (msec) 1 0 0 0 0 0 0 0 0 0
Information similar to the following appears for the show radius acct statistics command:
Accounting Servers: Server Index..................................... Server Address................................... Msg Round Trip Time.............................. First Requests................................... Retry Requests................................... 1 10.10.10.1 0 (msec) 1 0
6-14
OL-21524-01
Chapter 6
Accounting Responses............................. Malformed Msgs................................... Bad Authenticator Msgs........................... Pending Requests................................. Timeout Requests................................. Unknowntype Msgs................................. Other Drops......................................
0 0 0 0 0 0 0
Information similar to the following appears for the show radius rfc3576 statistics command:
RFC-3576 Servers: Server Index..................................... Server Address................................... Disconnect-Requests.............................. COA-Requests..................................... Retransmitted Requests........................... Malformed Requests............................... Bad Authenticator Requests....................... Other Drops...................................... Sent Disconnect-Ack.............................. Sent Disconnect-Nak.............................. Sent CoA-Ack..................................... Sent CoA-Nak.................................. 0 1 10.91.104.76 0 0 0 0 0 0 0 0 0
Step 10
See active security associations by entering these commands:

show ike {brief | detailed} ip_or_mac_addrShows a brief or detailed summary of active IKE security associations. show ipsec {brief | detailed} ip_or_mac_addrShows a brief or detailed summary of active IPSec security associations.
Step 11
Clear the statistics for one or more RADIUS servers by entering this command: clear stats radius {auth | acct} {index | all} Make sure that the controller can reach the RADIUS server by entering this command: ping server_ip_address
Step 12
6-15
RADIUS Authentication Attributes Sent by the Access Point

Table 6-1 through Table 6-5 identify the RADIUS authentication attributes sent by a lightweight access point to a client in access-request and access-accept packets.
Table 6-1 Authentication Attributes Sent in Access-Request Packets
Attribute ID 1 2 3 4 5 6 12 30 31 32 33 60 61 79 243
Description User-Name Password CHAP-Password NAS-IP-Address NAS-Port Service-Type1 Framed-MTU Called-Station-ID (MAC address) Calling-Station-ID (MAC address) NAS-Identifier Proxy-State CHAP-Challenge NAS-Port-Type EAP-Message TPLUS-Role
1. To specify read-only or read-write access to controllers through RADIUS authentication, you must set the Service-Type attribute (6) on the RADIUS server to Callback NAS Prompt for read-only access or to Administrative for read-write privileges. See Step 19 in the Configuring RADIUS on the ACS section for more information.
Table 6-2
Authentication Attributes Honored in Access-Accept Packets (Cisco)
Attribute ID 1 2 3 4 5 6
Description Cisco-LEAP-Session-Key Cisco-Keywrap-Msg-Auth-Code Cisco-Keywrap-NonCE Cisco-Keywrap-Key Cisco-URL-Redirect Cisco-URL-Redirect-ACL
Note
These Cisco-specific attributes are not supported: Auth-Algo-Type and SSID.
6-16
OL-21524-01
Chapter 6
Table 6-3
Authentication Attributes Honored in Access-Accept Packets (Standard)
Attribute ID 6 8 25 26 27 29 40 64 79 81
Description Service-Type1 Framed-IP-Address Class Vendor-Specific Timeout Termination-Action Acct-Status-Type Tunnel-Type EAP-Message Tunnel-Group-ID
1. To specify read-only or read-write access to controllers through RADIUS authentication, you must set the Service-Type attribute (6) on the RADIUS server to Callback NAS Prompt for read-only access or to Administrative for read-write privileges. See Step 19 in the Configuring RADIUS on the ACS section for more information.
Note
Message authentication is not supported.
Table 6-4
Authentication Attributes Honored in Access-Accept Packets (Microsoft)
Attribute ID 11 16 17 25 26
Description MS-CHAP-Challenge MS-MPPE-Send-Key MS-MPPE-Receive-Key MS-MSCHAP2-Response MS-MSCHAP2-Success
6-17
Table 6-5
Authentication Attributes Honored in Access-Accept Packets (Airespace)
Attribute ID 1 2 3 4 5 6 7 8 9 10 11
Description VAP-ID QoS-Level DSCP 8021P-Type VLAN-Interface-Name ACL-Name Data-Bandwidth-Average-Contract Real-Time-Bandwidth-Average-Contract Data-Bandwidth-Burst-Contract Real-Time-Bandwidth-Burst-Contract Guest-Role-Name
RADIUS Accounting Attributes

Table 6-6 identifies the RADIUS accounting attributes for accounting requests sent from a controller to the RADIUS server. Table 6-7 lists the different values for the Accounting-Status-Type attribute (40).
Table 6-6 Accounting Attributes for Accounting Requests
Attribute ID 1 4 5 8 25 30 31 32 40 41 42 43 44 45 46 47 48 49
Description User-Name NAS-IP-Address NAS-Port Framed-IP-Address Class Called-Station-ID (MAC address) Calling-Station-ID (MAC address) NAS-Identifier Accounting-Status-Type Accounting-Delay-Time (Stop and interim messages only) Accounting-Input-Octets (Stop and interim messages only) Accounting-Output-Octets (Stop and interim messages only) Accounting-Session-ID Accounting-Authentic Accounting-Session-Time (Stop and interim messages only) Accounting-Input-Packets (Stop and interim messages only) Accounting-Output-Packets (Stop and interim messages only) Accounting-Terminate-Cause (Stop messages only)
6-18
OL-21524-01
Chapter 6
Configuring Security Solutions Configuring TACACS+
Table 6-6
Accounting Attributes for Accounting Requests (continued)
Attribute ID 64 65 81
Table 6-7
Description Tunnel-Type Tunnel-Medium-Type Tunnel-Group-ID

Accounting-Status-Type Attribute Values
Attribute ID 1 2 3 7 8 9-14 15
Description Start Stop Interim-Update Accounting-On Accounting-Off Reserved for Tunneling Accounting Reserved for Failed
Configuring TACACS+
Terminal Access Controller Access Control System Plus (TACACS+) is a client/server protocol that provides centralized security for users attempting to gain management access to a controller. It serves as a backend database similar to local and RADIUS. However, local and RADIUS provide only authentication support and limited authorization support while TACACS+ provides three services:
AuthenticationThe process of verifying users when they attempt to log into the controller. Users must enter a valid username and password in order for the controller to authenticate users to the TACACS+ server. The authentication and authorization services are tied to one another. For example, if authentication is performed using the local or RADIUS database, then authorization would use the permissions associated with the user in the local or RADIUS database (which are read-only, read-write, and lobby-admin) and not use TACACS+. Similarly, when authentication is performed using TACACS+, authorization is tied to TACACS+.
Note
When multiple databases are configured, you can use the controller GUI or CLI to specify the sequence in which the backend databases should be tried.
AuthorizationThe process of determining the actions that users are allowed to take on the controller based on their level of access. For TACACS+, authorization is based on privilege (or role) rather than specific actions. The available roles correspond to the seven menu options on the controller GUI: MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, and COMMANDS. An additional role, LOBBY, is available for users who require only lobby ambassador privileges. The roles to which users are assigned are configured on the TACACS+ server. Users can be authorized for one or more roles. The minimum authorization is MONITOR only, and the maximum is ALL, which authorizes the user to execute the functionality associated with all seven menu options. For example, a user who is assigned the role of SECURITY can make changes to any items appearing on the
6-19
Chapter 7 WLAN Overview
Configuring WLANs
WLAN Overview
The Cisco UWN solution can control up to 512 WLANs for lightweight access points. Each WLAN has a separate WLAN ID (1 through 512), a separate profile name, and a WLAN SSID. All controllers publish up to 16 WLANs to each connected access point, but you can create up to 512 WLANs and then selectively publish these WLANs (using access point groups) to different access points to better manage your wireless network.
Note
Cisco 2106, 2112, and 2125 Controllers support only up to 16 WLANs.
Note
All OfficeExtend access points should be in the same access point group, and that group should contain no more than 15 WLANs. A controller with OfficeExtend access points in an access point group publishes only up to 15 WLANs to each connected OfficeExtend access point because it reserves one WLAN for the personal SSID. You can associate up to 16 WLANs with each access point group and assign specific access points to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point does not advertise disabled WLANs in its access point group or WLANs that belong to another group. See the Creating Access Point Groups section on page 7-52 for more information on access point groups.
Note
Controller software releases prior to 5.2 support up to only 16 WLANs. Cisco does not support downgrading the controller from software release 5.2 or later releases to a previous release as inconsistencies might occur for WLANs and wired guest LANs. As a result, you would need to reconfigure your WLAN, mobility anchor, and wired LAN configurations.
Note
We recommend that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that controllers properly route VLAN traffic.
Configuring WLANs

7-2
OL-21524-01
Chapter 7
Configuring WLANs Configuring WLANs
Creating WLANs
This section provides instructions for creating up to 512 WLANs using either the controller GUI or CLI. You can configure WLANs with different service set identifiers (SSIDs) or with the same SSID. An SSID identifies the specific wireless network that you want the controller to access. Creating WLANs with the same SSID enables you to assign different Layer 2 security policies within the same wireless LAN. To distinguish among WLANs with the same SSID, you must create a unique profile name for each WLAN. WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in beacon and probe responses. These are the available Layer 2 security policies:

None (open WLAN) Static WEP or 802.1X
Note
Because static WEP and 802.1X are both advertised by the same bit in beacon and probe responses, they cannot be differentiated by clients. Therefore, they cannot both be used by multiple WLANs with the same SSID.
CKIP WPA/WPA2
Note
Although WPA and WPA2 cannot both be used by multiple WLANs with the same SSID, two WLANs with the same SSID could be configured with WPA/TKIP with PSK and WPA/TKIP with 802.1X, respectively, or with WPA/TKIP with 802.1X or WPA/AES with 802.1X, respectively.
7-3
Chapter 7 Configuring WLANs
Configuring WLANs
Using the GUI to Create WLANs

To create WLANs using the GUI, follow these steps:
Step 1
Choose WLANs to open the WLANs page (see Figure 7-1).

Figure 7-1 WLANs Page
This page lists all of the WLANs currently configured on the controller. For each WLAN, you can see its WLAN ID, profile name, type, SSID, status, and security policies. The total number of WLANs appears in the upper right-hand corner of the page. If the list of WLANs spans multiple pages, you can access these pages by clicking the page number links.
Note
If you want to delete a WLAN, hover your cursor over the blue drop-down arrow for that WLAN and choose Remove, or select the check box to the left of the WLAN, choose Remove Selected from the drop-down list, and click Go. A message appears asking you to confirm your decision. If you proceed, the WLAN is removed from any access point group to which it is assigned and from the access points radio.
Step 2
Create a new WLAN by choosing Create New from the drop-down list and clicking Go. The WLANs > New page appears (see Figure 7-2).
Figure 7-2 WLANs > New Page
7-4
OL-21524-01
Chapter 7
Note
When you upgrade to controller software release 5.2 or later releases, the controller creates the default-group access point group and automatically populates it with the first 16 WLANs (WLANs with IDs 1 through 16, or fewer if 16 WLANs are not configured). This default group cannot be modified (you cannot add WLANs to it nor delete WLANs from it). It is dynamically updated whenever the first 16 WLANs are added or deleted. If an access point does not belong to an access point group, it is assigned to the default group and uses the WLANs in that group. If an access point joins the controller with an undefined access point group name, the access point keeps its group name but uses the WLANs in the default-group access point group. From the Type drop-down list, choose WLAN to create a WLAN.
Step 3
Note
If you want to create a guest LAN for wired guest users, choose Guest LAN and follow the instructions in the Configuring Wired Guest Access section on page 11-27.
In the Profile Name text box, enter up to 32 alphanumeric characters for the profile name to be assigned to this WLAN. The profile name must be unique. In the WLAN SSID text box, enter up to 32 alphanumeric characters for the SSID to be assigned to this WLAN. From the WLAN ID drop-down list, choose the ID number for this WLAN. Click Apply to commit your changes. The WLANs > Edit page appears (see Figure 7-3).
Note
You can also open the WLANs > Edit page from the WLANs page by clicking the ID number of the WLAN that you want to edit.
WLANs > Edit Page
Figure 7-3
Step 8 Step 9
Use the parameters on the General, Security, QoS, and Advanced tabs to configure this WLAN. See the sections in the rest of this chapter for instructions on configuring specific features for WLANs. On the General tab, select the Status check box to enable this WLAN. Be sure to leave it unselected until you have finished making configuration changes to the WLAN.
7-5
Configuring WLANs
Note
You can also enable or disable WLANs from the WLANs page by selecting the check boxes to the left of the WLANs that you want to enable or disable, choosing Enable Selected or Disable Selected from the drop-down list, and clicking Go.
Step 10 Step 11
Click Apply to commit your changes. Click Save Configuration to save your changes.
Using the CLI to Create WLANs

Use these commands to create WLANs using the CLI:
View the list of existing WLANs and to see whether they are enabled or disabled by entering this command: show wlan summary Create a new WLAN by entering this command: config wlan create wlan_id {profile_name | foreign_ap} ssid
Note
If you do not specify an ssid, the profile_name parameter is used for both the profile name and the SSID.
Note
When WLAN 1 is created in the configuration wizard, it is created in enabled mode. Disable it until you have finished configuring it. When you create a new WLAN using the config wlan create command, it is created in disabled mode. Leave it disabled until you have finished configuring it.
Note
If you want to create a guest LAN for wired guest users, follow the instructions in the Configuring Wired Guest Access section on page 11-27.
Disable a WLAN (for example, before making any modifications to a WLAN) by entering this command: config wlan disable {wlan_id | foreign_ap | all} where

wlan_id is a WLAN ID between 1 and 512. foreign_ap is a third-party access point. all is all WLANs.
Note
If the management and AP-manager interfaces are mapped to the same port and are members of the same VLAN, you must disable the WLAN before making a port-mapping change to either interface. If the management and AP-manager interfaces are assigned to different VLANs, you do not need to disable the WLAN.
7-6
OL-21524-01
Chapter 7
Enable a WLAN (for example, after you have finished making configuration changes to the WLAN) by entering this command: config wlan enable {wlan_id | foreign_ap | all}
Note
If the command fails, an error message appears (for example, Request failed for wlan 10 Static WEP key size does not match 802.1X WEP key size).
Delete a WLAN by entering this command: config wlan delete {wlan_id | foreign_ap}
Note
An error message appears if you try to delete a WLAN that is assigned to an access point group. If you proceed, the WLAN is removed from the access point group and from the access points radio.
Searching WLANs
You can search for specific WLANs in the list of up to 512 WLANs on the WLANs page. This feature is especially useful if your WLANs span multiple pages, preventing you from viewing them all at once. To search for WLANs using the controller GUI, follow these steps
Step 1
On the WLANs page, click Change Filter. The Search WLANs dialog box appears (see Figure 7-4).
Figure 7-4 Search WLANs Dialog Box
Step 2
Perform one of the following:

To search for WLANs based on profile name, select the Profile Name check box and enter the desired profile name in the edit box. To search for WLANs based on SSID, select the SSID check box and enter the desired SSID in the edit box. To search for WLANs based on their status, select the Status check box and choose Enabled or Disabled from the drop-down list.
Step 3
Click Find. Only the WLANs that match your search criteria appear on the WLANs page, and the Current Filter field at the top of the page specifies the search criteria used to generate the list (for example, None, Profile Name:user1, SSID:test1, Status:disabled).
7-7
Configuring WLANs
Note
To clear any configured search criteria and display the entire list of WLANs, click Clear Filter.
7-8
OL-21524-01
Configuring WLANs
Note
Step 2
Step 3
Configuring Layer 2 Security

This section describes how to assign Layer 2 security settings to WLANs.
Static WEP Keys

Controllers can control static WEP keys across access points. Use these commands to configure static WEP for WLANs:
Disable the 802.1X encryption by entering this command: config wlan security 802.1X disable wlan_id Configure 40/64-bit or 104/128-bit WEP keys by entering this command: config wlan security static-wep-key encryption wlan_id {40 | 104} {hex | ascii} key key_index
Use the 40 or 104 option to specify 40/64-bit or 104/128-bit encryption. The default setting is
104/128.
Use the hex or ascii option to specify the character format for the WEP key. Enter 10 hexadecimal digits (any combination of 0-9, a-f, or A-F) or five printable ASCII
characters for 40-bit/64-bit WEP keys or enter 26 hexadecimal or 13 ASCII characters for 104-bit/128-bit keys.
Enter a key index (sometimes called a key slot). The default value is 0, which corresponds to a
key index of 1; the valid values are 0 to 3 (key index of 1 to 4).
7-22
OL-21524-01
Chapter 7
Dynamic 802.1X Keys and Authorization

Controllers can control 802.1X dynamic WEP keys using Extensible Authentication Protocol (EAP) across access points and support 802.1X dynamic key settings for WLANs.
Note
To use LEAP with lightweight access points and wireless clients, make sure to choose Cisco-Aironet as the RADIUS server type when configuring the CiscoSecure Access Control Server (ACS).
Check the security settings of each WLAN by entering this command: show wlan wlan_id The default security setting for new WLANs is 802.1X with dynamic keys enabled. To maintain robust Layer 2 security, leave 802.1X configured on your WLANs.
Disable or enable the 802.1X authentication by entering this command: config wlan security 802.1X {enable | disable} wlan_id After you enable 802.1X authentication, the controller sends EAP authentication packets between the wireless client and the authentication server. This command allows all EAP-type packets to be sent to and from the controller.
Change the 802.1X encryption level for a WLAN by entering this command: config wlan security 802.1X encryption wlan_id [0 | 40 | 104]
Use the 0 option to specify no 802.1X encryption. Use the 40 option to specify 40/64-bit encryption. Use the 104 option to specify 104/128-bit encryption. (This is the default encryption setting.)
Configuring a WLAN for Both Static and Dynamic WEP

You can configure up to four WLANs to support static WEP keys, and you can also configure dynamic WEP on any of these static-WEP WLANs. Follow these guidelines when configuring a WLAN for both static and dynamic WEP:

The static WEP key and the dynamic WEP key must be the same length. When you configure both static and dynamic WEP as the Layer 2 security policy, no other security policies can be specified. That is, you cannot configure web authentication. However, when you configure either static or dynamic WEP as the Layer 2 security policy, you can configure web authentication.
WPA1 and WPA2

Wi-Fi Protected Access (WPA or WPA1) and WPA2 are standards-based security solutions from the Wi-Fi Alliance that provide data protection and access control for wireless LAN systems. WPA1 is compatible with the IEEE 802.11i standard but was implemented prior to the standards ratification; WPA2 is the Wi-Fi Alliance's implementation of the ratified IEEE 802.11i standard. By default, WPA1 uses Temporal Key Integrity Protocol (TKIP) and message integrity check (MIC) for data protection while WPA2 uses the stronger Advanced Encryption Standard encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). Both WPA1 and WPA2 use 802.1X for authenticated key management by default. However, these options are also available:
7-23
Configuring WLANs
802.1XThe standard for wireless LAN security, as defined by IEEE, is called 802.1X for 802.11, or simply 802.1X. An access point that supports 802.1X acts as the interface between a wireless client and an authentication server, such as a RADIUS server, to which the access point communicates over the wired network. If 802.1X is selected, only 802.1X clients are supported. PSKWhen you choose PSK (also known as WPA preshared key or WPA passphrase), you need to configure a preshared key (or a passphrase). This key is used as the pairwise master key (PMK) between the clients and the authentication server. CCKMCisco Centralized Key Management (CCKM) uses a fast rekeying technique that enables clients to roam from one access point to another without going through the controller, typically in under 150 milliseconds (ms). CCKM reduces the time required by the client to mutually authenticate with the new access point and derive a new session key during reassociation. CCKM fast secure roaming ensures that there is no perceptible delay in time-sensitive applications such as wireless Voice over IP (VoIP), enterprise resource planning (ERP), or Citrix-based solutions. CCKM is a CCXv4-compliant feature. If CCKM is selected, only CCKM clients are supported.
Note
The 4.2 or later release of controller software supports CCX versions 1 through 5. CCX support is enabled automatically for every WLAN on the controller and cannot be disabled. The controller stores the CCX version of the client in its client database and uses it to limit client functionality. Clients must support CCXv4 or v5 in order to use CCKM. See the Configuring Cisco Client Extensions section on page 7-47 for more information on CCX.
802.1X+CCKMDuring normal operation, 802.1X-enabled clients mutually authenticate with a new access point by performing a complete 802.1X authentication, including communication with the main RADIUS server. However, when you configure your WLAN for 802.1X and CCKM fast secure roaming, CCKM-enabled clients securely roam from one access point to another without the need to reauthenticate to the RADIUS server. 802.1X+CCKM is considered optional CCKM because both CCKM and non-CCKM clients are supported when this option is selected.
On a single WLAN, you can allow WPA1, WPA2, and 802.1X/PSK/CCKM/802.1X+CCKM clients to join. All of the access points on such a WLAN advertise WPA1, WPA2, and 802.1X/PSK/CCKM/ 802.1X+CCKM information elements in their beacons and probe responses. When you enable WPA1 and/or WPA2, you can also enable one or two ciphers, or cryptographic algorithms, designed to protect data traffic. Specifically, you can enable AES and/or TKIP data encryption for WPA1 and/or WPA2. TKIP is the default value for WPA1, and AES is the default value for WPA2. You can configure WPA1+WPA2 through either the GUI or the CLI.
Using the GUI to Configure WPA1+WPA2

To configure a WLAN for WPA1+WPA2 using the controller GUI, follow these steps:
Choose WLANs to open the WLANs page. Click the ID number of the desired WLAN to open the WLANs > Edit page. Choose the Security and Layer 2 tabs to open the WLANs > Edit (Security > Layer 2) page (see Figure 7-11).
7-24
OL-21524-01
Chapter 7
Figure 7-11
WLANs > Edit (Security > Layer 2) Page
Step 4 Step 5
Choose WPA+WPA2 from the Layer 2 Security drop-down list. Under WPA+WPA2 Parameters, select the WPA Policy check box to enable WPA1, select the WPA2 Policy check box to enable WPA2, or select both check boxes to enable both WPA1 and WPA2.
Note
The default value is disabled for both WPA1 and WPA2. If you leave both WPA1 and WPA2 disabled, the access points advertise in their beacons and probe responses information elements only for the authentication key management method you choose in Step 7.
Select the AES check box to enable AES data encryption or the TKIP check box to enable TKIP data encryption for WPA1, WPA2, or both. The default values are TKIP for WPA1 and AES for WPA2. Choose one of the following key management methods from the Auth Key Mgmt drop-down list: 802.1X, CCKM, PSK, or 802.1X+CCKM. If you chose PSK in Step 7, choose ASCII or HEX from the PSK Format drop-down list and then enter a preshared key in the blank text box. WPA preshared keys must contain 8 to 63 ASCII text characters or 64 hexadecimal characters. Click Apply to commit your changes. Click Save Configuration to save your changes.
Step 9 Step 10
Using the CLI to Configure WPA1+WPA2

To configure a WLAN for WPA1+WPA2 using the controller CLI, follow these steps:
Step 1
Disable the WLAN by entering this command: config wlan disable wlan_id Enable or disable WPA for the WLAN by entering this command: config wlan security wpa {enable | disable} wlan_id Enable or disable WPA1 for the WLAN by entering this command:
Step 2
Step 3
7-25
Configuring WLANs
config wlan security wpa wpa1 {enable | disable} wlan_id

Step 4
Enable or disable WPA2 for the WLAN by entering this command: config wlan security wpa wpa2 {enable | disable} wlan_id Enable or disable AES or TKIP data encryption for WPA1 or WPA2 by entering one of these this commands:

Step 5
config wlan security wpa wpa1 ciphers {aes | tkip} {enable | disable} wlan_id config wlan security wpa wpa2 ciphers {aes | tkip} {enable | disable} wlan_id
The default values are TKIP for WPA1 and AES for WPA2.
Step 6
Enable or disable 802.1X, PSK, or CCKM authenticated key management by entering this command: config wlan security wpa akm {802.1X | psk | cckm} {enable | disable} wlan_id The default value is 802.1X. If you enabled PSK in Step 6, enter this command to specify a preshared key: config wlan security wpa akm psk set-key {ascii | hex} psk-key wlan_id WPA preshared keys must contain 8 to 63 ASCII text characters or 64 hexadecimal characters. If you enabled WPA2 with 802.1X authenticated key management or WPA1 or WPA2 with CCKM authenticated key management, the PMK cache lifetime timer is used to trigger reauthentication with the client when necessary. The timer is based on the timeout value received from the AAA server or the WLAN session timeout setting. To see the amount of time remaining before the timer expires, enter this command: show pmk-cache all Information similar to the following appears:
PMK-CCKM Cache Type -----CCKM Entry Station Lifetime ------------------- -------00:07:0e:b9:3a:1b 150 VLAN Override -----------------IP Override --------------0.0.0.0
Step 7
Step 8
If you enabled WPA2 with 802.1X authenticated key management, the controller supports opportunistic PMKID caching but not sticky (or non-opportunistic) PMKID caching. In sticky PMKID caching, the client stores multiple PMKIDs. This approach is not practical because it requires full authentication for each new access point and is not guaranteed to work in all conditions. In contrast, opportunistic PMKID caching stores only one PMKID per client and is not subject to the limitations of sticky PMK caching.
Step 9
Enable the WLAN by entering this command: config wlan enable wlan_id Save your settings by entering this command: save config
Step 10
7-26
OL-21524-01
Chapter 7
CKIP
Cisco Key Integrity Protocol (CKIP) is a Cisco-proprietary security protocol for encrypting 802.11 media. CKIP improves 802.11 security in infrastructure mode using key permutation, a message integrity check (MIC), and a message sequence number. Software release 4.0 or later releases support CKIP with a static key. For this feature to operate correctly, you must enable Aironet information elements (IEs) for the WLAN. A lightweight access point advertises support for CKIP in beacon and probe response packets by adding an Aironet IE and setting one or both of the CKIP negotiation bits (key permutation and multi-modular hash message integrity check [MMH MIC]). Key permutation is a data encryption technique that uses the basic encryption key and the current initialization vector (IV) to create a new key. MMH MIC prevents bit-flip attacks on encrypted packets by using a hash function to compute message integrity code. The CKIP settings specified in a WLAN are mandatory for any client attempting to associate. If the WLAN is configured for both CKIP key permutation and MMH MIC, the client must support both. If the WLAN is configured for only one of these features, the client must support only the CKIP feature. CKIP requires that 5-byte and 13-byte encryption keys be expanded to 16-byte keys. The algorithm to perform key expansion occurs at the access point. The key is appended to itself repeatedly until the length reaches 16 bytes. All lightweight access points support CKIP. You can configure CKIP through either the GUI or the CLI.
Using the GUI to Configure CKIP

To configure a WLAN for CKIP using the controller GUI, follow these steps:
Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7
Choose WLANs to open the WLANs page. Click the ID number of the desired WLAN to open the WLANs > Edit page. Choose the Advanced tab. Select the Aironet IE check box to enable Aironet IEs for this WLAN and click Apply. Choose the General tab. Unselect the Status check box, if selected, to disable this WLAN and click Apply. Choose the Security and Layer 2 tabs to open the WLANs > Edit (Security > Layer 2) page (see Figure 7-12).
7-27
Configuring WLANs
Figure 7-12
WLANs > Edit (Security > Layer 2) Page
Choose CKIP from the Layer 2 Security drop-down list. Under CKIP Parameters, choose the length of the CKIP encryption key from the Key Size drop-down list.The range is Not Set, 40 bits, or 104 bits and the default is Not Set. Choose the number to be assigned to this key from the Key Index drop-down list. You can configure up to four keys. From the Key Format drop-down list, choose ASCII or HEX and then enter an encryption key in the Encryption Key text box. 40-bit keys must contain 5 ASCII text characters or 10 hexadecimal characters. 104-bit keys must contain 13 ASCII text characters or 26 hexadecimal characters. Select the MMH Mode check box to enable MMH MIC data protection for this WLAN. The default value is disabled (or unselected). Select the Key Permutation check box to enable this form of CKIP data protection. The default value is disabled (or unselected). Click Apply to commit your changes. Choose the General tab. Select the Status check box to enable this WLAN. Click Apply to commit your changes. Click Save Configuration to save your changes.
Using the CLI to Configure CKIP

To configure a WLAN for CKIP using the controller CLI, follow these steps:
Step 1
Disable the WLAN by entering this command: config wlan disable wlan_id Enable Aironet IEs for this WLAN by entering this command: config wlan ccx aironet-ie enable wlan_id Enable or disable CKIP for the WLAN by entering this command:
Step 2
Step 3
7-28
OL-21524-01
Chapter 7
config wlan security ckip {enable | disable} wlan_id

Step 4
Specify a CKIP encryption key for the WLAN by entering this command: config wlan security ckip akm psk set-key wlan_id {40 | 104} {hex | ascii} key key_index Enable or disable CKIP MMH MIC for the WLAN by entering this command: config wlan security ckip mmh-mic {enable | disable} wlan_id Enable or disable CKIP key permutation for the WLAN by entering this command: config wlan security ckip kp {enable | disable} wlan_id Enable the WLAN by entering this command: config wlan enable wlan_id Save your settings by entering this command: save config
Step 5
Step 6
Step 7
Step 8
Configuring a Session Timeout

Using the controller GUI or CLI, you can configure a session timeout for wireless clients on a WLAN. The session timeout is the maximum time for a client session to remain active before requiring reauthorization.
Using the GUI to Configure a Session Timeout

To configure a session timeout for wireless clients on a WLAN using the controller GUI, follow these steps:
Step 1 Step 2 Step 3 Step 4 Step 5
Choose WLANs to open the WLANs page. Click the ID number of the WLAN for which you want to assign a session timeout. When the WLANs > Edit page appears, choose the Advanced tab. The WLANs > Edit (Advanced) page appears. Select the Enable Session Timeout check box to configure a session timeout for this WLAN. Otherwise, unselect the check box. The default value is selected. In the Session Timeout text box, enter a value between 300 and 86400 seconds to specify the duration of the client session. The default value is 1800 seconds for the following Layer 2 security types: 802.1X, Static WEP+802.1X, WPA+WPA2 with 802.1X, CCKM, or 802.1X+CCKM authentication key management and 0 seconds for all other Layer 2 security types. A value of 0 is equivalent to no timeout. Click Apply to commit your changes. Click Save Configuration to save your changes.
Step 6 Step 7
Using the CLI to Configure a Session Timeout

To configure a session timeout for wireless clients on a WLAN using the controller CLI, follow these steps:
7-29
Configuring WLANs
Step 1
Configure a session timeout for wireless clients on a WLAN by entering this command: config wlan session-timeout wlan_id timeout The default value is 1800 seconds for the following Layer 2 security types: 802.1X, Static WEP+802.1X, WPA+WPA2 with 802.1X, CCKM, or 802.1X+CCKM authentication key management and 0 seconds for all other Layer 2 security types. A value of 0 is equivalent to no timeout.
Step 2
Save your changes by entering this command: save config See the current session timeout value for a WLAN by entering this command: show wlan wlan_id Information similar to the following appears:
WLAN Identifier.................................. 9 Profile Name..................................... test12 Network Name (SSID)........................... test12 ... Number of Active Clients......................... 0 Exclusionlist Timeout............................ 60 seconds Session Timeout............................... 1800 seconds ...
Step 3
Configuring Layer 3 Security

This section describes how to configure Layer 3 security settings for a WLAN on the controller.
Note
Layer 2 Tunnel Protocol (L2TP) and IPsec are not supported on controllers that run software release 4.0 or later releases. The Layer 3 securities are not supported when Client IP Address is disabled on a WLAN.
VPN Passthrough Not Required

The controller supports VPN passthrough or the passing through of packets that originate from VPN clients. An example of VPN passthrough is your laptop trying to connect to the VPN server at your corporate office.
Note
The VPN Passthrough option is not available on Cisco 5500 Series and Cisco 2100 Series Controllers. However, you can replicate this functionality on a Cisco 5500 or 2100 Series Controller by creating an open WLAN using an ACL.
Using the GUI to Configure VPN Passthrough

To configure a WLAN for VPN passthrough using the controller GUI, follow these steps:
Step 1
Choose WLANs to open the WLANs page.
7-30
OL-21524-01
Chapter 7
Step 2 Step 3
Click the ID number of the WLAN for which you want to configure VPN passthrough. The WLANs > Edit page appears. Choose the Security and Layer 3 tabs to open the WLANs > Edit (Security > Layer 3) page (see Figure 7-13).
Figure 7-13 WLANs > Edit (Security > Layer 3) Page
From the Layer 3 Security drop-down list, choose VPN Pass-Through. In the VPN Gateway Address text box, enter the IP address of the gateway router that is terminating the VPN tunnels initiated by the client and passed through the controller. Click Apply to commit your changes. Click Save Configuration to save your settings.
Using the CLI to Configure VPN Passthrough

Configure a WLAN for VPN passthrough using the controller CLI by entering this command:
config wlan security passthru {enable | disable} wlan_id gateway For gateway, enter the IP address of the router that is terminating the VPN tunnel.
Verify that the passthrough is enabled by entering this command:
show wlan
Web Authentication
WLANs can use web authentication only if VPN passthrough is not enabled on the controller. Web authentication is simple to set up and use and can be used with SSL to improve the overall security of the WLAN.
Note
Web authentication is supported only with these Layer 2 security policies: open authentication, open authentication+WEP, and WPA-PSK. It is not supported for use with 802.1X.
Note
The controller supports web authentication redirects only to HTTP (HTTP over TCP) servers. It does not support web authentication redirects to HTTPS (HTTP over SSL) servers.
7-31
Configuring WLANs
Note
If the CPU ACLs are configured to block HTTP / HTTPS traffic, after the successful web login authentication, there could be a failure in the redirection page.
Note
Before enabling web authentication, make sure that all proxy servers are configured for ports other than port 53.
Note
When you enable web authentication for a WLAN, a message appears indicating that the controller forwards DNS traffic to and from wireless clients prior to authentication. We recommend that you have a firewall or intrusion detection system (IDS) behind your guest VLAN to regulate DNS traffic and to prevent and detect any DNS tunneling attacks.
Note
If the web authentication is enabled on the WLAN and you also have the CPU ACL rules, the client based web authentication rules takes higher precedence as long as the client is unauthenticated (in webAuth_Reqd state). Once the client goes to RUN state, the CPU ACL rules get applied. Therefore, if the CPU ACL rules are enabled in the controller, an allow rule for the virtual interface IP is required (in any direction) with the following conditions:

When the CPU ACL does not have an allow ACL rule for both directions. When there exists an allow ALL rule, but there also exists a DENY rule for port 443 or 80 of higher precedence.
The allow rule for the virtual IP should be for TCP protocol and port 80 (if secureweb is disabled) or port 443 (if secureweb is enabled). This is required to allow clients access to the virtual interface IP address, post successful authentication when the CPU ACL rules are in place.
Note
When clients connect to a WebAuth SSID with preauthorization ACL configured to allow VPN users, the clients will get disconnected from the SSID every few minutes. Webauth SSIDs must not connect without authenticating on the web page.
Using the GUI to Configure Web Authentication

To configure a WLAN for web authentication using the controller GUI, follow these steps:
Choose WLANs to open the WLANs page. Click the ID number of the WLAN for which you want to configure web authentication. The WLANs > Edit page appears. Choose the Security and Layer 3 tabs to open the WLANs > Edit (Security > Layer 3) page. Select the Web Policy check box. Make sure that the Authentication option is selected. Click Apply to commit your changes. Click Save Configuration to save your settings.
7-32
OL-21524-01
Chapter 7
Step 8
See Chapter 11, Managing User Accounts, for more information on using web authentication.
Using the CLI to Configure Web Authentication

To configure a WLAN for web authentication using the controller CLI, follow these steps:
Step 1
Enable or disable web authentication on a particular WLAN by entering this command: config wlan security web-auth {enable | disable} wlan_id Release the guest user IP address when the web authentication policy timer expires and prevent the guest user from acquiring an IP address for 3 minutes by entering this command: config wlan webauth-exclude wlan_id {enable | disable} The default value is disabled. This command is applicable when you configure the internal DHCP scope on the controller. By default, when the web authentication timer expires for a guest user, the user can immediately reassociate to the same IP address before another guest user can acquire it. If there are many guest users or limited IP addresses in the DHCP pool, some guest users might not be able to acquire an IP address. When you enable this feature on the guest WLAN, the guest users IP address is released when the web authentication policy timer expires and the guest user is excluded from acquiring an IP address for 3 minutes. The IP address is available for another guest user to use. After 3 minutes, the excluded guest user can reassociate and acquire an IP address, if available.
Step 2
Step 3
See the status of web authentication by entering this command: show wlan wlan_id Information similar to the following appears:
WLAN Identifier.................................. Profile Name..................................... Network Name (SSID).............................. Status........................................... MAC Filtering.................................... Broadcast SSID................................... AAA Policy Override.............................. Network Admission Control 1 cjtalwar cjtalwar Disabled Disabled Enabled Disabled
NAC-State...................................... Disabled Quarantine VLAN................................ 0 Number of Active Clients......................... 0 Exclusionlist Timeout............................ 60 seconds Session Timeout.................................. 1800 seconds CHD per WLAN.................................. Enabled Webauth DHCP exclusion........................... Disabled Interface........................................ management WLAN ACL......................................... unconfigured DHCP Server...................................... Default DHCP Address Assignment Required.............. Disabled ... Web Based Authentication......................... Disabled Web-Passthrough............................... Disabled ...
Step 4
For more information on using web authentication, see the Chapter 11, Managing User Accounts.
7-33

Configuring RADIUS: Layer 3 Solutions

Загружено:

Сведения о документе

Исходное описание:

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Configuring RADIUS: Layer 3 Solutions

Загружено:

Авторское право:

Доступные форматы

Chapter 6

Configuring Security Solutions Configuring RADIUS

Integrated Security Solutions

Cisco Wireless LAN Controller Configuration Guide OL-21524-01

Chapter 6 Configuring RADIUS

Configuring Security Solutions

Configuring RADIUS on the ACS

Cisco Wireless LAN Controller Configuration Guide

Configuring Security Solutions Configuring RADIUS

Add AAA Client Page on CiscoSecure ACS

Step 3 Step 4 Step 5

Cisco Wireless LAN Controller Configuration Guide OL-21524-01

Chapter 6 Configuring RADIUS

Configuring Security Solutions

Choose a previously created group from the Group drop-down list.

Step 17 Step 18 Step 19

Click Submit to save your changes.

Using the GUI to Configure RADIUS

Cisco Wireless LAN Controller Configuration Guide

Configuring Security Solutions Configuring RADIUS

RADIUS Authentication Servers Page

Step 4 Step 5 Step 6

Cisco Wireless LAN Controller Configuration Guide OL-21524-01

Chapter 6 Configuring RADIUS

Configuring Security Solutions

RADIUS Authentication Servers > New Page

Step 8 Step 9 Step 10

Cisco Wireless LAN Controller Configuration Guide

Configuring Security Solutions Configuring RADIUS

Cisco Wireless LAN Controller Configuration Guide OL-21524-01

Chapter 6 Configuring RADIUS

Configuring Security Solutions

Step 20 Step 21 Step 22 Step 23

Cisco Wireless LAN Controller Configuration Guide

Configuring Security Solutions Configuring RADIUS

Using the CLI to Configure RADIUS

Cisco Wireless LAN Controller Configuration Guide OL-21524-01

Chapter 6 Configuring RADIUS

Configuring Security Solutions

Configure a RADIUS authentication server by entering these commands:

Cisco Wireless LAN Controller Configuration Guide

Configuring Security Solutions Configuring RADIUS

Configure a RADIUS accounting server by entering these commands:

Cisco Wireless LAN Controller Configuration Guide OL-21524-01

Chapter 6 Configuring RADIUS

Configuring Security Solutions

See RADIUS statistics by entering these commands:

Cisco Wireless LAN Controller Configuration Guide

Configuring Security Solutions Configuring RADIUS

See active security associations by entering these commands:

Cisco Wireless LAN Controller Configuration Guide OL-21524-01

Chapter 6 Configuring RADIUS

Configuring Security Solutions

RADIUS Authentication Attributes Sent by the Access Point

Authentication Attributes Honored in Access-Accept Packets (Cisco)

Description Cisco-LEAP-Session-Key Cisco-Keywrap-Msg-Auth-Code Cisco-Keywrap-NonCE Cisco-Keywrap-Key Cisco-URL-Redirect Cisco-URL-Redirect-ACL

These Cisco-specific attributes are not supported: Auth-Algo-Type and SSID.

Cisco Wireless LAN Controller Configuration Guide

Configuring Security Solutions Configuring RADIUS

Authentication Attributes Honored in Access-Accept Packets (Standard)

Message authentication is not supported.

Authentication Attributes Honored in Access-Accept Packets (Microsoft)