Wireless Networking

Video CBT
LAB SERIES

Wireless Networking
CWNA Study Package

Video CBT Lab 20


Managing Wireless Networks
for the Blue Crab Food Co.

Wireless Network Implementation & Administration for Blue Crab Food Co.
(In preparation for the Certified Wireless
Network Administrator (CWNA) Exams)
Fast Track CBT Video Lab 20
Labs 1 - 8

Page 1 of 139

Train Signal, Inc., 2002-2005

About the Author


David Davis has been in the IT industry for 12 years. He currently manages a group of
systems/network administrators for a privately owned retail company and authors IT-related
material in his spare time. He has written over fifty articles, eight practice tests and coauthored one book. His certifications include: IBM Certified Professional-AIX Support,
MCSE+Internet, Sun Certified Solaris Admin (SCSA), Certified Information Systems
Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Wireless Network
Administrator (CWNA), Cisco CCNA, CCDA, CCNP, and CCIE #9369.
Train Signal, Inc.
400 West Dundee Road
Suite #106
Buffalo Grove, IL 60089
Phone (888) 229-5055 or (847) 229-8780
Fax (847) 229-8760
www.trainsignal.com
Copyright and other Intellectual Property Information
Train Signal, Inc., 2002-2005. All rights are reserved. No part of this publication,
including written work, videos and on-screen demonstrations (together called the
Information or THE INFORMATION) may be reproduced or distributed in any form
or by any means without the prior written permission of the copyright holder.
Products and company names, including but not limited to, Microsoft, Novell and Cisco, are
the trademarks, registered trademarks and service marks of their respective owners.

Disclaimer and Limitation of Liability


Although the publishers and authors of the Information have made every effort to ensure
that the information within it was correct at the time of publication, the publishers and the
authors do not assume and hereby disclaim any liability to any party for any loss or damage
caused by errors, omissions, or misleading information.
TRAIN SIGNAL, INC. PROVIDES THE INFORMATION "AS-IS." NEITHER TRAIN
SIGNAL, INC. NOR ANY OF ITS SUPPLIERS MAKES ANY WARRANTY OF ANY
KIND, EXPRESS OR IMPLIED. TRAIN SIGNAL, INC. AND ITS SUPPLIERS
SPECIFICALLY DISCLAIM THE IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THERE IS NO WARRANTY OR GUARANTEE THAT THE OPERATION
OF THE INFORMATION WILL BE UNINTERRUPTED, ERROR-FREE, VIRUS-FREE, OR THAT THE INFORMATION WILL MEET ANY PARTICULAR
CRITERIA OF PERFORMANCE OR QUALITY. YOU ASSUME THE ENTIRE RISK
OF SELECTION, INSTALLATION AND USE OF THE INFORMATION.
IN NO EVENT AND UNDER NO LEGAL THEORY, INCLUDING WITHOUT
LIMITATION, TORT, CONTRACT, OR STRICT PRODUCTS LIABILITY, SHALL
TRAIN SIGNAL, INC. OR ANY OF ITS SUPPLIERS BE LIABLE TO YOU OR ANY
OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES OF ANY KIND, INCLUDING WITHOUT
LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE,
COMPUTER MALFUNCTION, OR ANY OTHER KIND OF DAMAGE, EVEN IF
TRAIN SIGNAL, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. IN NO EVENT SHALL TRAIN SIGNAL, INC. BE LIABLE FOR
DAMAGES IN EXCESS OF TRAIN SIGNAL, INC.'S LIST PRICE FOR THE
INFORMATION.
To the extent that this Limitation is inconsistent with the locality where You use the
Software, the Limitation shall be deemed to be modified consistent with such local law.
Choice of Law:
You agree that any and all claims, suits or other disputes arising from your use of the
Information shall be determined in accordance with the laws of the State of Illinois, in the
event Train Signal, Inc. is made a party thereto. You agree to submit to the jurisdiction of
the state and federal courts in Cook County, Illinois for all actions, whether in contract or in
tort, arising from your use or purchase of the Information.

TABLE OF CONTENTS
INTRODUCTION
LAB SETUP
SETTING UP THE LAB
COMPUTER 1
COMPUTER 2
COMPUTER 3
LAB SCENARIO
LAB 1
CREATING A WIRELESS AD-HOC NETWORK ON WINDOWS CLIENTS
SECURING YOUR AD-HOC NETWORK
CONFIGURING WINDOWS CLIENTS TO SHARE FILES OVER THE AD-HOC NETWORK
LAB 2
CONNECTING TO THE INTEGRATED WIRELESS ROUTER
CONFIGURING MANAGEMENT BASICS AND CUSTOMIZING CONFIGURATION
TESTING CLIENT COMMUNICATIONS TO THE INTERNET
CONFIGURING BASIC WIRELESS SECURITY
LAB 3
USING THE LINKSYS AVAILABLE TOOL TO DO A BASIC SITE SURVEY
CONFIGURING WIRELESS CHANNELS
CONFIGURING SERVICE SET IDENTIFIER (SSID)
DISABLING SSID BROADCAST
LAB 4
CONFIGURING INBOUND ADDRESS TRANSLATION FOR THE WEB/EMAIL SERVER
CONFIGURING INTERNET ACCESS RESTRICTIONS
CONFIGURING WIRELESS MAC FILTERING
LAB 5
CONFIGURING WPA PRE-SHARED KEY AUTHENTICATION
CONFIGURING AND TESTING WPA-PSK ON CLIENT1
ENABLING WPA2 PRE-SHARED KEY AUTHENTICATION (802.11I PERSONAL MODE)
CONFIGURING AND TESTING WPA2 PRE-SHARED KEY AUTHENTICATION (802.11I PERSONAL MODE) ON CLIENT1
LAB 6
INSTALLING A RADIUS SERVER IN WINDOWS
INSTALLING WINDOWS DNS AND IAS
INSTALLING WINDOWS AD
INSTALLING CERTIFICATE SERVICES
CONFIGURING WINDOWS INTERNET AUTHENTICATION SERVICE (IAS)
REGISTERING THE IAS SERVER WITH AD
ADDING A NEW IAS RADIUS CLIENT
IAS POLICIES
CREATING A USER
USING RADIUS WITH WPA2 SECURITY
CONFIGURING AND TESTING YOUR CLIENT
LAB 7
BACKING UP AND RESTORING CONFIGURATION FILES
UPGRADING FIRMWARE
MODIFYING DHCP SETTINGS
LAB 8
TESTING THROUGHPUT OF YOUR WLAN
TROUBLESHOOTING INTERNET CONNECTIVITY
TROUBLESHOOTING WIRELESS CONNECTIVITY

Introduction
Welcome to Train Signal!
This series of labs on Wireless Networking is designed to give you detailed, hands-on
experience working with Wireless Technologies. Train Signal's Audio-Visual Lab courses are
targeted towards the serious learner, those who want to know more than just the answers to
the test questions. We have gone to great lengths to make this series appealing to both those
who are seeking the Certified Wireless Network Administrator (CWNA) certification and to
those who want an excellent overall knowledge of Wireless technologies.
Each of our courses puts you in the driver's seat, working for different fictitious companies,
deploying complex configurations and then modifying them as your company grows. They
are not designed to be a "cookbook" lab, where you follow the steps of the recipe until
you have completed the lab and have learned nothing. Instead, we recommend that you
perform each step and then analyze the results of your actions in detail.
To complete these labs yourself, you will need three computers equipped as described in the
Lab Setup section. You also need to have a foundation in Windows XP/2003 and TCP/IP
concepts. You should be comfortable with installing the Windows operating system and
getting it up and running. Basic networking skills will be very helpful. These labs will start
from a default installation of Windows XP/2003 with a wireless adaptor and a wireless access
point/router. From there, we will run you through the basic configurations and settings that
you must use for the labs to be successful. It is very important that you follow these
guidelines exactly, in order to get the best results from this course.
The course also includes a CD-ROM that features an audio-visual walk-through of all of the
labs in the course. In the walk-through, you will be shown all of the details from start to
finish on each step, for every lab in the course. During the instruction, you will also benefit
from live training that discusses the current topic in great detail, making you aware of many
of the associated fine points.
Thanks for choosing Train Signal!

Scott Skinger
Owner
Train Signal, Inc.

Lab Setup

Setting up the Lab


1. Computer Equipment Needed

| Item | Minimum | Recommended |
|---|---|---|
| Computers | (2) Pentium 2 266 MHz. A USB port is required for the wireless adaptors. | (3) Pentium II 400MHz or greater. 3RD system is a RADIUS server. A USB port is required for the wireless adaptors. |
| Memory | 128 MB | 256 MB |
| Hard Drive | 4 GB | 6 GB or larger |
| NIC | 1 per computer (wireless NICs are used) | 1 per computer (wireless NICs are used for the workstations, the server will use a wired NIC) |
| Networking | Linksys WRT54G 802.11b/g integrated wireless access point using firmware 4.00.7 or greater. Linksys WUSB54G USB 802.11b/g adaptor (These can be used in place of the wireless NICs) | Linksys WRT54G 802.11b/g integrated wireless access point using firmware 4.00.7 or greater. Linksys WUSB54G USB 802.11b/g adaptor (These can be used in place of the wireless NICs) |
| Dedicated Internet Connection | Not required for all labs but you will be unable to test some Internet connectivity. | High-Speed Internet connection (i.e. DSL, Cable, T1, etc). One public IP address. |
| Software | Windows XP Pro | Windows XP Pro, Windows Server 2003 |

You are strongly urged to acquire all of the recommended equipment in the list above. It
can all be easily purchased from eBay or another source, for around $500 (less if you already
have some of the equipment). This same equipment is used over and over again in all of
Train Signal's labs and will also work great in all sorts of other network configurations that
you may want to set up in the future. It will be an excellent investment in your education.
Call or email us at: support@trainsignal.com if you need help locating networking
equipment. Two other products that you may also want to look into are a KVM (Keyboard-Video-Mouse) switch and a disk-imaging product, such as Norton Ghost. The KVM switch
will allow you to run all of your computers using a single keyboard/monitor/mouse set. A
button allows you to quickly control which PC you are managing. Disk imaging software
will save you a tremendous amount of time when it comes to reinstalling operating systems
for future labs. Many vendors offer trial versions or personal versions of their products that
are very inexpensive.
2. Computer Configuration Overview

| Computer Number | | | |
|---|---|---|---|
| Computer Name | CLIENT1 | CLIENT2 | SERVER1 |
| IP Address | Any IP given via router's DHCP | Any IP given via router's DHCP | IP 192.168.1.10, Subnet 255.255.255.0 |
| Default Gateway | 192.168.1.1 will be assigned via router's DHCP | 192.168.1.1 will be assigned via router's DHCP | 192.168.1.1 |
| OS | Windows XP Pro | Windows XP Pro | Server 2003 |
| Additional Configurations | SP2 or later and Microsoft Windows XP update KB893357 | SP2 or later and Microsoft Windows XP update KB893357 | SP1 or later |

***Important Note***
This lab should NOT be performed on a live production network. You should only use computer
equipment that is not part of a business network AND is not connected to a business network.
Train Signal Inc., is not responsible for any damages. Refer to the full disclaimer and limitation of
liability, which appears at the beginning of this document and on our Website at:
http://www.trainsignal.com/legalinfo.html

3. Detailed Lab Configuration


Computer 1
Computer 1 will be named Client1 and the operating system on this computer will be
Windows XP Pro. You should also install Service Pack 2 or later to avoid any unforeseen
problems. Also, Microsoft Windows XP update KB893357 needs to be applied for the
WPA2 lab to work correctly. To install KB893357 you can go to http://www.microsoft.com
and search for KB893357. You will be able to download and install the hotfix.
Client1 will have one wireless NIC with a dynamic IP address obtained from the router's
DHCP server. The Linksys DHCP IP address range, by default, is 192.168.1.100 - .149 with
a subnet mask of 255.255.255.0. The default gateway, obtained through DHCP, should be
192.168.1.1, which is the IP address for the Router/AP. The DNS server will also be
obtained from your Router/AP. At this time leave all IP settings on the workstations to be
Obtained Automatically. These clients are in a workgroup named WORKGROUP. See
figure 1, page 17.
Computer 2
Computer 2 will be named Client2 and the operating system on this computer will be
Windows XP Pro. You should also install Service Pack 2 or later to avoid any unforeseen
problems. Also, Microsoft Windows XP update KB893357 needs to be applied for the
WPA2 lab to work correctly.
Client2 will have one wireless NIC with a dynamic IP address obtained from the router's
DHCP server. The router's DHCP IP address range, by default, is 192.168.1.100 - .149 with
a subnet mask of 255.255.255.0. The default gateway, obtained through DHCP, should be
192.168.1.1, which is the IP address for the Router/AP. The DNS server will also be
obtained from your Router/AP. At this time leave all IP settings on the workstations to be
Obtained Automatically. These clients are in a workgroup named WORKGROUP. See
figure 1, page 17.
Computer 3
Computer 3 will be named Server1 and the operating system on this computer will be
Windows Server 2003. Computer 3 will be in a workgroup called WORKGROUP. The
wired NIC in Server1 will have a static IP address of 192.168.1.10 and a subnet mask of
255.255.255.0. The default gateway and DNS settings should be set to the private IP of the
Router. By default on Linksys Routers this is 192.168.1.1 but it may vary if you have a
different manufacturer's router. See figure 1, page 17.

4. Installing Client Wireless Adaptors And Drivers


You will need to install the wireless network interface on each client. For the purposes of
this lab, the Lab Setup recommends a Linksys WUSB54G USB 802.11b/g adaptor. One
benefit to a USB adaptor is that all you need to do to install it is to connect it to the USB
port on your PC. If you are using the recommended wireless USB adaptor, you will take the
USB cable from the box, connect the Type B male end to the wireless adaptor and the
Type A male end to the PC. Note that the ends are different but that each end will only fit
on its proper device.
You will use Windows network settings throughout this lab and not the manufacturer's
settings. The only exception is the basic site survey which will be performed in Lab 3.
After performing the physical installation of the USB wireless adaptor on both clients, load
the drivers on Client 1. When you connect the new USB wireless adaptor, Windows XP will
tell you that new hardware has been found and will ask you to provide a driver. The
manufacturer may recommend that you install their CD that contains the drivers first. If you
do that, you won't get asked for one. You have chosen just to connect the USB adaptor and
will therefore get prompted. Here is the prompt. As you already have the driver CD inserted
into the drive, you will choose "Install from a specific location".

Windows will prompt you for the location and you can tell it specifically where to find the
new WLAN drivers.

After telling the system where to find the drivers, it will copy them over and your installation
is done!

Repeat the steps from step #1 to load the drivers on CLIENT2 (see steps above).
Note: Once the drivers are installed, do not change any settings on the adaptors or wireless
configuration.

(figure 1)
***Important Note***
This lab should NOT be performed on a live production network. You should only use computer
equipment that is not part of a business network AND that is not connected to a business network.
Train Signal Inc. is not responsible for any damages. Refer to the full disclaimer and limitation of
liability which appears at the beginning of this document and on our Web site at:
www.trainsignal.com

Lab Scenario
Blue Crab Food Co. (www.bluecrabfood.com) is a seafood distribution company. They
process and package seafood at their main office in Nags Head, North Carolina. They are
opening a packaging plant about two miles away, near Whalebone, NC.
Blue Crab Food Co. has always been a low-tech company. However, they have set forth on
an initiative to modernize all their plants. They will install PCs on every desk and across the
plant floor. They will also need to connect all their processing plants to the server at the
main office. The main office was built for Blue Crab back in the early 1900s and has many
rooms and thick concrete walls. Blue Crab will need over 100 cable drops for the new
devices. For these reasons, Blue Crab's CIO has decided that a wireless network
infrastructure would be a better choice over a wired infrastructure. In addition, the CIO has
chosen to connect the new packaging plant, in Whalebone, via a wireless network link. This
will definitely save the company the monthly recurring cost that a T1 circuit would incur.
Fortunately, the new packaging plant has a direct line of sight that should accommodate the
wireless connection well.
Blue Crab Food Co. has hired you, on a contract basis, to implement the new wireless LAN
at the main office and the wireless link connection that will connect the new location. The
CIO, Jim, also mentions that there is an opportunity for you to become a full time network
administrator with the company, if the project goes well.
As a contractor, you will be solely responsible for implementing the new Blue Crab wireless
network. In this series of labs you will start with a small wireless LAN with only one access
point (AP) and one client. You will grow that wireless LAN into multiple APs, add a wireless
bridge link, add levels of security, configure management options, test performance, learn
wireless troubleshooting and much more.
Before starting any of the labs you should ensure that you have set up your network
according to the Lab Setup section which can be found earlier in this lab.

Lab 1
Creating an Ad-Hoc Wireless LAN
You will learn how to:
Create a wireless ad-hoc network on Windows clients
Secure your ad-hoc network
Configure Windows clients to share files over the ad-hoc network

Lab Scenario
You have ordered the wireless equipment for the Blue Crab Food network but it has not yet
arrived. In the meantime, you want to experiment with some wireless settings between two
Windows XP client machines. This will better acquaint you with the settings. Also, you want
to see how an ad-hoc network is configured in case you need to implement it later at Blue
Crab. By doing these exercises, you will be better prepared for the future wireless
configuration options when the equipment arrives. You have borrowed two users' desktop
machines for your tests. You will call them CLIENT1 and CLIENT2.
Prior to beginning Lab 1, you should have already installed your wireless adaptor and drivers,
per the Lab Setup instructions.

Creating a wireless ad-hoc network on Windows clients


Let's get started creating our ad-hoc network on Client 1. Initially, you won't use any
authentication or encryption until you verify that it works.
1. Begin the configuration of the wireless adaptor by going to Start > Connect To >
Wireless Network Connection. If Connect To is not available on your menu then you
must right click Start menu > Properties > Customize. On the Advanced tab in the
Start Menu make sure to check My Network Places. Click OK twice and you should
see Connect To on the menu now. Another way to access the wireless connection is by
clicking on the new wireless device icon on the bottom left of the taskbar.

2. You will see the screen below that will ask you to choose a wireless network. As you can
see in this screen you may see other wireless networks that are not yours.

3. Click on the Change advanced settings icon on the left of this window.

4. Go to the Wireless Networks tab. This is where you will do most of your wireless
network configuration.

5. Now, click Add on the Preferred networks section as this is where you will create your
ad-hoc network. You will see the window below. In this window you will create the
SSID (Service Set Identifier) that will uniquely identify your wireless ad-hoc network.
Let's choose BLUECRAB-ADHOC.
Also, to make sure you don't have any trouble making your first connection, you will
disable all authentication and encryption. So select Open for Network Authentication
and Disabled for Data encryption. Check the "This is a computer-to-computer (ad
hoc) network; wireless access points are not used" box. When you are done, click
OK. Windows may prompt you with a warning that the network is not encrypted but
just click Continue Anyway.

6. When you return to the Wireless Networks screen, click on the Advanced button near
the bottom. Normally, you would use the default settings under the advanced wireless
button as they prefer infrastructure wireless networks (networks with an access point).
However, for the purposes of this lab, you will change those settings so that you only use
ad-hoc networks (computer-to-computer). You will therefore need to check
Automatically connect to non-preferred networks.

7. Click Close to return to the Wireless Networks screen and you will see that your new
preferred ad-hoc network has been added. Click OK to save and apply these settings.

You have now created the ad-hoc network on CLIENT1.

8. You will now configure CLIENT2 to communicate only with computer-to-computer
ad-hoc networks and to automatically connect to non-preferred wireless networks.
Open the wireless adaptor's advanced configuration on CLIENT2.

9. Click on the Advanced button and configure the same settings as CLIENT1. This is
where you will set the wireless adaptor to only communicate with ad-hoc networks and
to Automatically connect to non-preferred networks.

10. Click Close to close the window and click OK on the remaining window to save and
apply your settings.

You have now completed the configuration required for CLIENT2.


11. CLIENT1 will immediately connect to the new ad-hoc network and will acquire an IP
address.

12. CLIENT2 gets an automatic private IP address (APIPA) and is connected.

13. CLIENT2 has obtained an automatic private IP address in the 169.254.x.x range. Double
click on the wireless adaptor on the bottom right of the taskbar to see the adaptor's
properties. Click on the Support tab to see its IP address (as shown below).

14. Back on CLIENT1, if you refresh the network list, you will see that the new
BLUECRAB-ADHOC network has appeared and that the client has automatically
connected to it!

15. You may also see a balloon popup that tells you that it has successfully connected to this
new network.

16. CLIENT1 has obtained an automatic private IP address in the 169.254.x.x range. Double
click on the wireless adaptor on the bottom right of the taskbar to see the adaptor's
properties. Click on the Support tab to see its IP address (as shown below).

17. We will now disable the Windows Firewall. Right click on the wireless connection in
the system tray and click on Change Windows Firewall settings.

18. To make sure that everything works at this time we will now disable the firewall
completely. On the Windows Firewall screen in the General tab check Off. Note that
this is not the most secure option, but it will allow you to complete the lab without
issues.

19. Now, it's time to test this new network! Let's verify first that CLIENT1 can ping
CLIENT2 and that CLIENT2 can ping CLIENT1. From CLIENT1 run CMD and
ping the IP of CLIENT2. Note that your IP address will differ from the one in the
screen below.

20. From CLIENT2 run CMD and ping the IP of CLIENT1. Note that your IP address
will differ from the one in the screen below.

Your ad-hoc network is now tested and working!

Securing your ad-hoc network


You know that there are always security concerns with wireless networks. Therefore, any
network that you implement must have authentication and encryption to protect the data
from eavesdropping and modification. Next, let's secure this ad-hoc network with WEP
(wired equivalent privacy) using a shared key.
1. On CLIENT1, change the security settings from Open-Disabled to Shared-WEP in
the Properties section for the BLUECRAB-ADHOC network. Begin the configuration
of the wireless adaptor by going to Start > Connect To > Wireless Network
Connection. You can also click on the new wireless device icon on the bottom left of
the taskbar. Next click on the Change advanced settings icon on the left of this
window.

2. Go to the Wireless Networks tab.

3. Now, click on the BLUECRAB-ADHOC network and click Properties in the
Preferred networks section. Set the Network Authentication drop box to Shared and the
Data Encryption drop box to WEP. You will set the key to 1234567890 as a minimum
of 10 hexadecimal characters is required.

4. Once you have added security, go over to CLIENT2 and you will see that the network
still shows as connected. It will also say that it is secure. This is strange as it shouldn't be
connected on CLIENT2 as you have not put in the new key. However, if you attempt to
ping CLIENT1 now, you will find that there is no longer any communication.

5. Even if you disconnect the network on CLIENT2, it will automatically reconnect, not
prompt for a password, but still have no communications. To prevent the auto
reconnect and to get it to prompt you for a password, go in and modify the wireless
settings on CLIENT2. Uncheck the Automatically connect to non-preferred
networks box, as shown in the picture below. Click Close and OK to save settings.

6. The client will now automatically disconnect from the ad-hoc network. Go back into the
list of available wireless networks and double click on the BLUECRAB-ADHOC
network. You will now be prompted for the key. Enter your key - 1234567890.

7. You are now securely connected to the BLUECRAB-ADHOC network using Shared-WEP authentication and encryption.

8. If you ping from CLIENT2 to CLIENT1, the ping now works:
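
The following is an added example, not part of the Train Signal lab material. It sketches how WEP protects a frame body, using the lab key 1234567890 from step 3: a station holding the key recovers the payload, while a station with a different key fails the integrity check and gets nothing, which is consistent with the failed ping in step 4. It goes beyond the lab by also accepting the ASCII key formats; the function names, the second key and the sample payload are constructed for illustration.

```python
"""WEP frame protection sketch: RC4 keyed with IV || key, CRC-32 ICV.

Added illustration; function names and sample values are constructed.
"""
import binascii
import os
import struct

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_wep_key(text):
    """Return key bytes for 10/26 hex digits or 5/13 ASCII characters."""
    if len(text) in (10, 26) and set(text) <= HEX_DIGITS:
        return bytes.fromhex(text)
    if len(text) in (5, 13):
        return text.encode("ascii")
    raise ValueError("WEP key must be 10/26 hex digits or 5/13 ASCII characters")


def rc4(key, data):
    """Plain RC4: key scheduling, then XOR of data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", binascii.crc32(payload) & 0xFFFFFFFF)


def wep_encapsulate(key, payload, iv=None, key_id=0):
    """Build a frame body: IV (3 bytes, clear) | key-id byte | RC4(payload | ICV)."""
    iv = os.urandom(3) if iv is None else iv
    if len(iv) != 3:
        raise ValueError("WEP IV is exactly 3 bytes")
    header = iv + bytes([(key_id & 0x03) << 6])
    return header + rc4(iv + key, payload + icv(payload))


def wep_decapsulate(key, body):
    """Return the payload, or None when the ICV does not verify (frame dropped)."""
    if len(body) < 8:
        return None
    iv, ciphertext = body[:3], body[4:]
    plain = rc4(iv + key, ciphertext)
    payload, received_icv = plain[:-4], plain[-4:]
    return payload if icv(payload) == received_icv else None


def demo():
    """Protect one constructed payload and open it with two different keys."""
    lab_key = parse_wep_key("1234567890")     # key entered in step 3 of the lab
    other_key = parse_wep_key("0987654321")   # constructed: station with another key
    payload = b"echo request over BLUECRAB-ADHOC"  # constructed sample payload
    body = wep_encapsulate(lab_key, payload, iv=b"\x00\x00\x01")
    return {
        "secret_bits": len(lab_key) * 8,
        "iv_in_clear": body[:3],
        "with_lab_key": wep_decapsulate(lab_key, body),
        "with_other_key": wep_decapsulate(other_key, body),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

A 10-hex-digit key carries 40 secret bits, and the 3-byte IV travels in clear at the front of every frame body. Lab 5 of this series replaces WEP with WPA and WPA2 pre-shared keys.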

Configuring Windows clients to share files over the ad-hoc network


To test your new ad-hoc wireless network, you will transfer a file over it using Windows file
sharing. The following steps will take you through the configuration and testing process.
1. Go to Network Neighborhood on CLIENT 2.

2. Click on Set up a home or small office network.

3. You will see the following Network Setup Wizard.

4. Click Next. Note that if you have any unplugged or disabled Internet connections you
will want to ignore them when prompted. Select Other and then click Next.

5. Select This computer belongs to a network that does not have an Internet
connection and click Next.


6. Enter the computer's name as Client2 and click Next.

7. Call your workgroup WORKGROUP and click Next. The real Blue Crab Food Co.
will, of course, have a Windows Active Directory domain. Again, this is only for testing
the Windows file sharing capability of your network.


8. Click the radio button for Turn on file and print sharing.

9. After some processing, the wizard will ask if you want to create a network setup disk
which will be used to distribute this configuration. You will select Just finish the
wizard; I don't need to run the wizard on other computers and click Next.


10. After some processing, the Network Setup Wizard will be complete. Click Finish.

11. After the network is set up you will have to enable the guest account to allow Windows
browsing by the remote system. I generally recommend putting a password on it but this
is not necessary for your testing purposes here. When you are all done with your tests,
you will disable the guest account as this is a security risk and is not needed in a
Windows AD network.
Right click on My Computer and click Manage. Click Local Users and Groups and
double click to expand users. Double click on the Guest account and you will see the
following window.


12. Uncheck the Account is disabled checkbox for the Guest account. Click OK to save
these changes and to close your windows.
Next, move over to Client1 and repeat the process in Step #1.
After running the Network Setup Wizard on both systems, let's go into Client1 - Start
Menu -> My Network Places -> View workgroup computers and see which
computers are in the workgroup you have created.

13. You'll see that both systems are listed in the workgroup - this is a good sign!


14. After clicking on CLIENT2 from CLIENT1 you can see that you are able to see file
shares across the network.

Your new wireless ad-hoc network works! You can ping and share Windows files, all
without an access point, a hub or wires!
Note: When you are done with Lab 1, please go back and do the following on BOTH
clients:

Disable the Guest account.
Configure your advanced wireless preferences to:
1. Not connect automatically to non-preferred networks and;
2. Access any available wireless network (access point preferred).
Remove the preferred network called BLUECRAB-ADHOC and save the change by
selecting OK.
Reboot both systems (or at least disable and enable the wireless adaptor).


Lab 2
Basic Wireless Router & Client Setup
You will learn how to:
Connect to the integrated wireless router
Configure management basics and customize configuration
Test client communications to the Internet
Configure basic wireless security


Lab Scenario
Now that the new access points have arrived, you need to set up a basic wireless LAN
(WLAN) and a single client. In this lab, you will begin implementing your wireless network by
configuring an access point in infrastructure mode. A WLAN that uses an access point as a
central communications hub between clients is said to be in infrastructure mode.
This wireless access point (AP) will be the first of many APs you will set up and will serve as
a model for the future access points at Blue Crab Food Co.
The access-point you have selected is an integrated router, switch, wireless AP and firewall.
This integrated device will be connecting to the new cable Internet connection you ordered.
You already have a Motorola cable modem in place. It has an Ethernet jack on the back of it.
For now, you have a dynamic IP address and a 3MB download speed.
While you know that this integrated device should, in theory, work fine in this capacity out
of the box, you do want to go through it and configure all the management options that
need to be configured. These options will help to secure the integrated device and to secure
the wireless LAN.
For this lab, the recommended router/AP in the Lab Setup works best, but most any
router/AP will be able to perform these labs. The recommended router/AP also includes a
router, 4 port switch and firewall. For the clients, the wireless adaptors specified in the Lab
Setup are recommended but most any wireless adaptor will work fine for these labs.
In this lab, the clients will be using the wireless adaptor that was installed in Lab 1.
***Note***
Every manufacturer's access point varies in how it must be configured. For the purposes of
these labs, the Lab Setup recommends a standard Linksys home access point because they
are easy to obtain and cover all the basic features you need to know. In the real world, most
businesses would choose to spend much more and to get more features.


Connecting to the integrated wireless router


After connecting the wireless router to the cable modem (using the port labeled Internet)
and powering on both devices, you begin the lab on your single wireless client. Note how
you are able to fully configure your access point without ever hooking a cable up to your
client!
1. On your Windows XP CLIENT1, go to Start -> Connect To -> Wireless Network
Connection X. Click on View Wireless Networks to view the list. Without even
reading the manual, it is pretty obvious that your new Linksys access point is available as
you can see its default SSID, linksys.


2. Double click on it to connect. You will have to agree to connect to an unsecured
network after which you will be connected and will be given an IP address.

3. To configure your new wireless router, open your web browser and point it to the
default IP address of the Linksys device, http://192.168.1.1. If you look at your IP
address configuration, this is also your default gateway.


4. You will be prompted to enter a username and password. All you really need to enter is a
password of admin. The username can be left blank. The password of admin and a
blank username is a well-known Linksys attribute. There are websites that list all the
default passwords for devices such as this. For security reasons, you will be changing
this, and other options, later in this lab.
Once authenticated, you will see the following basic setup screen for your new device.

That was easy, wasn't it? Now, knowing that this was so very easy for us, you want
to make things very difficult for unwanted visitors to our new network device. You will
do that by changing the defaults and customizing the device.


Configuring management basics and customizing configuration


From the basic setup screen, you can learn a lot about your new device and its default
settings. For example, you can see from here that it is attempting to obtain its IP address
from the Internet via DHCP, it is handing out IP addresses to clients on its wireless and
wired LAN via DHCP, it thinks that it is in the Pacific time zone (maybe it is or maybe it
isn't) and its firmware version is 4.
Let's customize and add some security to the Blue Crab Food access point/router by
modifying the following features (note that these are features you would want to modify on
any access point/router in use):

Router name, host name, and time zone.
Password, remote access method and disable UPnP.
Enable logging.

After you change these settings, you will then backup your configuration.


1. To change the router name, host name, and time zone, you can enter these settings from
the main setup screen you have looked at already. Set the router name and host name to
Crab1 as this will be the first wireless access point/router on the network. Set the time
zone to Eastern Time, as this is where North Carolina and the Blue Crab Food Co., are
located. In the screen below, you will see the changes for the network:


2. To set the administrator password, remote access method, and to disable UPnP, go to the
Administration tab. It brings us to the default page called Management. You will
change the administrative password to bluecrab so that not everyone knows it (in the
real world, you should change it to a word that is not in the dictionary and that contains
some special characters with upper and lower case).
At this time you will also change the web administration page to only be available via
HTTPS, not just HTTP. To do this, check the HTTPS box and uncheck the HTTP
box. Finally, disable universal plug and play by clicking the Disable button next to
UPnP as this can be a security risk. You can now see the changes in the following screen:


3. After changing these settings, click Save Settings. You will be asked to authenticate
again. Make sure that you use the new password that you just set. Next, you will be
asked to accept the certificate from the Linksys device. If you are not prompted for
this then you need to make sure to update your router's firmware. Some firmware
versions prior to 4.0 had issues with HTTPS - up-to-date firmware can be downloaded
from the Linksys website. This shows that you are being redirected to the secure HTTPS
management site. After that, you will be asked to authenticate again.


4. You should now be back at the main management page for the Linksys device but your
URL will now read HTTPS instead of HTTP and the lock icon will be shown on the
bottom of your web browser. This indicates that you are at a secure site. Lastly, you will
enable logging so that all incoming and outgoing traffic is logged. Staying on the same
default Management page, click on the sub tab Log and then click Enable and then
Save Settings.

5. Here is what the incoming log after a visit to a website looks like.


Testing client communications to the Internet


Before you go any further, let's verify that you have Internet access through the router. You
are already connected wirelessly and can talk to the wireless router. Now you will verify that
the router has a WAN (Internet, in this case) IP address.
1. Go to the Status tab and look at the Router status section.

As you can see from this screenshot, the router has obtained an Internet IP address. You
know this because its IP address is 67.x.x.x (not in the private RFC1918 or APIPA
range) and it is using DHCP. Therefore, it must have obtained this public IP address
from the cable ISP. Other important things of note are the subnet mask, the default
gateway and the DNS servers. These DNS servers will be given to your wireless and
wired clients with their DHCP information.

2. Another good test of Internet connectivity is a ping from the router. This model of
wireless router has built-in ping and traceroute functions. Go to the Administration tab
and the Diagnostics section. From here, do a ping to www.trainsignal.com. Here is an
example.

The successful ping indicates that things are looking good!


3. Lastly, use your PC to attempt connection to the Internet through the router. Open your
web browser and go to www.trainsignal.com, like this:

It works!


Configuring basic wireless security


Everyone has heard of issues surrounding wireless security so you always want to take every
security precaution you can with wireless. However, when configuring a new network, you
don't want to configure every security option possible on the first go around. Instead, you
want to start with no security (on a test network) and then slowly layer the security on. In
between each layer, you would test to make sure that everything still functions properly.
So far, your wireless network has absolutely no security. This is the default. Now, let's layer
on one layer of basic security - WEP (wired equivalent privacy). With WEP, you have a
basic layer of authentication and encryption. However, it is common knowledge that WEP is
easy to crack. Still, most people won't spend the time to crack your WEP encryption just like
most people won't break into a door with a lock on it - even though most locked doors are
easy to break into.
1. To configure WEP security, go to the Wireless tab and click on the Wireless Security
section. You are just going to configure 64-bit WEP encryption with a key of
1234567890 for testing purposes. In the real world you would, of course, want a much
longer and more complex key. Also, you would probably not use WEP and would
instead use WPA2 or 802.11i. Here is how your configuration should look for our
purposes here:


2. Once you click Save Settings, you will lose your wireless connectivity to the access
point so be prepared for this. You will have to go into your Windows wireless settings by
double clicking the wireless network icon in the system tray and entering the new
WEP key to reconnect.

Once you are reconnected, you should be able to go back to the Internet and verify
connectivity. Basic WEP encryption is complete and so is Lab 2!


Lab 3
Configure Basic Wireless Settings
You will learn how to:
Do a basic site survey
Configure wireless channels
Configure the SSID
Disable SSID broadcast


Lab Scenario
You are setting up the first Blue Crab Food Co. wireless network. One of the first things
you should configure on every wireless access point is the service set identifier (SSID). This
is the name that identifies the wireless network you are advertising. You don't want to leave
it at the default as that would be a security concern. Also, for security reasons, you want to
disable its broadcast. This isn't a foolproof way of protecting your network as anyone who
is really trying will be able to see the network but it does protect it from the casual observer.
Even though this is the first wireless access point in the building, that does not mean that
there aren't other wireless APs outside that could be causing interference. You want to
configure the channel on your new AP so that its signal is not subject to this kind of
interference. To do this, you will use the basic site survey tool found on the Linksys driver
CD.

Using the available Linksys tool to do a basic site survey


We're now going to install the Linksys Wireless LAN configuration tool that came with your
USB WLAN adaptor and do a basic site survey to see what is around. This should be
done to get to know the wireless environment in which you are working. This tool is great
for basic site surveys but you may want to use a more advanced tool for site surveys on a
production network. This can be done on either one or both of the two client computers.
1. When you insert the CD that came with your Linksys USB adaptor, you will see the
following popup screen. Close this screen by clicking Exit.


2. Instead of using this tool, you should go to Start -> Run, click Browse and browse to
D:\Utility and run setup.exe. This will install the Linksys Wireless management utility
which you will use to do a basic site survey. Please note that:

You must either use this utility or Windows to configure your wireless settings
and connect to wireless networks. You cannot use both.
When installing this utility, it may take over your wireless configuration and
you may have to reconnect to the wireless LAN again with the WEP encryption
you used in Lab 2.
The reason you want to use this utility, for this lab, instead of the Windows
drivers is that the Linksys utility has a basic site survey tool built in.

3. Once installed, the utility will appear on the bottom right of your taskbar. The icon will
look like the example below (circled in RED). You can double click on this icon to run
the Wireless Network Monitor.

You can also access the tool by going to Start -> All Programs -> Linksys Wireless-G
USB Network Adaptor -> Wireless Network Monitor.
3. Once running, the Network Monitor will show you the current status of your wireless
connection.


4. If you aren't already connected in this picture, you can go to the Site Survey screen, find
the Linksys SSID, click Connect, and enter your WEP key from Lab 2. Once in the
wireless network monitor, click on Site Survey and you will see the following screen.

In this screen, you'll notice that there are 3 access points available (your screen will look
different). See that there are two APs on channel 6 and one on channel 11. In the video you
learned that you should only use APs on channels 1, 6, and 11 to prevent wireless
interference. In your case, you should move your new Linksys AP to channel 1 to prevent
interference with neighboring APs.


Configuring wireless channels


Now that you know that your AP is running on the same channel as another AP, you'll need
to change your channel to channel 1. Here's how to do it.
1. Under your AP's web configuration management screen, go to the Wireless tab. You
will be taken to the Basic Wireless Settings section. By clicking on the dropdown menu
in the Wireless Channel section, you will see the various channels on which the AP can
operate. You want to select Channel 1 (2.412 GHz) as it is the only channel that is not in
use out of the three channels you can choose from and still not have interference (i.e. 1,
6 and 11). Select Channel 1 and click Save Settings.


2. You will see, on your site survey tool, that your channel has now changed to channel 1
and should no longer be receiving interference from other APs.


Configuring Service Set Identifier (SSID)


1. To change the SSID, open the web configuration for your wireless router. In your
case, that means going to https://192.168.1.1 (as you previously enabled only HTTPS).
Once inside the web management interface, click on the Wireless tab. You will now see
the following screen. Notice that I have already entered the new SSID (Wireless
Network Name) - you should now enter it as BC1 for Blue Crab 1. This SSID does
change the SSID from the default but it isn't too telling.

2. After changing the name of your SSID, click Save Settings and you will get Settings are
Successful. After changing your SSID and clicking OK, you will get disconnected and
will have to reconnect. Do this with the same Linksys utility. To see the results of your
SSID change, go to the Linksys Site Survey utility and click Refresh. Notice that the
name of the SSID has changed from Linksys to BC1.


Disabling SSID broadcast


To hide our wireless network from the casual observer, you will now disable SSID
broadcast.
1. Go to your wireless router's web-based management screen and click on the Wireless
tab. Under the Basic Wireless Settings section, you will see Wireless SSID
Broadcast. Click the Disable button and then Save Settings.


2. After disabling SSID broadcast, you will see that the Linksys Network Monitor still sees
the wireless router, even after doing a refresh. If you change over to using Windows to
configure your wireless settings, Windows will not see the BC1 wireless router. Also, if
you uninstall and reinstall the Linksys network monitor, it will no longer see the BC1
wireless router. You will have to create a profile to be able to connect to the BC1
wireless router. Here is the Linksys Network Monitor after an uninstall and reinstall.

Notice that the BC1 wireless router is no longer visible. This is because you have
disabled SSID broadcast. Although it might appear that this is a tremendous security
feature as you have hidden your WLAN from public view, it does not actually offer
much security at all. The SSID is broadcast over the WLAN in beacon frames. Thus, if
someone listened on the WLAN with the right program, they would easily see your SSID
and wireless network. Many times, disabling the SSID broadcast just creates more of a
headache for people who are trying to connect to the WLAN.


Lab 4
Inbound Address Translation, Firewalling, &
MAC Filtering
You will learn how to:
Configure inbound address translation for the web & future
email server
Configure Internet access restrictions using firewall features
Filter workstations that can access the network wirelessly


Lab Scenario
Blue Crab Food Co. will have a local Internet web server. This web server will host their
small e-commerce site where they take credit card orders for seafood. For the web server,
you need to allow for inbound HTTP (hyper-text transfer protocol) to come into the web
server from the Internet. As they are selling their products over the Internet using credit
cards, you also need to allow for HTTPS (HTTP-Secure) so that they can encrypt these
credit card transactions.
At some point in the future, they will also have a local email server. The email server will
receive inbound company email and will send outgoing email. To allow for the email to
come in, you are going to have to permit SMTP (simple mail transfer protocol) on an
inbound basis.
Both the web and email servers will be configured as the same machine for now. We have
put in the request for the external Internet IP address provided to our router by Blue Crab
Food's ISP to be made static.
As you are configuring policies, don't forget that, besides needing to receive inbound traffic,
these devices will also need to be able to send outbound traffic (i.e. the response).
Additionally, you are continuing to shore up network security. One of the security policies
that the CIO has written dictates the following:

Clients in the DHCP range should only be allowed HTTP (port 80) basic web access
Monday through Friday. This will prevent users from using a number of other
applications that they should not be using. It may also help to prevent problems with
spyware and adware. On Saturdays and Sundays, no Internet access is allowed for
these devices.
Devices with static IP addresses should have full Internet access at all times. The
devices with static IP addresses should only be servers and printers.
Any clients who connect to the network wirelessly must be filtered by the MAC
address of their adaptor. While this does not prevent malicious MAC spoofing, it
does prevent the common person with a wireless adaptor from connecting to the
wireless LAN.

Based on these requirements, you will configure restrictions on Internet access and restrict
only two workstations, at this time, to access the network wirelessly.


Configuring inbound address translation for the web/email server


1. Go to the web-based management interface of the wireless router. Open your web
browser, go to https://192.168.1.1 and login. Open the Applications & Gaming tab.
You will be on the Port Range Forward section.
To forward inbound web traffic to your web server, use the table below to fill out the
necessary port forwarding settings:
Application   Port Range   Protocol   IP Address
HTTP          80 to 80     TCP        192.168.1.10
HTTPS         443 to 443   TCP        192.168.1.10
SMTP          25 to 25     TCP        192.168.1.10


2. After filling out these settings, check Enable and click Save Settings.
By adding these applications, the router will forward inbound Internet requests for web
traffic to the Blue Crab Food Co.'s web server. The web server already has access to send
traffic outbound to the Internet so that it can respond. This must be done as the router
is performing NAT and it does not know what to do with a request coming in on its
single Internet IP address (public network). There are a number of internal (private
network) computers (like the web server) and the router must know which system to
forward inbound ports to.
To test this configuration, you can load Microsoft IIS on Server1. Go to Start Menu ->
Control Panel -> Add/Remove Programs -> Add/Remove Windows
Components.
Double click Application Servers and then check Internet
Information Services (IIS). You will need to have your Windows Server 2003 disc
handy as it will be needed to install some of the files required by IIS.


3. Once installed, you will test to see if the web server is working by going to
http://localhost on the web server.

4. If you get an Under Construction response from localhost, go to a client, like client1,
and try the internal IP address of the web server (as shown in the following screen).
Note that Under Construction is the default page for IIS to load when it has just been
installed.


5. If that works, get your external IP address from the web management of the wireless
router. This can be found on the status page.


6. Now, ideally, you should go to a client that has another Internet connection to test web
services to your external IP address. However, you may also be able to access the
external IP of the web server using one of your internal clients.


Configuring Internet access restrictions


If you remember from the start of this lab, the CIO had specified that he wanted users to
have the following Internet restrictions:

Clients in the DHCP range should only be allowed HTTP (port 80) basic web
access Monday through Friday. This will prevent users from using a number of
other applications that they should not be using. It may also help to prevent
problems with spyware and adware. On Saturdays and Sundays, no Internet
access is allowed for these devices.

1. To configure the Internet access restrictions, per the CIO's security policy, open the
wireless router's interface at https://192.168.1.1 and then click on the Access
Restrictions tab. You will be taken to the Internet Access section.
Configure the wireless router so that it fits the security policy requirements. However,
there is a catch here. The HTTP web browsing protocol is not very useful if you cannot
look up domain names. So, you will also have to allow for port 53, DNS. To do this, you
will have to make two policies. The Linksys firewall only allows for two port ranges to be
blocked per policy (these types of rules will vary if you are using another vendor's
wireless router). So, you will now need to create Internet Access Policy 1. Call it
blockallbut53and80. Restrict it to the PCs in the wireless router's DHCP client range.


2. Restrict these systems from using this service to only Monday-Friday. Create two new
blocked services that, when combined, block all ports except for DNS (port 53) and
HTTP (port 80) - so, insert upto52, TCP & UDP, 1-52 as shown in the following
screen.

3. Then insert 54to79, TCP & UDP, 54-79 as shown in the following screen.


4. Note that these restrictions will only affect systems in the DHCP range. Thus, they will
not affect our server, located at 192.168.1.10.


5. Now, create Internet Access Policy 2. Call this policy blockallabove80. Use the same
IP restrictions, same day restrictions and same time restrictions.
Create another new service called above80. This will block ports 81 through 65,535.
Insert above80, TCP & UDP, 81-65535 as shown in the following screen.


6. Click Save Settings.


7. To test your settings, you will need to open Client1's Internet Explorer. You should be
able to visit any regular HTTP website but should not be able to visit an HTTPS website.
Finally, we need to configure a policy to block all Internet access on the weekends. Make
sure you check the relevant boxes to DENY access to these systems. You will have to
specify the same range of IP addresses as in the other policies.
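
The three policies above can be checked offline before they are relied on. The Python below is an added example, not Linksys code or part of the original lab: it models the policies and reports what a DHCP client can still reach on a given day. The DHCP pool 192.168.1.100-149 and the policy name weekend-deny are assumptions, since the lab does not state them.

```python
import ipaddress
from dataclasses import dataclass

# ASSUMPTION: the router's DHCP pool; the lab only says "DHCP client range".
DHCP_FIRST = ipaddress.ip_address("192.168.1.100")
DHCP_LAST = ipaddress.ip_address("192.168.1.149")

WEEKDAYS = frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"})
WEEKEND = frozenset({"Sat", "Sun"})


@dataclass(frozen=True)
class Policy:
    name: str
    days: frozenset
    blocked: tuple           # inclusive (low, high) destination port ranges
    deny_all: bool = False   # True = every port is denied on the listed days


POLICIES = (
    # Policy 1 from the lab: services upto52 and 54to79 (TCP & UDP).
    Policy("blockallbut53and80", WEEKDAYS, ((1, 52), (54, 79))),
    # Policy 2 from the lab: service above80 (TCP & UDP).
    Policy("blockallabove80", WEEKDAYS, ((81, 65535),)),
    # The lab leaves the weekend policy unnamed; this name is a placeholder.
    Policy("weekend-deny", WEEKEND, (), deny_all=True),
)


def in_dhcp_range(ip):
    """True when the source address falls inside the assumed DHCP pool."""
    return DHCP_FIRST <= ipaddress.ip_address(ip) <= DHCP_LAST


def is_allowed(src_ip, dport, day):
    """Would an outbound connection to dport pass the modelled policies?"""
    if not in_dhcp_range(src_ip):
        return True   # static hosts such as the server at 192.168.1.10
    for policy in POLICIES:
        if day not in policy.days:
            continue
        if policy.deny_all:
            return False
        if any(low <= dport <= high for low, high in policy.blocked):
            return False
    return True


def open_ports(day):
    """Destination ports 1-65535 a DHCP client can still reach on `day`."""
    probe = str(DHCP_FIRST)
    return [port for port in range(1, 65536) if is_allowed(probe, port, day)]


if __name__ == "__main__":
    for day in ("Mon", "Sat"):
        print(day, open_ports(day))
    print("server HTTPS on Sat:", is_allowed("192.168.1.10", 443, "Sat"))
```

If a blocked range is mistyped on the router (for example 54-78), the same check shows the extra open port immediately.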


Configuring wireless MAC filtering


Another piece of the CIO's security policy was to restrict wireless access to the network by
MAC address. To do this, you first need to know the MAC addresses of your clients.
The MAC addresses on Client1 and Client2 are:
Client1   00-0f-66-e7-50-d1
Client2   00-12-17-88-18-71

The MAC addresses on your wireless adaptors will be different. Make sure you substitute
the MAC addresses from your own wireless adaptors for the MAC addresses used in these
exercises.
1. To configure wireless MAC filtering and to restrict the wireless network to only our two
clients, go to the Wireless tab and click on the Wireless MAC Filter section. Click
Enable Wireless MAC Filtering. Once enabled, more choices will appear. Click to
Permit Only PCs listed to access the wireless network. Edit the list of MACs that
will be permitted and click Save Settings.


2. Close the MAC Address Filter List window and click Save Settings on the original
Wireless MAC Filter window.

At this point, only the two specified client workstations will be able to access the
network wirelessly. As you add more workstations, you will have to statically configure
the wireless router to allow access for them. For a small network with a fairly static
number of workstations this is not too much trouble. For a large network or a network
with many temporary workstations, static MAC filtering simply isn't practical.
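
Because the permit list is matched against an address the client itself reports, it is worth comparing the router's client table with the list from time to time. The Python below is an added example (not part of the original lab or any Linksys tool): it normalizes MAC notation and flags entries that are off the list, locally administered, or seen under two host names. The client-table rows and host names are constructed sample data.

```python
import re

# Permit list from the lab (Client1 and Client2); substitute your own adaptors.
PERMITTED = ("00-0f-66-e7-50-d1", "00-12-17-88-18-71")

# Constructed sample rows (host name, IP, MAC) standing in for a client table.
SAMPLE_TABLE = [
    ("CLIENT1", "192.168.1.100", "00:0F:66:E7:50:D1"),
    ("CLIENT2", "192.168.1.101", "0012.1788.1871"),
    ("FRONTDESK", "192.168.1.102", "00-0f-66-e7-50-d1"),  # same MAC as CLIENT1
    ("VISITOR", "192.168.1.103", "02-AA-BB-CC-DD-EE"),
    ("PRINTER", "192.168.1.104", "00-12-17-88"),          # truncated entry
]


def normalize_mac(text):
    """Return a MAC as lower-case aa:bb:cc:dd:ee:ff, or raise ValueError."""
    digits = re.sub(r"[-:.\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_clients(rows, permitted=PERMITTED):
    """Return (host, mac, finding) tuples for rows that need a closer look."""
    allowed = {normalize_mac(mac) for mac in permitted}
    first_seen = {}
    findings = []
    for host, _ip, raw in rows:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            findings.append((host, raw, "malformed"))
            continue
        if mac not in allowed:
            findings.append((host, mac, "not-on-permit-list"))
        # Bit 0x02 of the first octet marks a software-assigned address.
        if int(mac[:2], 16) & 0x02:
            findings.append((host, mac, "locally-administered"))
        # One MAC under two host names is what a cloned address looks like.
        if mac in first_seen and first_seen[mac] != host:
            findings.append((host, mac, "duplicate-of-" + first_seen[mac]))
        first_seen.setdefault(mac, host)
    return findings


if __name__ == "__main__":
    for finding in audit_clients(SAMPLE_TABLE):
        print(finding)
```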


Lab 5
Configuring WPA & WPA2 Pre-shared Key
Authentication
You will learn how to:
Enable WPA pre-shared key authentication
Test WPA-PSK
Enable WPA2 pre-shared key authentication (802.11i personal
mode)
Test WPA2-PSK


Lab Scenario
Successfully implementing and learning about security should be done in layers. The CIO of
Blue Crab Food, of course, wants security to be as strong as possible. We started with no
wireless security, added WEP, and, in this lab, we will configure WPA and WPA2. WPA is
Wi-Fi Protected Access. WPA was meant to be a temporary improvement over WEP prior
to WPA2 (also known as 802.11i) being released.
After configuring WPA, we will configure WPA2. In both of these situations, we will be
using pre-shared keys (passwords, if you will) for authentication. Later, we will use Windows
usernames and passwords for authentication.

Configuring WPA pre-shared key authentication


1. To configure WPA you first need to change from WEP to WPA Pre-shared Key (PSK)
on the wireless router. Access the router's interface at http://192.168.1.1 and log in.
Open the Wireless tab and click on the Wireless Security section. Configure the
Security Mode for WPA Pre-shared key (in some firmware versions this option will be
known as WPA Personal). Select AES (advanced encryption standard). Enter the WPA
Shared Key as bluecrab. Click Save Settings.
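
With pre-shared key authentication, the 256-bit key the router and client actually use is derived from nothing but the passphrase and the SSID, so the quality of the passphrase is what matters. The Python below is an added example, not part of the original lab: it derives that key with the standard PBKDF2 function and reviews a candidate passphrase. The 16-character minimum, the word list, the finding labels and the sample strong passphrase are assumptions made for illustration.

```python
import hashlib
import string

MIN_LENGTH = 16  # ASSUMPTION: a site policy threshold, not a value from the lab

# Constructed word list: defaults and names an outsider would try first.
WORDLIST = {"bluecrab", "linksys", "admin", "password", "bc1"}


def derive_pmk(passphrase, ssid):
    """WPA/WPA2 pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def passphrase_findings(passphrase, ssid, wordlist=WORDLIST, other_secrets=()):
    """Return a list of reasons this passphrase should not go into production."""
    findings = []
    lowered = passphrase.lower()
    if len(passphrase) < MIN_LENGTH:
        findings.append("short")
    groups = (string.ascii_lowercase, string.ascii_uppercase,
              string.digits, string.punctuation)
    if sum(any(ch in group for ch in passphrase) for group in groups) < 2:
        findings.append("single-character-class")
    if lowered in wordlist:
        findings.append("wordlist")
    if ssid.lower() in lowered:
        findings.append("contains-ssid")
    # The lab also sets the router's admin password to bluecrab.
    if passphrase in other_secrets:
        findings.append("reused")
    return findings


if __name__ == "__main__":
    lab_key, lab_ssid = "bluecrab", "BC1"
    print(passphrase_findings(lab_key, lab_ssid, other_secrets=("bluecrab",)))
    # The SSID is the only salt: the same passphrase gives a different key
    # on BC1 than on the default SSID, which is one reason to rename it.
    print(derive_pmk(lab_key, lab_ssid).hex())
    print(derive_pmk(lab_key, "linksys").hex())
```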


Configuring and testing WPA-PSK on Client1


1. On Client1, go to your wireless network icon on the bottom right of the taskbar and
double click. It will probably have a red X on it because it is currently disconnected from
the wireless network. This is because the wireless router now requires different
credentials.

2. If you are still using the Linksys Network Monitor to control wireless access, right click
on the Linksys Network Monitor in the system tray and then click Use Windows XP
Wireless Configuration. As we are not allowing the broadcast of the wireless router's
SSID (BC1), it won't show up in the list of available wireless networks. Instead, you will
have to go to the advanced settings.

3. After clicking on the Wireless Networks tab, make sure that BC1 is highlighted and
click Properties. The BC1 Preferred network was created back when we disabled the
SSID broadcast and enabled WEP encryption.

4. Before our WPA changes, the settings will look like this:

5. Now change the Network Authentication to WPA-PSK and Data Encryption to AES.
Set the Key to bluecrab so that it matches the key we set on the wireless router.

6. Click OK on this screen and OK again on the previous screen. Your wireless client
should now automatically attempt to connect to the wireless router, exchange the
pre-shared key and get a DHCP IP address. If successful, the wireless client should no longer
have an X on it and, if you double click it, it should look like this.

7. You should be able to access the Internet through the wireless router as a test, like this:

Enabling WPA2 pre-shared key authentication (802.11i personal mode)


Now that we have stepped up to WPA security and tested it, let's move up to one of the
highest security authentication & encryption methods available - WPA2. WPA2 is also
known as 802.11i personal mode. It is known as personal mode because no central server
has to be involved to authenticate users. This is really a simple change on both the wireless
client and the wireless router.
1. On the wireless router interface, go to the Wireless tab and click on the Wireless
Security section. Change your security mode to WPA2 Pre-shared Key only (WPA2
Personal on some firmware versions). Leave everything else the same and click Save
Settings.

Now we'll move on to configuring and testing the WPA2 client.

Configuring and testing WPA2 pre-shared key authentication (802.11i personal mode) on Client1
Prior to doing this lab, make sure that your Windows XP client has the Windows XP update
KB893357. You can find it at the following link:
http://www.microsoft.com/downloads/details.aspx?FamilyID=662BB74D-E7C1-48D6-95EE-1459234F4483&displaylang=en
This update allows you to use WPA2 as was noted in the Lab Setup. If you go to change
your authentication from WPA to WPA2 and do not have the WPA2 option, then you did
not apply the update.
1. On Client1, go to your wireless network icon on the bottom right of the taskbar and
double click. It probably has a red X on it because it is disconnected from the wireless
network. This is because the wireless router now requires different credentials.

2. As we are not allowing the broadcast of the wireless router's SSID (BC1), it won't show up
in the list of available wireless networks. Instead, you will have to go to the advanced
settings.

3. After clicking on the Wireless Networks tab, make sure that the BC1 preferred network
is highlighted and click Properties.

4. Now change the Network Authentication to WPA2-PSK. You should not have to make
any other changes.

5. Click OK on this screen and OK again on the previous screen. Your wireless client
should now automatically attempt to connect to the wireless router, exchange the
pre-shared key and get a DHCP IP address. If successful, the wireless client should no longer
have an X on it and, if you double click it, it should look like this.

6. You should be able to access the Internet through the wireless router as a test, like this:

You have now reached the maximum level of security, using a pre-shared key, which is
possible using Windows. If you use the Linksys drivers, you can add a little more security
by using TKIP & AES together. However, Windows XP currently does not support this.
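
In both WPA-PSK and WPA2-PSK, the router and the client never use the typed key directly: each side stretches the passphrase with the SSID into a 256-bit pairwise master key (PMK). The sketch below is an added example, not part of the original lab; it derives that PMK for the lab's settings and audits the passphrase, and the audit rules (`min_length=20`, the finding names, the `org_words` list) are this example's assumptions.

```python
import hashlib
import re


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pairwise master key used by WPA-PSK and WPA2-PSK.

    IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def audit_passphrase(passphrase, ssid, org_words=(), min_length=20):
    """Return a list of finding codes; an empty list means no finding.

    min_length=20 is this example's policy choice, not a value from the lab.
    """
    findings = []
    if len(passphrase) < min_length:
        findings.append("too-short")
    # Count how many of lower, upper, digit, other appear in the passphrase.
    classes = sum(
        bool(re.search(pattern, passphrase))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 2:
        findings.append("single-character-class")
    # A key built from the SSID or the company name is the first thing guessed.
    squeezed = passphrase.lower().replace(" ", "")
    for word in (ssid, *org_words):
        needle = word.lower().replace(" ", "")
        if needle and needle in squeezed:
            findings.append("contains-known-name")
            break
    return findings


if __name__ == "__main__":
    lab_pmk = derive_pmk("bluecrab", "BC1")
    print("PMK for the lab settings:", lab_pmk.hex())
    # The SSID acts as the salt, so the same passphrase gives another PMK on another SSID.
    print("differs on SSID BC2:", lab_pmk != derive_pmk("bluecrab", "BC2"))
    print("lab key findings:", audit_passphrase("bluecrab", "BC1", ["Blue Crab"]))
```

The lab key bluecrab is fine for a classroom exercise but trips every check here, which is why a production pre-shared key should be long, mixed and unrelated to the SSID or company name.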

Lab 6
Using RADIUS (802.1x Authentication)
You will learn how to:
Install a RADIUS server in Windows
Configure Windows Internet Authentication Service (IAS)
Use RADIUS (802.1x) with WPA2 security
Configure and test your client

Lab Scenario
After configuring WPA2 authentication and AES encryption, you want to go to the final
step and use 802.1x authentication. While there are a number of ways to use 802.1x
authentication (with smart cards, certificates, etc.), you will configure 802.1x & WPA2
authentication using Windows credentials for wireless network authentication. Once
authenticated, the clients will encrypt data with AES (as they did in the previous lab).
To enable 802.1x authentication using Windows credentials, a fair amount of work will be
required on your Windows server. You will have to install Active Directory, certificate
services and Internet Authentication Service (IAS). So, let's get to work!

Installing a RADIUS server in Windows


Before you can make your server a RADIUS server (using the Microsoft Internet
Authentication Service), you will have to do the following:

Install DNS.
Install Internet Authentication Service (IAS).
Make the server a Windows Active Directory domain controller (DC).
Install Certificate Services.

Installing Windows DNS and IAS


1. To get started on this list, log in as Administrator and go to Start > Control Panel >
Add or Remove Programs. Click Add or Remove Windows Components.

2. Scroll down the list of components that can be installed and double click Network
Services.

3. Under Network Services check Domain Name System (DNS) and Internet
Authentication Service (IAS).

Click OK and then Next when you're back on the Windows Components window. Click
Next again. You will need to insert your Windows 2003 Server CD. Files will now be
copied and the applications will be installed. When it is completed you can click Finish.

Installing Windows AD
The next step is to install Windows Active Directory services on Server1, making it a domain
controller in the new BlueCrabFood domain.
1. To do this, go to Start > Run and execute dcpromo. Click Next through the first
screens. Take the default on the next screen (that specifies that this will be a domain
controller for a new domain) and click Next. Take the default on the next screen (that
specifies that this will be a domain in a new forest) and click Next. Enter the Full DNS
name BLUECRABFOOD.COM and click Next.

2. Take the default NETBIOS name, BLUECRABFOOD, and click Next.

3. Take the default for the log files and databases and click Next. Take the default for the
shared system volume and click Next. If you get the message that DNS Registration
diagnostics failed, select the second choice (as shown below) and click Next.

4. On the next screen, take the default of Windows 2003/2000 permissions and click
Next.

5. Enter the Restore Mode Password of Bluecrab1 and click Next.

6. On the Summary screen, click Next. The Active Directory install wizard will now install
Windows Active Directory and make your server a domain controller. When the
installation is complete, you will see the window below.

Click Finish, then Restart Now on the popup window that will appear. After the
reboot, continue on to installing certificate services.

Installing Certificate Services


1. Go to Start > Control Panel > Add or Remove Programs. Click Add or Remove
Windows Components.

2. Scroll down the list of components you can add. Check the checkbox next to
Certificate Services so that it will be installed. Click OK.

3. You will now be prompted with some certificate questions. Leave the default selected
(which makes this an Enterprise Root CA) and click Next. When asked to name
the CA, enter BlueCrabFoodCo.

Take the default on the location of the certificate databases and click Next. You will be
asked if it is OK to stop IIS (if it is installed). You can say Yes to this question. You will
be required to insert your Windows 2003 Server CD. Files will now be copied and the
applications will be installed. When it is completed you can click Finish.

Configuring Windows Internet Authentication Service (IAS)


Registering the IAS server with AD
1. To register the IAS server with AD, open up the IAS management tool by going to
Start > Administrative Tools > Internet Authentication Service.

2. Once inside the IAS management console, right click on the server and click Register
Server in Active Directory.

3. You will be given the two pop up boxes shown below. Click OK on each.

Adding a new IAS RADIUS client


1. To add a new client, right click on the RADIUS Clients option and click New
RADIUS Client.

2. Enter the name and IP address of the wireless router, BC1 and 192.168.1.1. Click Next.

3. Type in the password bluecrab. This is the same password we will use later
when configuring the wireless router. Click Finish.

IAS policies
1. To simplify our testing and policies, go to the IAS Remote Access Policies folder and
delete all default policies by right clicking on them and then clicking Delete. Right click
on the Remote Access Policies folder and click New Remote Access Policy. This
will bring up the Remote Access Policy Wizard.

2. Click Next on the first introduction screen. Fill out the policy name as wireless and
click Next.

3. On the next screen, specify that this will be a wireless policy and click Next.

4. To simplify our testing, select that we will use the User permissions to control who has
remote access and click Next.

5. Take the default of PEAP as the Authentication Method and click Next.

Click Finish and the new wireless policy is created.


Creating a user
1. We will now create a new Windows domain user called Jim for our testing. This can be
done in Active Directory Users and Computers: click on Start Menu >
Administrative Tools > Active Directory Users and Computers. Right click on
Users and then on New > User.

2. Enter the following information.

3. Enter the password Bluecrab1. Then click Next and then Finish.

4. Now you need to right click on the user Jim and go to Properties. On the Dial-in tab
enable Remote Access Permission by checking Allow Access. Click OK.

Using RADIUS with WPA2 security


1. On the wireless router, go to the Wireless tab and click on the Wireless Security
section. Set the Security Mode (authentication) to WPA2 Radius Only (WPA2
Enterprise on some firmware). Set the WPA Algorithm to AES. Set the RADIUS
server IP Address to the IP address of Server1. In our case, this is 192.168.1.10. Set the
Shared Key to bluecrab.

When you're done, click Save Settings. You will lose connection with the wireless
router over your wireless link.
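
The shared key typed into the IAS RADIUS client entry and into the router's Shared Key field is what lets the router trust the server's replies. The sketch below is an added example, not part of the original lab or of IAS; it builds a reply the way a RADIUS server does under RFC 2865 and verifies it the way the router would, using a constructed request authenticator and attribute.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2    # RADIUS packet code, RFC 2865
REPLY_MESSAGE = 18   # RADIUS attribute type, RFC 2865


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value (length counts all three)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def response_authenticator(code, ident, request_auth, attributes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, ident, request_auth, attributes, secret):
    """What the RADIUS server (IAS on Server1 in the lab) sends back."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    return header + auth + attributes


def verify_response(packet, request_auth, secret):
    """What the RADIUS client (the wireless router) checks before trusting a reply."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # ignore padding after the stated length
    expected = response_authenticator(code, ident, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    # Constructed values: the 16-byte authenticator the router put in its request.
    request_auth = bytes(range(16))
    attrs = attribute(REPLY_MESSAGE, b"welcome")
    reply = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, b"bluecrab")

    print("router with matching key :", verify_response(reply, request_auth, b"bluecrab"))
    # A key mistyped on one side (here a capital B) makes every reply fail the check.
    print("router with mistyped key :", verify_response(reply, request_auth, b"Bluecrab"))
    tampered = reply[:-1] + bytes([reply[-1] ^ 1])
    print("reply altered in transit :", verify_response(tampered, request_auth, b"bluecrab"))
```

A mismatch between the two keys shows up as clients that never finish authenticating, so compare the two fields character by character before troubleshooting anything else.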

Configuring and testing your client


1. In Lab 6, we ended with you setting up WPA2-PSK authentication and AES encryption.
To test our new RADIUS configuration, go into your wireless network connection
and click Change Advanced Settings. Go to the Wireless Networks tab, click on
the preferred network (BC1) and click Properties. Change the Network Authentication
from WPA2-PSK to WPA2. Leave the data encryption set to AES.

2. Click on the Authentication tab. It should look like this:

3. If these two checkboxes are checked, uncheck them. Click on Properties for the EAP
Type.

4. Make sure that your properties match the window above. Click on the Configure
button for the Secure Password (EAP-MSCHAP v2) Authentication Method. Make sure
that the Automatically use my Windows logon name and password box is unchecked.

5. Click the next three OKs to save and apply your settings - your wireless adaptor should
now attempt to connect to the BC1 wireless network. As this network is now protected
by a Windows username and password, you should get a balloon popup from the
notification bar in the bottom right hand of your desktop. It looks like this:

6. Double click on the popup window and you will get a login dialog box.

7. Login with the username Jim and the password Bluecrab1, which you created earlier in
this lab. After negotiating the authentication and getting a DHCP IP address, your client
will connect to the wireless network and you will get the following balloon popup in the
notification bar.

***Note*** RADIUS can be slightly finicky. Restarting the server is recommended
and you may be required to repeat the steps to get it to successfully work.
Lab 6 is now complete.

Lab 7
Common Administrative Tasks
You will learn how to:
Backup configuration files
Upgrade firmware
Modify DHCP settings

Backing up and restoring configuration files


You need to be aware that there is a bug in the Linksys WRT54G 4.00.7 firmware that
means that you cannot back up your configuration file using the HTTPS interface. Therefore,
for this lab, I have enabled HTTP management and will use that. After the lab, I will disable
HTTP once again.
Backing up configurations of network devices is critical in case the device goes out or
someone modifies the device and starts having trouble. Backups should be done whenever
changes are made, or in some cases, much more frequently.
1. To back up your router's firmware, go to the wireless router's web-based
management, click the Administration tab and then the Config Management
section. Click the Backup button and you will be prompted to save your configuration.

2. Click Save and you will be prompted as to where you want to save the configuration
file. Specify the directory and click Save.

3. Once downloaded, you will be asked if you want to Open the File, Open the Folder, or
Close. Choose to Close.

4. Just to make sure that your backup was successful, you'll now restore the file you backed
up. Back on the wireless router's Config Management screen, click Browse and find
the location of your configuration file.

5. Once you click Open on the file, you will be back at the Config Management screen.
Now click Restore. When the restore is complete, you will, very misleadingly, get the
message that the upgrade is successful, even though no upgrade was performed.

Even though the message is misleading, at least you know that the upgrade worked and
the config file was good. A good way to test this would be to backup your configuration,
make a change and then restore the configuration. On some routers, this method can be
used to clone routers. However, with Linksys routers, the configuration file cannot be
edited as a regular text file.

Upgrading firmware
Every good network administrator should frequently check for new operating
system/firmware upgrades for their network devices. Part of the job of installing the
network at Blue Crab Food Co. involves updating network devices to the latest firmware.
Older firmware can have security holes and bugs that could open your client up to problems
in the future.
1. To upgrade the firmware on our wireless router, first you need to obtain the firmware by
going to the manufacturer's website. In our case, go to www.linksys.com and click on
Support. Choose Downloads in the drop down box.

2. On the Downloads page, select your product. In our case, this is the WRT54G version
3. You can leave the default of Windows XP and then click Downloads for this
product.

3. The downloads that are available for this product will be shown. Click on Firmware.

4. This will show you only the latest firmware available.

5. The firmware updates come in two versions - an executable file .exe and a zip file. You
want to download the zip file for this lab. Click to download the firmware. Say that you
want to Save the Zip file and specify where. Once the file has been downloaded, click
Open. Unzip the files that you downloaded into a directory of your choice. On the
wireless router, go to the Administration tab and the Firmware Upgrade section.
Notice that there is no way to downgrade firmware or even to download the existing
router's firmware. To upgrade the firmware, click Browse and navigate to the directory
you unzipped the firmware into. Select the firmware image. In our case, the
firmware is called WRT54GV3.1_4.00.7_US_code.bin.

6. Click the Upgrade button and the upgrade will begin. You will see the upgrade progress
represented in the bar. When the upgrade is done, you will get this message:

7. You can see the current version of your firmware on every screen of the web-based
management console in the upper right hand corner.

The firmware has now been upgraded. With this model of Linksys, firmware upgrades
are manual. With some other routers you can configure them to automatically check for
firmware upgrades each time you go to the management interface.

Modifying DHCP settings


1. Today, Blue Crab Food Co. has a relatively small network with only a couple of PCs and
a server. In the future, they plan to have up to 150 PC clients using dynamic IP
addressing and 20 systems with static IP addressing. In your configuration of the wireless
router, you need to plan for these future systems by configuring the DHCP addressing
accordingly. Below, you will find your current DHCP settings.

These current settings are viewed by going to the wireless router's web-based Setup tab
and looking on the default page. The default page is under the Setup tab and the Basic
Setup section. Some companies may choose a more robust DHCP solution, like the one
that Windows Server offers. At Blue Crab, the CIO feels that the built-in solution on the
wireless router will be enough for the time being.

2. Now we'll change the maximum number of DHCP users to 150. Note that, as we are
starting at 192.168.1.100, the 100 + 150 puts IP addresses .100-.249 in use by DHCP.
This does not exceed 254 so there is no need to change the starting IP address of the
DHCP server. The changes look like this:

3. To see which client has which IP address, go to the wireless router's web-based
management interface. Click on the Status tab and on the Local Network section.
Click on the DHCP Clients Table.

Lab 8
Troubleshooting the Wireless LAN
You will learn how to:
Test throughput of your WLAN
Troubleshoot Internet connectivity
Troubleshoot wireless connectivity

Testing throughput of your WLAN


Now that the WLAN is up and working, you want to establish a performance baseline for
the wireless network. Although the gear you have selected says that it offers 54Mbps
throughput in optimal conditions, you have also heard that, because of the inefficiencies in
wireless networking, you can usually expect about half the maximum and less than that if
conditions are not ideal.
1. To test throughput, you will use a tool called QCheck. You can download QCheck from
their website at:
http://www.ixiacom.com/products/qcheck/
This is a free tool that works much better than ping. In fact, a comparison between
QCheck and ping can be found at this website:
http://www.ixiacom.com/products/performance_applications/pa_display.php?skey=pa_q_check
After downloading QCheck, install it both on Client1 and Client2.

2. Run QCheck by going to Start > All Programs > Ixia QCheck > QCheck. Start
the same application on Client2. Back on Client1, enter the IP address of endpoint 1
and endpoint 2. These would be the IP addresses of Client 1 and Client 2. You can find
these clients' IP addresses by either going to the Windows cmd and typing
IPCONFIG /ALL or by going to the bottom right of your screen and clicking on the
wireless network adaptor icon and then navigating to the support page. Here are the
results for each method on Client1.

3. You can also see which client has which IP address by going to the wireless router's
DHCP client list (see Lab 7's DHCP section). In QCheck, after entering the IP
addresses for the clients, click on TCP for the Protocol and Throughput on the
Options section.

4. As you can see, the real throughput for our 54Mbps wireless network is only 5.634Mbps.
Of course, your performance will vary based on wireless interference, the number of
clients in use and the types of data being transmitted. Click on Details to get more
information about this test and the clients. See the example screenshot, below.

Troubleshooting Internet connectivity


While at Blue Crab Food Co., you discover that you cannot communicate to the Internet
through your wireless router. Another user comes in to tell you that they too have lost
connection to the Internet.
From Client1, you cannot ping any Internet web site but you can ping Client2. You go to the
router to do some troubleshooting. With physical access to the device, you may check things
like link lights but, for the purposes of this lab, you'll do two things:
1. Check connectivity from the wireless router to the Internet.
2. Renew your WAN DHCP IP address.

1. To check connectivity from the wireless router to the Internet, go to the wireless
router's web interface, click on the Administration tab and then on the Diagnostics
section. From here, you can ping and traceroute to Internet or Intranet IP addresses.
For our test here you should ping and traceroute to www.trainsignal.com.

It looks like our test was successful. Perhaps the Internet outage was short and
connectivity has been restored. To double check, go ahead and renew your WAN
DHCP IP address.

2. To release and renew your DHCP IP address, go to the wireless router's web-based
management. Click on the Status tab and the Router section. You can see your current
IP address, default gateway and DNS (note that a loss of DNS can also make it seem
that Internet connectivity is lost). To renew your Internet IP, click Renew.

By being able to successfully renew your Internet IP, you know that you have
connectivity over your Internet connection (whether you are using DSL, Cable, T1 or
other method).
If you cannot renew your IP address, you know that there is a connectivity problem. You
can also ping your default gateway and DNS servers. Many times, this can give you a clue
as to what the problem is.
It would appear that the trouble has passed and the Internet is running again. It is a good
thing you were prepared to be able to intelligently troubleshoot your network.

Troubleshooting wireless connectivity


One of the Blue Crab Food Co. wireless clients has complained of slow performance and
intermittent wireless connectivity. In this exercise, we will troubleshoot that kind of
problem. Wireless networks are prone to more connectivity issues than a wired network is.
There are numerous wireless troubleshooting tools available - for this lab, we will use the
Linksys drivers that come with our wireless adaptors. Some wireless access points will give
you WLAN troubleshooting tools in their management interface but most small/home
wireless access points do not.
To troubleshoot your wireless network, you can use the tools that come with your wireless
adaptor. For example, the Linksys Network Monitor that came with our Linksys USB
adaptor includes a site survey tool. This tool tells you a great deal of information you can use
to help troubleshoot your WLAN. However, the Linksys Network Monitor does not
support WPA2, at this time.
An example of the numerous other tools available is NetStumbler. NetStumbler will tell you
which wireless access points are available, their wireless statistics and a lot more useful
troubleshooting information.
For example, NetStumbler can be used to:

Find Rogue Access Points: NetStumbler can look for rogue access points on your
network. These rogue APs can allow unauthorized or unsecured access to your
network. Rogue APs can also take users away from the real network and steal their
credentials by posing as real APs.
Site Survey: NetStumbler can tell you where you have poor wireless coverage or
where you are getting interference from other APs.
Antenna Positioning: NetStumbler can show you the best place and direction to
place antennas and APs.
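
A scan only becomes a rogue AP check once it is compared with an inventory of the access points you installed. The sketch below is an added example, not part of the original lab and not NetStumbler's own output format; the observation records, the BSSIDs, the finding names and the 15 db range threshold (taken from the Low band of the SNR chart in this lab) are constructed for illustration.

```python
from dataclasses import dataclass

CORPORATE_SSID = "BC1"
# Constructed inventory: BSSID of each AP the administrator installed, with its expected settings.
AUTHORIZED = {"02:00:00:00:00:01": {"channel": 6, "security": "WPA2"}}
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


@dataclass(frozen=True)
class Observation:
    ssid: str
    bssid: str
    channel: int
    security: str
    snr_db: int


def classify(obs: Observation, min_snr_db: int = 15) -> str:
    """Compare one observed AP with the inventory and name what needs follow-up."""
    known = AUTHORIZED.get(obs.bssid.lower())
    seen_rank = SECURITY_RANK.get(obs.security.upper(), 0)
    if known is not None:
        if seen_rank < SECURITY_RANK[known["security"]]:
            return "security-downgrade"     # our AP, but weaker than configured
        if obs.channel != known["channel"]:
            return "channel-changed"        # reconfigured, or someone copying our BSSID
        return "ok"
    if obs.ssid.strip().casefold() == CORPORATE_SSID.casefold():
        return "impersonates-corporate-ssid"  # unknown radio advertising our name
    if obs.snr_db >= min_snr_db:
        return "unknown-ap-in-range"        # neighbour, or an AP plugged into our LAN
    return "weak-neighbour"


def survey(observations):
    """Return (bssid, finding) for every observation that needs a human to look."""
    results = [(o.bssid, classify(o)) for o in observations]
    return [r for r in results if r[1] not in ("ok", "weak-neighbour")]


if __name__ == "__main__":
    # Constructed scan results.
    scan = [
        Observation("BC1", "02:00:00:00:00:01", 6, "WPA2", 83),
        Observation("BC1", "02:00:00:00:00:99", 6, "OPEN", 40),
        Observation("linksys", "02:00:00:00:00:42", 11, "OPEN", 30),
        Observation("CoffeeShop", "02:00:00:00:00:77", 1, "WPA", 8),
    ]
    for bssid, finding in survey(scan):
        print(bssid, finding)
```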

To help Blue Crab Food Co. troubleshoot their WLAN issue, you will now download
NetStumbler and use it to analyze wireless coverage near and far from the wireless access
point. The software can be downloaded from:
http://www.netstumbler.com/downloads/

1. Download NetStumbler, run the executable download and install it. Once installed,
run it from the Windows Start > All Programs menu. When running, NetStumbler will
disconnect you from your wireless network. While it is running, all you can do is analyze
your wireless network; you can't use the WLAN for normal purposes from the system
you are running it on.
NetStumbler looks like this:

2. For this exercise you will perform a simple task to see how wireless coverage changes
with distance. Look at the statistics for BC1 when your Client1 is near the wireless access
point. Notice that in the screenshot, above, the signal to noise ratio (SNR) was 83 when
you are near the wireless access point.
Now, move Client1 away from the wireless access point (approximately 30 feet if
possible). After moving (or, as you move if Client1 is a laptop), you will see that the SNR
has decreased. In the screenshot below, you will see that the SNR went down to 17. At
that low level, it can be difficult to get a connection or, if you can get a connection,
performance will be poor.

You might now be wondering what is a good SNR and what is a bad one. The following
chart can be used as a guide.
SNR                 Signal quality
40 db or greater    High
25 to 40 db         Good
15 to 25 db         Low
5 to 10 db          No signal

By testing to see which areas have low or no signal, you will know where to place
additional wireless access points.
In the case of Blue Crab Food Co., you have discovered that you will need to install an
additional wireless access point or wireless bridge in the area that was complaining about
poor performance and intermittent signal.
