Video CBT
LAB SERIES
Wireless Networking
CWNA Study Package
Page 1 of 139
TABLE OF CONTENTS
INTRODUCTION ... 7
LAB SETUP ... 9
   SETTING UP THE LAB ... 10
      COMPUTER 1 ... 13
      COMPUTER 2 ... 13
      COMPUTER 3 ... 13
   LAB SCENARIO ... 18
LAB 1 ... 19
   CREATING A WIRELESS AD-HOC NETWORK ON WINDOWS CLIENTS ... 20
   SECURING YOUR AD-HOC NETWORK ... 33
   CONFIGURING WINDOWS CLIENTS TO SHARE FILES OVER THE AD-HOC NETWORK ... 37
LAB 2 ... 45
   CONNECTING TO THE INTEGRATED WIRELESS ROUTER ... 47
   CONFIGURING MANAGEMENT BASICS AND CUSTOMIZING CONFIGURATION ... 50
   TESTING CLIENT COMMUNICATIONS TO THE INTERNET ... 55
   CONFIGURING BASIC WIRELESS SECURITY ... 58
LAB 3 ... 61
   USING THE LINKSYS AVAILABLE TOOL TO DO A BASIC SITE SURVEY ... 62
   CONFIGURING WIRELESS CHANNELS ... 65
   CONFIGURING SERVICE SET IDENTIFIER (SSID) ... 67
   DISABLING SSID BROADCAST ... 68
LAB 4 ... 71
   CONFIGURING INBOUND ADDRESS TRANSLATION FOR THE WEB/EMAIL SERVER ... 73
   CONFIGURING INTERNET ACCESS RESTRICTIONS ... 78
   CONFIGURING WIRELESS MAC FILTERING ... 84
LAB 5 ... 87
   CONFIGURING WPA PRE-SHARED KEY AUTHENTICATION ... 88
   CONFIGURING AND TESTING WPA-PSK ON CLIENT1 ... 89
   ENABLING WPA2 PRE-SHARED KEY AUTHENTICATION (802.11i PERSONAL MODE) ... 93
   CONFIGURING AND TESTING WPA2 PRE-SHARED KEY AUTHENTICATION (802.11i PERSONAL MODE) ON CLIENT1 ... 94
LAB 6 ... 97
   INSTALLING A RADIUS SERVER IN WINDOWS ... 98
      INSTALLING WINDOWS DNS AND IAS ... 98
      INSTALLING WINDOWS AD ... 100
Introduction
Welcome to Train Signal!
This series of labs on Wireless Networking is designed to give you detailed, hands-on
experience working with Wireless Technologies. Train Signal's Audio-Visual Lab courses are
targeted towards the serious learner, those who want to know more than just the answers to
the test questions. We have gone to great lengths to make this series appealing both to those
who are seeking the Certified Wireless Network Administrator (CWNA) certification and to
those who want an excellent overall knowledge of Wireless technologies.
Each of our courses puts you in the driver's seat, working for different fictitious companies,
deploying complex configurations and then modifying them as your company grows. They
are not designed to be a cookbook lab, where you follow the steps of the recipe until
you have completed the lab and have learned nothing. Instead, we recommend that you
perform each step and then analyze the results of your actions in detail.
To complete these labs yourself, you will need three computers equipped as described in the
Lab Setup section. You also need to have a foundation in Windows XP/2003 and TCP/IP
concepts. You should be comfortable with installing the Windows operating system and
getting it up and running. Basic networking skills will be very helpful. These labs will start
from a default installation of Windows XP/2003 with a wireless adaptor and a wireless
access point/router. From there, we will run you through the basic configurations and
settings that you must use for the labs to be successful. It is very important that you follow
these guidelines exactly, in order to get the best results from this course.
The course also includes a CD-ROM that features an audio-visual walk-through of all of the
labs in the course. In the walk-through, you will be shown all of the details from start to
finish on each step, for every lab in the course. During the instruction, you will also benefit
from live training that discusses the current topic in great detail, making you aware of many
of the associated fine points.
Thanks for choosing Train Signal!
Scott Skinger
Owner
Train Signal, Inc.
Lab Setup
Item          Minimum                      Recommended
Computers
  Memory      128 MB                       256 MB
  Hard Drive  4 GB                         6 GB or larger
  NIC         1 per computer               1 per computer (wireless NICs are used for
              (wireless NICs are used)     the workstations; the server will use a
                                           wired NIC)
Networking
Software      Windows XP Pro               Windows XP Pro
                                           Windows Server 2003
You are strongly urged to acquire all of the recommended equipment in the list above. It
can all be easily purchased from eBay or another source, for around $500 (less if you already
have some of the equipment). This same equipment is used over and over again in all of
Train Signal's labs and will also work great in all sorts of other network configurations that
you may want to set up in the future. It will be an excellent investment in your education.
Call or email us at support@trainsignal.com if you need help locating networking
equipment. Two other products that you may also want to look into are a KVM (Keyboard-Video-Mouse)
switch and a disk-imaging product, such as Norton Ghost. The KVM switch
will allow you to run all of your computers using a single keyboard/monitor/mouse set. A
button allows you to quickly control which PC you are managing. Disk imaging software
will save you a tremendous amount of time when it comes to reinstalling operating systems
for future labs. Many vendors offer trial versions or personal versions of their products that
are very inexpensive.
2. Computer Configuration Overview
Computer  Computer  IP Address                    OS              Additional
Number    Name                                                    Configurations
1         CLIENT1   Assigned via router's DHCP    Windows XP Pro
2         CLIENT2   Assigned via router's DHCP    Windows XP Pro
3         SERVER1   IP 192.168.1.10               Server 2003     SP1 or later
                    Subnet 255.255.255.0
                    Default Gateway 192.168.1.1
***Important Note***
This lab should NOT be performed on a live production network. You should only use computer
equipment that is not part of a business network AND is not connected to a business network.
Train Signal Inc. is not responsible for any damages. Refer to the full disclaimer and limitation of
liability, which appears at the beginning of this document and on our Website at:
http://www.trainsignal.com/legalinfo.html
Windows will prompt you for the location and you can tell it specifically where to find the
new WLAN drivers.
After telling the system where to find the drivers, it will copy them over and your installation
is done!
Repeat the steps from step #1 to load the drivers on CLIENT2 (see steps above).
Note: Once the drivers are installed, do not change any settings on the adaptors or wireless
configuration.
(figure 1)
Lab Scenario
Blue Crab Food Co. (www.bluecrabfood.com) is a seafood distribution company. They
process and package seafood at their main office in Nags Head, North Carolina. They are
opening a packaging plant about two miles away, near Whalebone, NC.
Blue Crab Food Co. has always been a low-tech company. However, they have set forth on
an initiative to modernize all their plants. They will install PCs on every desk and across the
plant floor. They will also need to connect all their processing plants to the server at the
main office. The main office was built for Blue Crab back in the early 1900s and has many
rooms and thick concrete walls. Blue Crab will need over 100 cable drops for the new
devices. For these reasons, Blue Crab's CIO has decided that a wireless network
infrastructure would be a better choice over a wired infrastructure. In addition, the CIO has
chosen to connect the new packaging plant, in Whalebone, via a wireless network link. This
will definitely save the company the monthly recurring cost that a T1 circuit would incur.
Fortunately, the new packaging plant has a direct line of sight that should accommodate the
wireless connection well.
Blue Crab Food Co. has hired you, on a contract basis, to implement the new wireless LAN
at the main office and the wireless link connection that will connect the new location. The
CIO, Jim, also mentions that there is an opportunity for you to become a full time network
administrator with the company, if the project goes well.
As a contractor, you will be solely responsible for implementing the new Blue Crab wireless
network. In this series of labs you will start with a small wireless LAN with only one access
point (AP) and one client. You will grow that wireless LAN into multiple APs, add a wireless
bridge link, add levels of security, configure management options, test performance, learn
wireless troubleshooting and much more.
Before starting any of the labs you should ensure that you have set up your network
according to the Lab Setup section, which can be found earlier in this document.
Lab 1
Creating an Ad-Hoc Wireless LAN
You will learn how to:
Create a wireless ad-hoc network on Windows clients
Secure your ad-hoc network
Configure Windows clients to share files over the ad-hoc network
Lab Scenario
You have ordered the wireless equipment for the Blue Crab Food network but it has not yet
arrived. In the meantime, you want to experiment with some wireless settings between two
Windows XP client machines. This will better acquaint you with the settings. Also, you want
to see how an ad-hoc network is configured in case you need to implement it later at Blue
Crab. By doing these exercises, you will be better prepared for the future wireless
configuration options when the equipment arrives. You have borrowed two users' desktop
machines for your tests. You will call them CLIENT1 and CLIENT2.
Prior to beginning Lab 1, you should have already installed your wireless adaptor and drivers,
per the Lab Setup instructions.
2. You will see the screen below that will ask you to choose a wireless network. As you can
see in this screen you may see other wireless networks that are not yours.
3. Click on the Change advanced settings icon on the left of this window.
4. Go to the Wireless Networks tab. This is where you will do most of your wireless
network configuration.
5. Now, click Add in the Preferred networks section, as this is where you will create your
ad-hoc network. You will see the window below. In this window you will create the
SSID (Service Set Identifier) that will uniquely identify your wireless ad-hoc network.
Let's choose BLUECRAB-ADHOC.
Also, to make sure you don't have any trouble making your first connection, you will
disable all authentication and encryption. So select Open for Network Authentication
and Disabled for Data encryption. Check the "This is a computer-to-computer (ad
hoc) network; wireless access points are not used" box. When you are done, click
OK. Windows may prompt you with a warning that the network is not encrypted, but
just click Continue Anyway.
6. When you return to the Wireless Networks screen, click on the Advanced button near
the bottom. Normally, you would use the default settings under the advanced wireless
button as they prefer infrastructure wireless networks (networks with an access point).
However, for the purposes of this lab, you will change those settings so that you only use
ad-hoc networks (computer-to-computer). You will therefore need to check
Automatically connect to non-preferred networks.
7. Click Close to return to the Wireless Networks screen and you will see that your new
preferred ad-hoc network has been added. Click OK to save and apply these settings.
9. Click on the Advanced button and configure the same settings as CLIENT1. This is
where you will set the wireless adaptor to only communicate with ad-hoc networks and
to Automatically connect to non-preferred networks.
10. Click Close to close the window and click OK on the remaining window to save and
apply your settings.
11. CLIENT1 will immediately connect to the new ad-hoc network and will acquire an IP
address.
13. CLIENT2 has obtained an automatic private IP address in the 169.254.x.x range. Double
click on the wireless adaptor on the bottom right of the taskbar to see the adaptor's
properties. Click on the Support tab to see its IP address (as shown below).
14. Back on CLIENT1, if you refresh the network list, you will see that the new
BLUECRAB-ADHOC network has appeared and that the client has automatically
connected to it!
15. You may also see a balloon popup that tells you that it has successfully connected to this
new network.
16. CLIENT1 has obtained an automatic private IP address in the 169.254.x.x range. Double
click on the wireless adaptor on the bottom right of the taskbar to see the adaptor's
properties. Click on the Support tab to see its IP address (as shown below).
17. We will now disable the Windows Firewall. Right click on the wireless connection in
the system tray and click on Change Windows Firewall settings.
18. To make sure that everything works at this time we will now disable the firewall
completely. On the Windows Firewall screen in the General tab check Off. Note that
this is not the most secure option, but it will allow you to complete the lab without
issues.
19. Now, it's time to test this new network! Let's verify first that CLIENT1 can ping
CLIENT2 and that CLIENT2 can ping CLIENT1. From CLIENT1 run CMD and
ping the IP of CLIENT2. Note that your IP address will differ from the one in the
screen below.
20. From CLIENT2 run CMD and ping the IP of CLIENT1. Note that your IP address
will differ from the one in the screen below.
4. Once you have added security, go over to CLIENT2 and you will see that the network
still shows as connected. It will also say that it is secure. This is strange, as it shouldn't be
connected on CLIENT2 since you have not put in the new key. However, if you attempt to
ping CLIENT1 now, you will find that there is no longer any communication.
5. Even if you disconnect the network on CLIENT2, it will automatically reconnect, not
prompt for a password, but still have no communications. To prevent the auto
reconnect and to get it to prompt you for a password, go in and modify the wireless
settings on CLIENT2. Uncheck the Automatically connect to non-preferred
networks box, as shown in the picture below. Click Close and OK to save settings.
6. The client will now automatically disconnect from the ad-hoc network. Go back into the
list of available wireless networks and double click on the BLUECRAB-ADHOC
network. You will now be prompted for the key. Enter your key - 1234567890.
7. You are now securely connected to the BLUECRAB-ADHOC network using Shared WEP authentication and encryption.
4. Click Next. Note that if you have any unplugged or disabled Internet connections you
will want to ignore them when prompted. Select Other and then click Next.
5. Select This computer belongs to a network that does not have an Internet
connection and click Next.
7. Call your workgroup WORKGROUP and click Next. The real Blue Crab Food Co.
will, of course, have a Windows Active Directory domain. Again, this is only for testing
the Windows file sharing capability of your network.
9. After some processing, the wizard will ask if you want to create a network setup disk
which will be used to distribute this configuration. You will select Just finish the
wizard; I don't need to run the wizard on other computers and click Next.
10. After some processing, the Network Setup Wizard will be complete. Click Finish.
11. After the network is set up you will have to enable the guest account to allow Windows
browsing by the remote system. I generally recommend putting a password on it but this
is not necessary for your testing purposes here. When you are all done with your tests,
you will disable the guest account as this is a security risk and is not needed in a
Windows AD network.
Right click on My Computer and click Manage. Click Local Users and Groups and
double click to expand users. Double click on the Guest account and you will see the
following window.
12. Uncheck the Account is disabled checkbox for the Guest account. Click OK to save
these changes and to close your windows.
Next, move over to Client1 and repeat the process in Step #1.
After running the Network Setup Wizard on both systems, let's go into Client1 > Start
Menu > My Network Places > View workgroup computers and see which
computers are in the workgroup you have created.
13. You'll see that both systems are listed in the workgroup; this is a good sign!
14. After clicking on CLIENT2 from CLIENT1 you can see that you are able to see file
shares across the network.
Your new wireless ad-hoc network works! You can ping and share Windows files, all
without an access point, a hub or wires!
Note: When you are done with Lab 1, please go back and do the following on BOTH
clients:
Lab 2
Basic Wireless Router & Client Setup
You will learn how to:
Connect to the integrated wireless router
Configure management basics and customize configuration
Test client communications to the Internet
Configure basic wireless security
Lab Scenario
Now that the new access points have arrived, you need to set up a basic wireless LAN
(WLAN) and a single client. In this lab, you will begin implementing your wireless network by
configuring an access point in infrastructure mode. A WLAN that uses an access point as a
central communications hub between clients is termed as being in infrastructure mode.
This wireless access point (AP) will be the first of many APs you will setup and will serve as
a model for the future access points at Blue Crab Food Co.
The access-point you have selected is an integrated router, switch, wireless AP and firewall.
This integrated device will be connecting to the new cable Internet connection you ordered.
You already have a Motorola cable modem in place. It has an Ethernet jack on the back of it.
For now, you have a dynamic IP address and a 3MB download speed.
While you know that this integrated device should, in theory, work fine in this capacity out
of the box, you do want to go through it and configure all the management options that
need to be configured. These options will help to secure the integrated device and to secure
the wireless LAN.
For this lab, the recommended router/AP in the Lab Setup works best, but most any
router/AP will be able to perform these labs. The recommended router/AP also includes a
router, 4 port switch and firewall. For the clients, the wireless adaptors specified in the Lab
Setup are recommended but most any wireless adaptor will work fine for these labs.
In this lab, the clients will be using the wireless adaptor that was installed in Lab 1.
***Note***
Every manufacturer's access point varies in how it must be configured. For the purposes of
these labs, the Lab Setup recommends a standard Linksys home access point because they
are easy to obtain and cover all the basic features you need to know. In the real world, most
businesses would choose to spend much more and to get more features.
3. To configure your new wireless router, open your web browser and point it to the
default IP address of the Linksys device, http://192.168.1.1. If you look at your IP
address configuration, this is also your default gateway.
4. You will be prompted to enter a username and password. All you really need to enter is a
password of admin. The username can be left blank. The password of admin and a
blank username is a well-known Linksys attribute. There are websites that list all the
default passwords for devices such as this. For security reasons, you will be changing
this, and other options, later in this lab.
Once authenticated, you will see the following basic setup screen for your new device.
That was easy, wasn't it? Now, knowing that this was so very easy for us, you want
to make things very difficult for unwanted visitors to our new network device. You will
do that by changing the defaults and customizing the device.
After you change these settings, you will then backup your configuration.
1. To change the router name, host name, and time zone, you can enter these settings from
the main setup screen you have looked at already. Set the router name and host name to
Crab1 as this will be the first wireless access point/router on the network. Set the time
zone to Eastern Time, as this is where North Carolina and the Blue Crab Food Co. are
located. In the screen below, you will see the changes for the network:
2. To set the administrator password, remote access method, and to disable UPnP, go to the
Administration tab. It brings us to the default page called Management. You will
change the administrative password to bluecrab so that not everyone knows it (in the
real world, you should change it to a word that is not in the dictionary and that contains
some special characters with upper and lower case).
At this time you will also change the web administration page to only be available via
HTTPS, not just HTTP. To do this check the HTTPS box and uncheck the HTTP
box. Finally, disable universal plug and play by clicking the Disable button next to
UPnP as this can be a security risk. You can now see the changes in the following screen:
3. After changing these settings, click Save Settings. You will be asked to authenticate
again. Make sure that you use the new password that you just set. Next, you will be
asked to accept the certificate from the Linksys device. If you are not prompted for
this, then you need to make sure to update your router's firmware. Some firmware
versions prior to 4.0 had issues with HTTPS - up-to-date firmware can be downloaded
from the Linksys website. This shows that you are being redirected to the secure HTTPS
management site. After that, you will be asked to authenticate again.
4. You should now be back at the main management page for the Linksys device but your
URL will now read HTTPS instead of HTTP and the lock icon will be shown on the
bottom of your web browser. This indicates that you are at a secure site. Lastly, you will
enable logging so that all incoming and outgoing traffic is logged. Staying on the same
default Management page, click on the sub tab Log and then click Enable and then
Save Settings.
5. Here is what the incoming log after a visit to a website looks like.
As you can see from this screenshot, the router has obtained an Internet IP address. You
know this because its IP address is 67.x.x.x (not in the private RFC1918 or APIPA
range) and it is using DHCP. Therefore, it must have obtained this public IP address
from the cable ISP. Other important things of note are the subnet mask, the default
gateway and the DNS servers. These DNS servers will be given to your wireless and
wired clients with their DHCP information.
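The reasoning in this step (a 67.x.x.x address is neither RFC 1918 private nor APIPA, so it must have come from the ISP) and the 169.254.x.x addresses the ad-hoc clients picked up in Lab 1 can be checked in code. The following is an added Python example, not part of the original lab text: it classifies an IPv4 address, interprets the router's WAN address the way this step does (including the double-NAT case where the WAN side shows a private address), and checks that a static configuration like SERVER1's in the Lab Setup table has its gateway inside its own subnet. All sample addresses are constructed.

```python
"""Classify IPv4 addresses the way the lab reads them off the router's status
page and the clients' Support tab: RFC 1918 private, APIPA (169.254.x.x) or
public. Added example, not part of the original Train Signal lab; the sample
addresses used below are constructed."""
import ipaddress

# RFC 1918 private ranges. The Linksys LAN side, 192.168.1.0/24, sits in the last one.
RFC1918_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)
# APIPA / link-local (RFC 3927): the fallback CLIENT1 and CLIENT2 land on in the
# ad-hoc lab, where no DHCP server answers.
APIPA_NETWORK = ipaddress.ip_network("169.254.0.0/16")


def classify_ipv4(addr: str) -> str:
    """Return 'apipa', 'rfc1918', 'loopback', 'reserved' or 'public' for addr."""
    ip = ipaddress.ip_address(addr)
    if not isinstance(ip, ipaddress.IPv4Address):
        raise ValueError(f"{addr} is not an IPv4 address")
    if ip in APIPA_NETWORK:
        return "apipa"
    if any(ip in net for net in RFC1918_NETWORKS):
        return "rfc1918"
    if ip.is_loopback:
        return "loopback"
    # Multicast, 0.0.0.0/8, 255.255.255.255, documentation and other special ranges.
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified or not ip.is_global:
        return "reserved"
    return "public"


def diagnose_wan(wan_ip: str, via_dhcp: bool) -> str:
    """Interpret the Internet (WAN) address shown on the router's status page."""
    kind = classify_ipv4(wan_ip)
    if kind == "public":
        return "public address from the ISP via DHCP" if via_dhcp else "public static address"
    if kind == "rfc1918":
        # Another NAT device sits upstream (e.g. a modem running in router mode).
        return "private WAN address: double NAT"
    if kind == "apipa":
        return "no lease: the WAN port got no DHCP answer"
    return f"unexpected WAN address class: {kind}"


def gateway_reachable(ip: str, netmask: str, gateway: str) -> bool:
    """Sanity-check a static configuration such as SERVER1's in the Lab Setup
    table: the default gateway must lie inside the host's own subnet."""
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    return ipaddress.ip_address(gateway) in iface.network


if __name__ == "__main__":
    # Constructed samples: a WAN address like the 67.x.x.x one in the screenshot,
    # the lab's LAN addresses, and an ad-hoc client's APIPA address.
    for sample in ("67.10.20.30", "192.168.1.10", "169.254.17.4"):
        print(f"{sample:>15}: {classify_ipv4(sample)}")
    print(diagnose_wan("67.10.20.30", via_dhcp=True))
    print("SERVER1 gateway ok:", gateway_reachable("192.168.1.10", "255.255.255.0", "192.168.1.1"))
```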
2. Another good test of Internet connectivity is a ping from the router. This model of
wireless router has built in ping and traceroute functions. Go to the Administration tab
and the Diagnostics section. From here, do a ping to www.trainsignal.com. Here is an
example.
3. Lastly, use your PC to attempt connection to the Internet through the router. Open your
web browser and go to www.trainsignal.com, like this:
It works!
2. Once you click Save Settings, you will lose your wireless connectivity to the access point, so be prepared for this. You will have to go into your Windows wireless settings by
double clicking the wireless network icon in the system tray and entering the new
WEP key to reconnect.
Once you are reconnected, you should be able to go back to the Internet and verify
connectivity. Basic WEP encryption is complete and so is Lab 2!
Lab 3
Configure Basic Wireless Settings
You will learn how to:
Do a basic site survey
Configure wireless channels
Configure the SSID
Disable SSID broadcast
Lab Scenario
You are setting up the first Blue Crab Food Co. wireless network. One of the first things
you should configure on every wireless access point is the service set identifier (SSID). This
is the name that identifies the wireless network you are advertising. You don't want to leave
it at the default, as that would be a security concern. Also, for security reasons, you want to
disable its broadcast. This isn't a foolproof way of protecting your network, as anyone who
is really trying will be able to see the network, but it does protect it from the casual observer.
Even though this is the first wireless access point in the building, that does not mean that
there aren't other wireless APs outside that could be causing interference. You want to
configure the channel on your new AP so that its signal is not subject to this kind of
interference. To do this, you will use the basic site survey tool found on the Linksys driver
CD.
2. Instead of using this tool, you should go to Start > Run, click Browse and browse to
D:\Utility and run setup.exe. This will install the Linksys Wireless management utility,
which you will use to do a basic site survey. Please note that:
You must either use this utility or Windows to configure your wireless settings
and connect to wireless networks. You cannot use both.
When installing this utility, it may take over your wireless configuration and
you may have to reconnect to the wireless LAN again with the WEP encryption
you used in Lab 2.
The reason you want to use this utility, for this lab, instead of the Windows
drivers is that the Linksys utility has a basic site survey tool built in.
3. Once installed, the utility will appear on the bottom right of your TaskBar. The icon will
look like the example below (circled in RED). You can double click on this icon to run
the Wireless Network Monitor.
You can also access the tool by going to Start > All Programs > Linksys Wireless-G
USB Network Adaptor > Wireless Network Monitor.
3. Once running, the Network Monitor will show you the current status of your wireless
connection.
4. If you aren't already connected in this picture, you can go to the Site Survey screen, find
the Linksys SSID, click Connect, and enter your WEP key from Lab 2. Once in the
wireless network monitor, click on Site Survey and you will see the following screen.
In this screen, you'll notice that there are 3 access points available (your screen will look
different). See that there are two APs on channel 6 and one on channel 11. In the video you
learned that you should only use APs on channels 1, 6, and 11 to prevent wireless
interference. In your case, you should move your new Linksys AP to channel 1 to prevent
interference with neighboring APs.
2. You will see, on your site survey tool, that your channel has now changed to channel 1
and should no longer be receiving interference from other APs.
2. After changing the name of your SSID, click Save Settings and you will get Settings are
Successful. After changing your SSID and clicking OK, you will get disconnected and
will have to reconnect. Do this with the same Linksys utility. To see the results of your
SSID change, go to the Linksys Site Survey utility and click Refresh. Notice that the
name of the SSID has changed from Linksys to BC1.
2. After disabling SSID broadcast, you will see that the Linksys Network Monitor still sees
the wireless router, even after doing a refresh. If you change over to using Windows to
configure your wireless settings, Windows will not see the BC1 wireless router. Also, if
you uninstall and reinstall the Linksys network monitor, it will no longer see the BC1
wireless router. You will have to create a profile to be able to connect to the BC1
wireless router. Here is the Linksys Network Monitor after an uninstall and reinstall.
Notice that the BC1 wireless router is no longer visible. This is because you have
disabled SSID broadcast. Although it might appear that this is a tremendous security
feature as you have hidden your WLAN from public view, it does not actually offer
much security at all. The SSID is broadcast over the WLAN in beacon frames. Thus, if
someone listened on the WLAN with the right program, they would easily see your SSID
and wireless network. Many times, disabling the SSID broadcast just creates more of a
headache for people who are trying to connect to the WLAN.
Lab 4
Inbound Address Translation, Firewalling, &
MAC Filtering
You will learn how to:
Configure inbound address translation for the web & future
email server
Configure Internet access restrictions using firewall features
Filter workstations that can access the network wirelessly
Lab Scenario
Blue Crab Food Co. will have a local Internet web server. This web server will host their
small e-commerce site where they take credit card orders for seafood. For the web server,
you need to allow for inbound HTTP (hyper-text transfer protocol) to come into the web
server from the Internet. As they are selling their products over the Internet using credit
cards, you also need to allow for HTTPS (HTTP-Secure) so that they can encrypt these
credit card transactions.
At some point in the future, they will also have a local email server. The email server will
receive inbound company email and will send outgoing email. To allow for the email to
come in, you are going to have to permit SMTP (simple mail transfer protocol) on an
inbound basis.
Both the web and email servers will be configured as the same machine for now. We have
put in the request for the external Internet IP address provided to our router by Blue Crab
Foods ISP to be made static.
As you are configuring policies, dont forget that, besides needing to receive inbound traffic,
these devices will also need to be able to send outbound traffic (i.e. the response).
Additionally, you are continuing to shore up network security. One of the security policies
that the CIO has written dictates the following:
Clients in the DHCP range should only be allowed HTTP (port 80) basic web access
Monday through Friday. This will prevent users from using a number of other
applications that they should not be using. It may also help to prevent problems with
spyware and adware. On Saturdays and Sundays, no Internet access is allowed for
these devices.
Devices with static IP addresses should have full Internet access at all times. The
devices with static IP addresses should only be servers and printers.
Any clients who connect to the network wirelessly must be filtered by the MAC
address of their adaptor. While this does not prevent malicious MAC spoofing, it
does prevent the common person with a wireless adaptor from connecting to the
wireless LAN.
Based on these requirements, you will configure restrictions on Internet access and restrict
only two workstations, at this time, to access the network wirelessly.
Port Range    Protocol    IP Address
80 to 80      TCP         192.168.1.10
443 to 443    TCP         192.168.1.10
25 to 25      TCP         192.168.1.10
2. After filling out these settings, check Enable and click Save Settings.
By adding these applications, the router will forward inbound Internet requests for web
traffic to Blue Crab Food Co.'s web server. The web server already has access to send
traffic outbound to the Internet so that it can respond. This must be done because the router
is performing NAT and, on its own, it does not know what to do with a request arriving on its
single Internet IP address (public network). There are a number of internal (private
network) computers (like the web server), and the router must know which system to
forward each inbound port to.
To test this configuration, you can load Microsoft IIS on Server1. Go to Start Menu >
Control Panel > Add/Remove Programs > Add/Remove Windows Components.
Double click Application Servers and then check Internet Information Services (IIS). You
will need to have your Windows Server 2003 disc handy as it will be needed to install some
of the files required by IIS.
3. Once installed, you will test to see if the web server is working by going to
http://localhost on the web server.
4. If you get an Under Construction response from localhost, go to a client, like client1,
and try the internal IP address of the web server (as shown in the following screen).
Note that Under Construction is the default page for IIS to load when it has just been
installed.
5. If that works, get your external IP address from the web management of the wireless
router. This can be found on the status page.
6. Now, ideally, you should go to a client that has another Internet connection to test web
services to your external IP address. However, you may also be able to access the
external IP of the web server using one of your internal clients.
Clients in the DHCP range should only be allowed HTTP (port 80) basic web
access Monday through Friday. This will prevent users from using a number of
other applications that they should not be using. It may also help to prevent
problems with spyware and adware. On Saturdays and Sundays, no Internet
access is allowed for these devices.
1. To configure the Internet access restrictions, per the CIO's security policy, open the
wireless router's interface at https://192.168.1.1 and then click on the Access
Restrictions tab. You will be taken to the Internet Access section.
Configure the wireless router so that it fits the security policy requirements. However,
there is a catch here. The HTTP web browsing protocol is not very useful if you cannot
look up domain names. So, you will also have to allow for port 53, DNS. To do this, you
will have to make two policies. The Linksys firewall only allows for two port ranges to be
blocked per policy (these types of rules will vary if you are using another vendor's
wireless router). So, you will now need to create Internet Access Policy 1. Call it
blockallbut53and80. Restrict it to the PCs in the wireless router's DHCP client range.
2. Restrict these systems from using this service to only Monday-Friday. Create two new
blocked services that, when combined, block all ports except for DNS (port 53) and
HTTP (port 80) - so, insert upto52, TCP & UDP, 1-52 as shown in the following
screen.
3. Then insert 54to79, TCP & UDP, 54-79 as shown in the following screen.
4. Note that these restrictions will only affect systems in the DHCP range. Thus, they will
not affect our server, located at 192.168.1.10.
5. Now, create Internet Access Policy 2. Call this policy blockallabove80. Use the same
IP restrictions, same day restrictions and same time restrictions.
Create another new service called above80. This will block ports 81 through 65,535.
Insert above80, TCP & UDP, 81-65535 as shown in the following screen.
7. To test your settings, you will need to open Client1's Internet Explorer. You should be
able to visit any regular HTTP website but should not be able to visit an HTTPS website.
Finally, we need to configure a policy to block all Internet access on the weekends. Make
sure you check the relevant boxes to DENY access to these systems. You will have to
specify the same range of IP addresses as in the other policies.
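The three policies above are easier to reason about as a whole than one screen at a time. The following Python model is added to this lab (it is not from the lab guide or from Linksys); it evaluates the CIO's policy for a source address, destination port and day, and lists the ports the deny rules leave open. It assumes a 50-address DHCP pool starting at 192.168.1.100 and that traffic matching any active deny policy is dropped.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Addresses from the lab: the server is static at .10; DHCP clients start at .100.
SERVER_IP = IPv4Address("192.168.1.10")
DHCP_START = IPv4Address("192.168.1.100")
DHCP_COUNT = 50  # constructed assumption; Lab 7 raises the pool to 150

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri"}
WEEKEND = {"Sat", "Sun"}
MAX_RANGES_PER_POLICY = 2  # the Linksys limit that forces two weekday policies


@dataclass(frozen=True)
class Policy:
    name: str
    days: frozenset
    blocked: tuple = ()       # (low, high) inclusive port ranges, TCP and UDP alike
    deny_all: bool = False    # the weekend policy denies everything

    def __post_init__(self):
        if len(self.blocked) > MAX_RANGES_PER_POLICY:
            raise ValueError(f"{self.name}: more than {MAX_RANGES_PER_POLICY} ranges")

    def blocks(self, port: int, day: str) -> bool:
        """True if this policy is active on `day` and denies `port`."""
        if day not in self.days:
            return False
        if self.deny_all:
            return True
        return any(low <= port <= high for low, high in self.blocked)


# The three policies exactly as the lab builds them.
POLICIES = (
    Policy("blockallbut53and80", frozenset(WEEKDAYS), ((1, 52), (54, 79))),
    Policy("blockallabove80", frozenset(WEEKDAYS), ((81, 65535),)),
    Policy("weekend-deny", frozenset(WEEKEND), deny_all=True),
)


def in_dhcp_range(ip: str) -> bool:
    """Only hosts inside the DHCP pool are subject to the access restrictions."""
    addr = IPv4Address(ip)
    return DHCP_START <= addr < DHCP_START + DHCP_COUNT


def is_allowed(src_ip: str, dst_port: int, day: str, policies=POLICIES) -> bool:
    """True if the client at src_ip may reach dst_port on the Internet on that day."""
    if not in_dhcp_range(src_ip):
        return True  # static hosts (servers, printers) have full access at all times
    return not any(p.blocks(dst_port, day) for p in policies)


def allowed_ports(day: str, policies=POLICIES) -> set:
    """Ports a DHCP client can still reach on `day`: the gaps the deny rules leave."""
    return {port for port in range(1, 65536)
            if not any(p.blocks(port, day) for p in policies)}


if __name__ == "__main__":
    # Step 7's test: a DHCP client can browse HTTP but not HTTPS on a weekday.
    print("Mon, DHCP client to 80: ", is_allowed("192.168.1.105", 80, "Mon"))
    print("Mon, DHCP client to 443:", is_allowed("192.168.1.105", 443, "Mon"))
    print("Weekday ports left open:", sorted(allowed_ports("Mon")))
    print("Weekend ports left open:", sorted(allowed_ports("Sun")))
```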
00-0f-66-e7-50-d1
00-12-17-88-18-71
The MAC addresses on your wireless adaptors will be different. Make sure you substitute
the MAC addresses from your own wireless adaptors for the MAC addresses used in these
exercises.
1. To configure wireless MAC filtering and to restrict the wireless network to only our two
clients, go to the Wireless tab and click on the Wireless MAC Filter section. Click
Enable Wireless MAC Filtering. Once enabled, more choices will appear. Click to
Permit Only PCs listed to access the wireless network. Edit the list of MACs that
will be permitted and click Save Settings.
2. Close the MAC Address Filter List window and click Save Settings on the original
Wireless MAC Filter window.
At this point, only the two specified client workstations will be able to access the
network wirelessly. As you add more workstations, you will have to statically configure
the wireless router to allow access for them. For a small network with a fairly static
number of workstations this is not too much trouble. For a large network or a network
with many temporary workstations, static MAC filtering simply isn't practical.
Lab 5
Configuring WPA & WPA2 Pre-shared Key
Authentication
You will learn how to:
Enable WPA pre-shared key authentication
Test WPA-PSK
Enable WPA2 pre-shared key authentication (802.11i personal mode)
Test WPA2-PSK
Lab Scenario
Successfully implementing and learning about security should be done in layers. The CIO of
Blue Crab Food, of course, wants security to be as strong as possible. We started with no
wireless security, added WEP, and, in this lab, we will configure WPA and WPA2. WPA is
Wi-Fi Protected Access. WPA was meant to be a temporary improvement over WEP prior
to WPA2 (also known as 802.11i) being released.
After configuring WPA, we will configure WPA2. In both of these situations, we will be
using pre-shared keys (passwords, if you will) for authentication. Later, we will use Windows
usernames and passwords for authentication.
2. If you are still using the Linksys Network Monitor to control wireless access, right-click
on the Linksys Network Monitor in the system tray and then click Use Windows XP
Wireless Configuration. As we are not allowing the broadcast of the wireless router's
SSID (BC1), it won't show up in the list of available wireless networks. Instead, you will
have to go to the advanced settings.
3. After clicking on the Wireless Networks tab, make sure that BC1 is highlighted and
click Properties. The BC1 Preferred network was created back when we disabled the
SSID broadcast and enabled WEP encryption.
4. Before our WPA changes, the settings will look like this:
5. Now change the Network Authentication to WPA-PSK and Data Encryption to AES.
Set the Key to bluecrab so that it matches the key we set on the wireless router.
6. Click OK on this screen and OK again on the previous screen. Your wireless client
should now automatically attempt to connect to the wireless router, exchange the
pre-shared key and get a DHCP IP address. If successful, the wireless client should no
longer have an X on it and, if you double click it, it should look like this.
7. You should be able to access the Internet through the wireless router as a test, like this:
2. As we are not allowing the broadcast of the wireless router's SSID BC1, it won't show up
in the list of available wireless networks. Instead, you will have to go to the advanced
settings.
3. After clicking on the Wireless Networks tab, make sure that the BC1 preferred network
is highlighted and click Properties.
4. Now change the Network Authentication to WPA2-PSK. You should not have to make
any other changes.
5. Click OK on this screen and OK again on the previous screen. Your wireless client
should now automatically attempt to connect to the wireless router, exchange the
pre-shared key and get a DHCP IP address. If successful, the wireless client should no
longer have an X on it and, if you double click it, it should look like this.
6. You should be able to access the Internet through the wireless router as a test, like this:
You have now reached the maximum level of security, using a pre-shared key, which is
possible using Windows. If you use the Linksys drivers, you can add a little more security
by using TKIP & AES together. However, Windows XP currently does not support this.
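The key you typed on both the router and the client is not used on the air directly: 802.11i turns the passphrase and the SSID into a 256-bit pre-shared key, and WPA-PSK and WPA2-PSK both use that same derivation, which is why the switch to WPA2 needed no new key. The Python below is an added illustration (not from the lab guide or Linksys) of that derivation with this lab's values, bluecrab and BC1; the function names are mine.

```python
import hashlib

SSID = "BC1"             # the SSID configured earlier in this course
PASSPHRASE = "bluecrab"  # the pre-shared key this lab enters on router and client

# IEEE 802.11i: a passphrase is 8 to 63 printable ASCII characters (0x20-0x7E).
_PRINTABLE = {chr(c) for c in range(0x20, 0x7F)}


def valid_passphrase(passphrase: str) -> bool:
    """True if the passphrase meets the 802.11i length and character rules."""
    return 8 <= len(passphrase) <= 63 and all(ch in _PRINTABLE for ch in passphrase)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).

    This is the standard 802.11i derivation used by both WPA-PSK and WPA2-PSK.
    The SSID is the salt, so the same passphrase gives a different key per SSID.
    """
    if not valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def psk_hex(passphrase: str, ssid: str) -> str:
    """The 64 hex-digit form that some clients accept in place of a passphrase."""
    return derive_psk(passphrase, ssid).hex()


def ssid_binds_key(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Demonstrate that renaming the SSID changes the derived key."""
    return derive_psk(passphrase, ssid_a) != derive_psk(passphrase, ssid_b)


if __name__ == "__main__":
    print("PSK for", repr(PASSPHRASE), "on", SSID, "=", psk_hex(PASSPHRASE, SSID))
    # Renaming the SSID from the default Linksys to BC1 changed the derived key:
    print("SSID changes the key:", ssid_binds_key(PASSPHRASE, "linksys", SSID))
```

Because the SSID is public, the passphrase is the only secret in this derivation, so its length and unpredictability decide how strong WPA-PSK or WPA2-PSK really is.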
Lab 6
Using RADIUS (802.1x Authentication)
You will learn how to:
Install a RADIUS server in Windows
Configure Windows Internet Authentication Service (IAS)
Use RADIUS (802.1x) with WPA2 security
Configure and test your client
Lab Scenario
After configuring WPA2 authentication and AES encryption, you want to go to the final
step and use 802.1x authentication. While there are a number of ways to use 802.1x
authentication (with smart cards, certificates, etc.), you will configure 802.1x & WPA2
authentication using Windows credentials for wireless network authentication. Once
authenticated, the clients will encrypt data with AES (as they did in the previous lab).
To enable 802.1x authentication using Windows credentials, a fair amount of work will be
required on your Windows server. You will have to install Active Directory, certificate
services and Internet Authentication Service (IAS). So, let's get to work!
Install DNS.
Install Internet Authentication Service (IAS).
Make the server a Windows Active Directory domain controller (DC).
Install Certificate Services.
2. Scroll down the list of components that can be installed and double click Network
Services.
3. Under Network Services check Domain Name System (DNS) and Internet
Authentication Service (IAS).
Click OK and then Next when you're back on the Windows Components window. Click
Next again. You will need to insert your Windows 2003 Server CD. Files will now be
copied and the applications will be installed. When it is completed you can click Finish.
Installing Windows AD
The next step is to install Windows Active Directory services on Server1, making it a domain
controller in the new BlueCrabFood domain.
1. To do this, go to Start > Run and execute dcpromo. Click Next through the first
screens. Take the default on the next screen (that specifies that this will be a domain
controller for a new domain) and click Next. Take the default on the next screen (that
specifies that this will be a domain in a new forest) and click Next. Enter the Full DNS
name BLUECRABFOOD.COM and click Next.
3. Take the default for the log files and databases and click Next. Take the default for the
shared system volume and click Next. If you get the message that DNS Registration
diagnostics failed, select the second choice (as shown below) and click Next.
4. On the next screen, take the default of Windows 2003/2000 permissions and click
Next.
6. On the Summary screen, click Next. The Active Directory install wizard will now install
Windows Active Directory and make your server a domain controller. When the
installation is complete, you will see the window below.
Click Finish, then Restart Now on the popup window that will appear. After the
reboot, continue on to installing certificate services.
2. Scroll down the list of components you can add. Check the checkbox next to
Certificate Services so that it will be installed. Click OK.
3. You will now be prompted with some certificate questions. Leave the default selected
on the screen that asks whether to make this an Enterprise Root CA and click Next. When
asked to name the CA, enter BlueCrabFoodCo.
Take the default on the location of the certificate databases and click Next. You will be
asked if it is OK to stop IIS (if it is installed). You can say Yes to this question. You will
be required to insert your Windows 2003 Server CD. Files will now be copied and the
applications will be installed. When it is completed you can click Finish.
2. Once inside the IAS management console, right click on the server and click Register
Server in Active Directory.
3. You will be given the two pop up boxes shown below. Click OK on each.
2. Enter the name and IP address of the wireless router, BC1 and 192.168.1.1. Click Next.
3. Type in the same password of bluecrab. This is the same password we will use later
when configuring the wireless router. Click Finish.
IAS policies
1. To simplify our testing and policies, go to the IAS Remote Access Policies folder and
delete all default policies by right clicking on them and then clicking Delete. Right click
on the Remote Access Policies folder and click New Remote Access Policy. This
will bring up the Remote Access Policy Wizard.
2. Click Next on the first introduction screen. Fill out the policy name as wireless and
click Next.
3. On the next screen, specify that this will be a wireless policy and click Next.
4. To simplify our testing, select that we will use the User permissions to control who has
remote access and click Next.
5. Take the default of PEAP as the Authentication Method and click Next.
3. Enter the password Bluecrab1. Then click Next and then Finish.
4. Now you need to right click on the user Jim and go to Properties. On the Dial-in tab
enable Remote Access Permission by checking Allow Access. Click OK.
When you're done, click Save Settings. You will lose connection with the wireless
router over your wireless link.
3. If these two checkboxes are checked, uncheck them. Click on Properties for the EAP
Type.
4. Make sure that your properties match the window above. Click on the Configure
button for the Secure Password (EAP-MSCHAP v2) Authentication Method. Make sure
that the Automatically use my Windows logon name and password box is unchecked.
5. Click the next three OKs to save and apply your settings - your wireless adaptor should
now attempt to connect to the BC1 wireless network. As this network is now protected
by a Windows username and password, you should get a balloon popup from the
notification bar in the bottom right hand of your desktop. It looks like this:
6. Double click on the popup window and you will get a login dialog box.
7. Log in with the username Jim and the password Bluecrab1, which you created earlier in
this lab. After negotiating the authentication and getting a DHCP IP address, your client
will connect to the wireless network and you will get the following balloon popup in the
notification bar.
Lab 7
Common Administrative Tasks
You will learn how to:
Backup configuration files
Upgrade firmware
Modify DHCP settings
2. Click Save and you will be prompted as to where you want to save the configuration
file. Specify the directory and click Save.
3. Once downloaded, you will be asked if you want to Open the File, Open the Folder, or
Close. Choose to Close.
4. Just to make sure that your backup was successful, you'll now restore the file you backed
up. Back on the wireless router's Config Management screen, click Browse and find
the location of your configuration file.
5. Once you click Open on the file, you will be back at the Config Management screen.
Now click Restore. When the restore is complete, you will, very misleadingly, get the
message that the upgrade is successful, even though no upgrade was performed.
Even though the message is misleading, at least you know that the upgrade worked and
the config file was good. A good way to test this would be to backup your configuration,
make a change and then restore the configuration. On some routers, this method can be
used to clone routers. However, with Linksys routers, the configuration file cannot be
edited as a regular text file.
Upgrading firmware
Every good network administrator should frequently check for new operating
system/firmware upgrades for their network devices. Part of the job of installing the
network at Blue Crab Food Co., involves updating network devices to the latest firmware.
Older firmware can have security holes and bugs that could open your client up to problems
in the future.
1. To upgrade the firmware on our wireless router, first you need to obtain the firmware by
going to the manufacturer's website. In our case, go to www.linksys.com and click on
Support. Choose Downloads in the drop down box.
2. On the Downloads page, select your product. In our case, this is the WRT54G version 3.
You can leave the default of Windows XP and then click Downloads for this product.
3. The downloads that are available for this product will be shown. Click on Firmware.
5. The firmware updates come in two versions - an executable file .exe and a zip file. You
want to download the zip file for this lab. Click to download the firmware. Say that you
want to Save the Zip file and specify where. Once the file has been downloaded, click
Open. Unzip the files that you downloaded into a directory of your choice. On the
wireless router, go to the Administration tab and the Firmware Upgrade section.
Notice that there is no way to downgrade firmware or even to download the existing
router's firmware. To upgrade the firmware, click Browse and navigate to the directory
you unzipped the firmware into. Select the firmware image. In our case, the
firmware is called WRT54GV3.1_4.00.7_US_code.bin.
6. Click the Upgrade button and the upgrade will begin. You will see the upgrade progress
represented in the bar. When the upgrade is done, you will get this message:
7. You can see the current version of your firmware on every screen of the web-based
management console in the upper right hand corner.
The firmware has now been upgraded. With this model of Linksys, firmware upgrades
are manual. With some other routers you can configure them to automatically check for
firmware upgrades each time you go to the management interface.
These current settings are viewed by going to the wireless router's web-based Setup tab
and looking on the default page. The default page is under the Setup tab and the Basic
Setup section. Some companies may choose a more robust DHCP solution, like the one
that Windows Server offers. At Blue Crab, the CIO feels that the built-in solution on the
wireless router will be enough for the time being.
2. Now we'll change the maximum number of DHCP users to 150. Note that, as we are
starting at 192.168.1.100, the 100 + 150 puts IP addresses .100-.249 in use by DHCP.
This does not exceed 254 so there is no need to change the starting IP address of the
DHCP server. The changes look like this:
3. To see which client has which IP address, go to the wireless router's web-based
management interface. Click on the Status tab and on the Local Network section.
Click on the DHCP Clients Table.
Lab 8
Troubleshooting the Wireless LAN
You will learn how to:
Test throughput of your WLAN
Troubleshoot Internet connectivity
Troubleshoot wireless connectivity
2. Run QCheck by going to Start > All Programs > Ixia QCheck > QCheck. Start
the same application on Client2. Back on Client1, enter the IP address of endpoint 1
and endpoint 2. These would be the IP addresses of Client 1 and Client 2. You can find
these clients' IP addresses by either going to the Windows cmd and typing
IPCONFIG /ALL or by going to the bottom right of your screen and clicking on the
wireless network adaptor icon and then navigating to the Support page. Here are the
results for each method on Client1.
3. You can also see which client has which IP address by going to the wireless router's
DHCP client list (see Lab 7's DHCP section). In QCheck, after entering the IP
addresses for the clients, click on TCP for the Protocol and Throughput in the
Options section.
4. As you can see, the real throughput for our 54Mbps wireless network is only 5.634Mbps.
Of course, your performance will vary based on wireless interference, the number of
clients in use and the types of data being transmitted. Click on Details to get more
information about this test and the clients. See the example screenshot, below.
1. To check connectivity from the wireless router to the Internet, go to the wireless
router's web interface, click on the Administration tab and then on the Diagnostics
section. From here, you can ping and traceroute to Internet or Intranet IP addresses.
For our test here you should ping and traceroute to www.trainsignal.com.
It looks like our test was successful. Perhaps the Internet outage was short and
connectivity has been restored. To double check, go ahead and renew your WAN
DHCP IP address.
2. To release and renew your DHCP IP address, go to the wireless router's web-based
management. Click on the Status tab and the Router section. You can see your current
IP address, default gateway and DNS (note that a loss of DNS can also make it seem
that Internet connectivity is lost). To renew your Internet IP, click Renew.
By being able to successfully renew your Internet IP, you know that you have
connectivity over your Internet connection (whether you are using DSL, Cable, T1 or
other method).
If you cannot renew your IP address, you know that there is a connectivity problem. You
can also ping your default gateway and DNS servers. Many times, this can give you a clue
as to what the problem is.
It would appear that the trouble has passed and the Internet is running again. It is a good
thing you were prepared to be able to intelligently troubleshoot your network.
Find Rogue Access Points: NetStumbler can look for rogue access points on your
network. These rogue APs can allow unauthorized or unsecured access to your
network. Rogue APs can also take users away from the real network and steal their
credentials by posing as real APs.
Site Survey: NetStumbler can tell you where you have poor wireless coverage or
where you are getting interference from other APs.
Antenna Positioning: NetStumbler can show you the best place and direction to
place antennas and APs.
To help Blue Crab Food Co. troubleshoot their WLAN issue, you will now download
NetStumbler and use it to analyze wireless coverage near and far from the wireless access
point. The software can be downloaded from:
http://www.netstumbler.com/downloads/
1. Download NetStumbler, run the executable download and install it. Once installed,
run it from the Windows Start > All Programs menu. When running, NetStumbler will
disconnect you from your wireless network. While it is running, all you can do is analyze
your wireless network; you can't use the WLAN for normal purposes from the system
you are running it on.
NetStumbler looks like this:
2. For this exercise you will perform a simple task to see how wireless coverage changes
with distance. Look at the statistics for BC1 when your Client1 is near the wireless access
point. Notice that in the screenshot, above, the signal to noise ratio (SNR) was 83 when
you are near the wireless access point.
Now, move Client1 away from the wireless access point (approximately 30 feet if
possible). After moving (or, as you move if Client1 is a laptop), you will see that the SNR
has decreased. In the screenshot below, you will see that the SNR went down to 17. At
that low level, it can be difficult to get a connection or, if you can get a connection,
performance will be poor.
You might now be wondering what is a good SNR and what is a bad one. The following
chart can be used as a guide.
SNR               Signal quality
40 dB or greater  High
25 to 40 dB       Good
15 to 25 dB       Low
5 to 10 dB        No signal
By testing to see which areas have low or no signal, you will know where to place
additional wireless access points.
In the case of Blue Crab Food Co., you have discovered that you will need to install an
additional wireless access point or wireless bridge in the area that was complaining about
poor performance and intermittent signal.