1-6
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 1 Overview
Operating System Security
•RSN with or without Pre-Shared key.
•Cranite FIPS140-2 compliant passthrough.
•Fortress FIPS140-2 compliant passthrough.
•Optional MAC Filtering.
The WEP problem can be further solved using industry-standard Layer 3 security solutions, such as:
•Terminated and passthrough VPNs
•Terminated and passthrough Layer Two Tunneling Protocol (L2TP), which uses the IP Security
(IPSec) protocol.
•Terminated and pass-through IPSec protocols. The terminated Cisco WLAN Solution IPSec
implementation includes:
–
Internet key exchange (IKE)
–
Diffie-Hellman (DH) groups, and
–
Three optional levels of encryption: DES (ANSI X.3.92 data encryption standard), 3DES (ANSI
X9.52-1998 data encryption standard), or AES/CBC (advanced encryption standard/cipher
block chaining).
The Cisco WLAN Solution IPSec implementation also includes industry-standard authentication
using:
–
Message digest algorithm (MD5), or
–
Secure hash algorithm-1 (SHA-1)
•The Cisco Wireless LAN Solution supports local and RADIUS MAC Address filtering.
•The Cisco Wireless LAN Solution supports local and RADIUS user/password authentication.
•The Cisco Wireless LAN Solution also uses manual and automated Disabling to block access to
network services. In manual Disabling, the operator blocks access using client MAC addresses. In
automated Disabling, which is always active, the operating system software automatically blocks
access to network services for an operator-defined period of time when a client fails to authenticate
for a fixed number of consecutive attempts. This can be used to deter brute-force login attacks.
These and other security features use industry-standard authorization and authentication methods to
ensure the highest possible security for your business-critical wireless LAN traffic.
Cisco WLAN Solution Wired SecurityMany traditional access point vendors concentrate on security for the Wireless interface similar to that
described in the “Operating System Security” section on page 1-5. However, for secure Cisco Wireless
LAN Controller Service Interfaces, Cisco Wireless LAN Controller to access point, and inter-Cisco
Wireless LAN Controller communications during device servicing and client roaming, the operating
system includes built-in security.
Each Cisco Wireless LAN Controller and Cisco 1000 series lightweight access point is manufactured
with a unique, signed X.509 certificate. This certificate is used to authenticate IPSec tunnels between
devices. These IPSec tunnels ensure secure communications for mobility and device servicing.
Cisco Wireless LAN Controllers and Cisco 1000 series lightweight access points also use the signed
certificates to verify downloaded code before it is loaded, ensuring that hackers do not download
malicious code into any Cisco Wireless LAN Controller or Cisco 1000 series lightweight access point.