Cisco Systems DL-2159-05 Security Overview

8-2

Cisco Aironet 1200 Series Access Point Software Configuration Guide

OL-2159-05

Chapter8 Security Setup

Security Overview

Security Overview

This section describes the types of security features you can enable on the access point. The security

features protect wireless communication between the access point and other wireless devices, control

access to your network, and prevent unauthorized entry to the access point management system.

On an access point with two radios, you can assign different secu rity settings to each radio.

Levels of Security

Security is vital for any wireless network, and you should enable all the security features available on

your network. Figure 8-1 shows possible levels of security on Cisco Aironet wireless networking

equipment, from no security on the left to highest security on the right. The highest level of security,

EAP authentication, interacts with a Remote Authentication Dial-In User Service (RADIUS) server on

your network to provide authentication service for wireless client devices.

Figure8-1 Wireless LAN Security Levels

If you don’t enable any security features on your access point, anyone with a wirel ess networking device

is able to join your network. If you enable open or shared-key authentication with WEP encryption, your

network is safe from casual outsiders but vulnerable to intruders who use a hacking algorithm to

calculate the WEP key. If you enable server-based EAP authentication with Message Integrity Check

(MIC), Temporal Key Integrity Protocol (TKIP, also known as key hashing), and broadcast key rotation,

your network is safe from all but the most sophisticated attacks against wireless security.

Encrypting Radio Signals with WEP

Just as anyone within range of a radio station can tune to the station’s frequency and listen to the signal,

any wireless networking device within range of an access point can receive the access point’s radio

transmissions. Because WEP (Wired Equivalent Privacy) is the first line of defense against intruders,

Cisco recommends that you use full encryption on your wireles s network.

Default

settings

Unique

SSID with

Broadcast

SSID

disabled

Shared

key

authen-

tication

with WEP

Open

authen-

tication

with WEP

MAC-

based

authen-

tication

with WEP

EAP

authen-

tication

with WEP

EAP

authen-

tication

with MIC,

TKIP, and

WEP

Not secure Most secure

65677

Contents

Main Page CONTENTS Page Page Page Page Page Page Page Page Page Preface Audience and Scope Organization Conventions Related Publications Obtaining Documentation Cisco.com Documentation CD-ROM Ordering Documentation Documentation Feedback Obtaining Technical Assistance Cisco TAC Website Opening a TAC Case TAC Case Priority Definitions Obtaining Additional Publications and Information Overview Key Features Management Options Roaming Client Devices Quality of Service Support What is QoS? Limitations and Restrictions Related Documents VLAN Support What is a VLAN? Related Documents Incorporating Wireless Devices into VLANs A VLAN Example Network Configuration Examples Root Unit on a Wired LAN Repeater Unit that Extends Wireless Range Central Unit in an All-Wireless Network Access Point (Root Unit) Using the Management Interfaces Using the Web-Browser Interface Using the Web-Browser Interface for the First Time Using the Management Pages in the Web-Browser Interface Navigating Using the Map Windows Using the Command-Line Interface Preparing to Use a Terminal Emulator Connecting the Serial Cable Setting Up the Terminal Emulator Changing Settings with the CLI Selecting Pages and Settings Applying Changes to the Configuration Using a Telnet Session Using SNMP Supported MIBs Radio Configuration and Basic Settings Basic Settings Entering Basic Settings System Name MAC Address System Serial Number Configuration Server Protocol Default IP Address Default IP Subnet Mask Default Gateway Radio Service Set ID (SSID) Page Radio Network Optimization (Optimize Radio Network For) Security Setup Link Radio Network Compatibility (Ensure Compatibility With) Security Setup Link SNMP Admin. Community Radio Configuration Entering Identity Information Settings on the AP Radio Identification Page Primary Port Settings Default IP Address Default IP Subnet Mask Service Set ID (SSID) LEAP User Name Entering Radio Hardware Information Settings on the AP Radio Hardware Page Service Set ID (SSID) Allow Broadcast SSID to Associate? Enable World Mode Data Rates Transmit Power Frag. Threshold RTS Threshold Max. RTS Retries Max. Data Retries Default Radio Channel Search for Less-Congested Radio Channel Restrict Searched Channels Receive Antenna and Transmit Antenna Entering Advanced Configuration Information Page Settings on the AP Radio Advanced Page Requested Status Packet Forwarding Default Multicast Address Filters Maximum Multicast Packets/Second Radio Cell Role SSID For Use By Infrastructure Stations Disallow Infrastructure Stations on Any Other SSID Use Aironet Extensions Classify Workgroup Bridges as Network Infrastructure Require Use of Radio Firmware x.xx Ethernet Encapsulation Transform Quality of Service Setup Link VLAN Setup Link Enhanced MIC verification for WEP Temporal Key Integrity Protocol Broadcast WEP Key rotation interval (sec) Advanced Primary SSID Setup Link Preferred Access Points Radio Modulation Radio Preamble Non-Root Mobility Ethernet Configuration Entering Identity Information Settings on the Ethernet Identification Page Primary Port Settings Default IP Address Entering Ethernet Hardware Information Settings on the Ethernet Hardware Page Speed Loss of Backbone Connectivity # of Secs (1-10000) Loss of Backbone Connectivity Action Loss of Backbone Connectivity SSID Entering Advanced Configuration Information Settings on the Ethernet Advanced Page Requested Status Packet Forwarding Default Unicast and Multicast Address Filters Page Page Configuring VLANs Entering VLAN Information Settings on the VLAN Setup page VLAN Summary Status Link VLAN (802.1Q) Tagging 802.1Q Encapsulation Mode Maximum Number of Enabled VLAN IDs Native VLAN ID VLAN Security Policy Broadcast Domain Segmentation Native VLAN Configuration Primary and Secondary SSIDs RADIUS-Based VLAN Access Control Criteria for Deploying Wireless VLANs A Wireless VLAN Deployment Example Page Using the Configuration Screens Obtaining and Recording VLAN ID and Setup Information Creating and Configuring VLANs on the Access Point Creating the Native VLAN Page Page Creating the Full- and Part-Time VLANs Creating the Guest VLAN Creating the Maintenance VLAN Creating and Configuring the SSIDs Page Page Enabling VLAN (802.1Q) Tagging and Identifying the Native VLAN Page Creating an SSID for Infrastructure Devices Guidelines for Wireless VLAN Deployment Page Configuring Filters and QoS Filter Setup Protocol Filtering Creating a Protocol Filter Page Enabling a Protocol Filter MAC Address Filtering Creating a MAC Address Filter Page Page QoS Configuration Entering Information on the AP Radio Quality of Service Setup Page Settings on the Quality of Service Setup Page Generate QBSS Element Use Symbol Extensions Send IGMP General Query Traffic Category Applying QoS By Station Page By VLAN By Filter Page A Wireless QoS Deployment Example Page WEP Set on the Wireless Phone WEP Not Set on the Wireless Phone Page Page Page Configuring Proxy Mobile IP Proxy Mobile IP Introduction to Mobility in IP The Nomadic Approach The Mobile Approach Mobile IP Explained Page Proxy Mobile IP Explained Before Deploying Proxy Mobile IP Issues to Consider While Deploying Proxy Mobile IP Components of a Proxy Mobile IP Network How Proxy Mobile IP Works Agent Discovery Subnet Map Exchange Registration Tunneling Proxy Mobile IP Security The Proxy Mobile IP Setup Page General Settings on the Proxy Mobile IP General Page Enable Proxy Mobile IP Authoritative AP n Authentication Server Settings on the Authenticator Configuration Page Local SA Bindings Settings on the Local SA Bindings Page IP Address Range - Start IP Address Range - End Group SPI Statistics Settings on the Proxy Mobile IP Statistics Page Mobile IP Status Home Agents Foreign Agents Page Registration Requests Denied by HA Gratuitious ARPs sent View Subnet Map Table Settings on the Subnet Map Table Page Configuring Proxy Mobile IP Configuring Proxy Mobile IP on Your Wired LAN 6-20 Follow these steps to create a Proxy Mobile IP configuration. (Figure 6-12). Page Page Configuring Mobile IP Security Associations on a CiscoSecure ACS Server Page Page Page Configuring Other Settings Server Setup Entering Time Server Settings Settings on the Time Server Setup Page Simple Network Time Protocol Default Time Server GMT Offset (hr) Use Daylight Savings Time Entering Boot Server Settings Settings on the Boot Server Setup Page Configuration Server Protocol Use Previous Configuration Server Settings Read .ini File from File Server BOOTP Server Timeout (sec) DHCP Multiple-Offer Timeout (sec) DHCP Requested Lease Duration (min) DHCP Minimum Lease Duration (min) DHCP Client Identifier Type DHCP Client Identifier Value DHCP Class Identifier Entering Web Server Settings and Setting Up Access Point Help Settings on the Web Server Setup Page Allow Non-Console Browsing HTTP Port Default Help Root URL Extra Web Page File Default Web Root URL Entering Name Server Settings Settings on the Name Server Setup Page Domain Name System Default Domain Domain Name Servers Entering FTP Settings Settings on the FTP Setup Page Routing Setup Entering Routing Settings Default Gateway New Network Route Settings Installed Network Routes list Association Table Display Setup Association Table Filters Page Page Settings on the Association Table Filters Page Stations to Show Fields to Show Packets To/From Station Bytes To/From Station Association Table Advanced Page Settings on the Association Table Advanced Page Handle Station Alerts as Severity Level Maximum number of bytes stored per Station Alert packet Maximum Number of Forwarding Table Entries Rogue AP Alert Timeout (minutes) Aironet Extended Statistics in MIB (awcTpFdbTable) Event Notification Setup Event Display Setup Page Settings on the Event Display Setup Page How should time generally be displayed? How should Event Elapsed (non-wall-clock) Time be displayed? Severity Level at which to display events Event Handling Setup Page Page Settings on the Event Handling Setup Page Disposition of Events Handle Station Events as Severity Level Maximum number of bytes stored per Alert packet Maximum memory reserved for Detailed Event Trace Buffer (bytes) Event Notifications Setup Page Settings on the Event Notifications Setup Page Should Notify-Disposition Events generate SNMP Traps? SNMP Trap Destination SNMP Trap Community Should Notify-Disposition Events generate Syslog Messages? Should Syslog Messages use the Cisco EMBLEM Format? Syslog Destination Address Syslog Facility Number IEEE SNMP Traps Should Generate the Following Notifications Security Setup Security Overview Levels of Security Encrypting Radio Signals with WEP Additional WEP Security Features Network Authentication Types Page Page Combining MAC-Based, EAP, and Open Authentication Protecting the Access Point Configuration with User Manager Setting Up WEP Page Page Using SNMP to Set Up WEP Enabling Additional WEP Security Features Enabling Message Integrity Check (MIC) Page Enabling Temporal Key Integrity Protocol (TKIP) Enabling Broadcast WEP Key Rotation Setting Up Open or Shared Key Authentication Setting Up EAP Authentication Enabling EAP on the Access Point Page Page Enabling EAP in Cisco Secure ACS Setting a Session-Based WEP Key Timeout Setting Up a Repeater Access Point As a LEAP Client Page Setting Up MAC-Based Authentication Enabling MAC-Based Authentication on the Access Point Page Page Page Authenticating Client Devices Using MAC Addresses or EAP Enabling MAC-Based Authentication in Cisco Secure ACS Summary of Settings for Authentication Types Page RADIUS Attributes Sent by the Access Point Page Setting Up Backup Authentication Servers Setting Up Administrator Authorization Creating a List of Authorized Management System Users Page Setting up Centralized Administrator Authentication Page System Flow Notes Authorization Parameters Network Management Using the Association Table Browsing to Network Devices Setting the Display Options Using Station Pages Information on Station Pages Station Identification and Status To Station Information From Station Information Rate, Signal, and Status Information Hops and Timing Information Performing Pings and Link Tests Performing a Ping Performing a Link Test Clearing and Updating Statistics Deauthenticating and Disassociating Client Devices Using the Network Map Window Using Cisco Discovery Protocol Settings on the CDP Setup Page MIB for CDP Assigning Network Ports Settings on the Port Assignments Page Enabling Wireless Network Accounting Settings on the Accounting Setup Page Accounting Attributes Page Page Managing Firmware and Configurations Updating Firmware Updating with the Browser from a Local Drive Full Update of the Firmware Components Selective Update of the Firmware Components Updating from a File Server Full Update of the Firmware Components Page Selective Update of the Firmware Components Retrieving Firmware and Web Page Files Distributing Firmware Distributing a Configuration Limiting Distributions Downloading, Uploading, and Resetting the Configuration Downloading the Current Configuration Uploading a Configuration Uploading from a Local Drive Uploading from a File Server Resetting the Configuration Restarting the Access Point Management System Setup SNMP Setup Settings on the SNMP Setup Page Using the Database Query Page Settings on the Database Query Page Changing Settings with the Database Query Page Console and Telnet Setup Settings on the Console/Telnet Page Using Secure Shell Page Special Configurations Setting Up a Repeater Access Point Page Page Using Hot Standby Mode Page Page Page Diagnostics and Troubleshooting Using Diagnostic Pages Network Diagnostics Page Selections on the Network Diagnostics Page Radio Diagnostics Tests VLAN Summary Status SSIDs: Int, Mod Network Ports Page Identifying Information and Status Data Received Data Transmitted Ethernet Port Page Configuration Information Receive Statistics Transmit Statistics AP Radio Page Configuration Information Receive Statistics Transmit Statistics Display Options Event Log Page Display Settings Log Headings Saving the Log Event Log Summary Page Using Command-Line Diagnostics Entering Diagnostic Commands Diagnostic Command Results :eap_diag1_on :eap_diag2_on :vxdiag_arpshow Page :vxdiag_checkstack :vxdiag_hostshow :vxdiag_i :vxdiag_ipstatshow :vxdiag_memshow 13-25 :vxdiag_muxshow :vxdiag_routeshow 13-27 :vxdiag_tcpstatshow :vxdiag_udpstatshow Tracing Packets Reserving Access Point Memory for a Packet Trace Log File Tracing Packets for Specific Devices Tracing Packets for Ethernet and Radio Ports Viewing Packet Trace Data Packets Stored in a Log File Packets Displayed on the CLI Checking the Top Panel Indicators Page Finding an Access Point by Blinking the Top Panel Indicators Checking Basic Settings SSID WEP Keys EAP Authentication Requires Matching 802.1x Protocol Drafts Page Resetting to the Default Configuration Page Page A Channels, Power Levels, and Antenna Gains Channels IEEE 802.11a IEEE 802.11b Maximum Power Levels and Antenna Gains IEEE 802.11a IEEE 802.11b Page Page B Protocol Filter Lists Page Page Page Page Page C Event Log Messages Message Formats Default Format Cisco Emblem Format Page Message Descriptions Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Statuses and Reasons Page Page INDEX Numerics A B C D E F G H I K M N O P Q R S T U V W