Provisioning CA and Server Certificates on Cisco ISE

Provision both ISE nodes with the CA root certificate and their own individual server certificates
(generated by certificate signing requests).

Relevant documentation:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html

CA Certificate

  1. First, download the Root CA certificate from your Certificate Authority: http://<ca>/certsrv/
  2. Click “Download a CA certificate, certificate chain, or CRL”

[Screenshot: Download CA]

[Screenshot: DER Format]

  1. Encoding method should be “DER”
  2. Click “Download CA Certificate”

[Screenshot: Save File]

Save it to a location on your file system.

  1. On ISE go to Administration > System > Certificates > Certificate Store. Click “Import”.
  2. Click Browse and locate the root CA certificate.
  3. Tick “Trust for Client Authentication”. If you don’t, you may see failures such as “12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain” when using EAP-TLS.
  4. Click “Submit”.

[Screenshot: ISE Certificate]

The CA Certificate will appear alongside the original self-signed certificate generated by ISE.

[Screenshot: Certificate Store]

If you have 2 or 3 ISE nodes then you must repeat these steps for the Root CA on each node.

ISE Local Server Certificates

  1. On each node go to Administration > System > Certificates > Local Certificates
  2. Click Add > Generate Certificate Signing Request
  3. Fill in the CN with the ISE node’s FQDN and any other relevant fields. Click “Submit”

[Screenshot: ISE Local]

  1. Go to Administration > System > Certificates > Certificate Signing Requests.
  2. Tick the request and click Export.

[Screenshot: ISE CSR]

[Screenshot: Open Notepad]

  1. Save the request onto your computer and open it in Notepad.
  2. On your Microsoft CA server (http://<ca>/certsrv/) go to Request Certificate > Advanced certificate request.
  3. Paste the contents of the CSR into the request field and select “Web Server” as the template.

[Screenshot: Request a Certificate]

[Screenshot: Advanced Certificate Request]

[Screenshot: Renewal Request]

  1. Click Submit
  2. Download the DER encoded certificate. Click “Download Certificate”
  3. On ISE go to Administration > System > Certificates > Local Certificates
  4. Click “Add” > “Bind CA Certificate”
  5. Select the certificate from your computer. Tick “EAP” and “Management Interface” and click “Submit”

[Screenshot: Bind CA]

[Screenshot: Bind CA Certificate]

  1. ISE will need to reload to complete the certificate installation.
  2. Perform this task on all nodes in the deployment before joining them together.

Multiple SSID configurations on Autonomous AP

We will follow the same procedure as in the Single SSID on Standalone AP post.

Here I will add one more VLAN, 102.

First, the switch side configuration for this AP is:

int fa 0/15
  switchport mode trunk
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 100,101,102

Step1: Configure the SSID and map to a VLAN

dot11 ssid data1
 vlan 101
 authentication open
 authentication key-management wpa version 1
 wpa-psk ascii cisco123
 mbssid guest-mode
 ! mbssid guest-mode broadcasts this SSID when several SSIDs share the radio
 exit
!
dot11 ssid data2
 vlan 102
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii Cisco12345
 mbssid guest-mode
 end

Step2: Configure the radio and Ethernet interface

config t
 interface dot11Radio0
  ssid data1
  ssid data2
  exit
 !
 interface dot11Radio0.100
  encapsulation dot1Q 100
  bridge-group 1
  ! bridge-group 1 is BVI1: the management VLAN must join it
  exit
 !
 interface dot11Radio0.101
  encapsulation dot1Q 101
  bridge-group 101
  exit
 !
 interface dot11Radio0.102
  encapsulation dot1Q 102
  bridge-group 102
  exit
 !
 interface fa0.100
  encapsulation dot1Q 100
  bridge-group 1
  exit
 !
 interface fa0.101
  encapsulation dot1Q 101
  bridge-group 101
  exit
 !
 interface fa0.102
  encapsulation dot1Q 102
  bridge-group 102
  exit

Step3: Assign encryption to SSIDs with VLAN

interface dot11Radio0
 encryption vlan 101 mode ciphers tkip
 encryption vlan 102 mode ciphers aes-ccm
 mbssid

Step4: Configure AP for management

interface BVI1
 ip address 10.35.100.250 255.255.255.0
 no shutdown
 exit
ip default-gateway 10.35.100.254
end

Step5: To verify the results:

Sh ip int br

ap#sh ip int brief
 Interface                  IP-Address      OK? Method Status                Protocol
 BVI1                       10.35.100.250    YES manual up                    up
 Dot11Radio0                unassigned      YES unset  up                    up
 Dot11Radio0.100             unassigned      YES unset  up                    up
 Dot11Radio0.101             unassigned      YES unset  up                    up
 Dot11Radio0.102             unassigned      YES unset  up                    up
 Dot11Radio1                unassigned      YES unset  administratively down down
 FastEthernet0              unassigned      YES other  up                    up
 FastEthernet0.100           unassigned      YES unset  up                    up
 FastEthernet0.101           unassigned      YES unset  up                    up
 FastEthernet0.102           unassigned      YES unset  up                    up

Sh dot11 association

 ap#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [data2] :
 MAC Address    IP address      Device        Name            Parent         State
 5426.963e.4bee 10.35.102.251    unknown       -               self           Assoc
 ap#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [data1] :
 MAC Address    IP address      Device        Name            Parent         State
 5426.963e.4bee 10.35.101.251    unknown       -               self           Assoc

Single SSID configuration on Autonomous AP

Today I learnt how to create SSIDs with different authentication types in my test lab on a Cisco autonomous AP.

In this post we will see the configuration for one SSID with WPA authentication.

Before starting the configuration, there are a few things we should remember:

    • SSIDs are case sensitive and can contain up to 32 alphanumeric characters.
    • There should be no spaces in an SSID.
    • There is a limit on the maximum number of SSIDs on a Cisco AP (it depends on the model).
    • If there is only one SSID then we must use the guest-mode command under the SSID.
    • If we have multiple SSIDs then use one of these two options:
        • mbssid under the radio interface and mbssid guest-mode under the SSID config section
        • dot11 mbssid under the global config section and mbssid guest-mode under the SSID config section

Just a few things:

      • I have a DHCP server configured on my Cisco switch in VLAN 101.
      • VLAN 100 is for management.

Let’s start with the configuration:

First, the switch side configuration for this AP is:

int fa 0/15
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101

Step1: Configure the SSID and map to a VLAN

config t
 dot11 ssid data1
  vlan 101
  authentication open
  authentication key-management wpa version 1
  wpa-psk ascii cisco123
  guest-mode
  ! guest-mode broadcasts the SSID
  end

Step2: Configure the radio and Ethernet interface

interface dot11Radio0
  ssid data1
  ! maps the SSID to the radio interface
  exit
 !
 interface dot11Radio0.100
  encapsulation dot1Q 100
  bridge-group 1
  ! bridge-group 1 is BVI1: the management VLAN (100) must join it
  exit
 !
 interface dot11Radio0.101
  encapsulation dot1Q 101
  bridge-group 101
  exit
 !
 interface fa0.100
  encapsulation dot1Q 100
  bridge-group 1
  exit
 !
 interface fa0.101
  encapsulation dot1Q 101
  bridge-group 101
  exit

Step3: Assign encryption (if wpa or wpa2 types is used) to SSIDs with VLAN

interface dot11Radio0
 encryption vlan 101 mode ciphers tkip

Step4: Configure AP for management

interface BVI1
 ip address 10.35.100.250 255.255.255.0
 exit
ip default-gateway 10.35.100.254

Step5: To verify the results:

      1. Sh ip int br
ap#sh ip int brief
 Interface                  IP-Address      OK? Method Status                Protocol
 BVI1                       10.35.100.250    YES manual up                    up
 Dot11Radio0                unassigned      YES unset  up                    up
 Dot11Radio0.100             unassigned      YES unset  up                    up
 Dot11Radio0.101             unassigned      YES unset  up                    up
 Dot11Radio1                unassigned      YES unset  administratively down down
 FastEthernet0              unassigned      YES other  up                    up
 FastEthernet0.100           unassigned      YES unset  up                    up
 FastEthernet0.101           unassigned      YES unset  up                    up

      2. Sh dot11 associations
ap#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [data1] :
 MAC Address    IP address      Device        Name            Parent         State
 5426.963e.4bee 10.35.101.251    unknown       -               self           Assoc
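The two autonomous-AP posts above (multiple SSIDs and single SSID) apply the same rules by hand. The following Python script is an added example, not code from the original posts or from Cisco: it checks an SSID/VLAN plan against those rules and renders the matching IOS configuration, so a mismatch such as a VLAN missing from the switch trunk, a space in an SSID, or the wrong cipher for a WPA version is caught before anything is typed into the AP. The Ssid dataclass, the function names and the bridge-group 1 convention for the management VLAN are this example's own choices; the sample plan reuses the posts' SSIDs, VLANs, addresses and keys.

```python
"""Validate an autonomous-AP SSID/VLAN plan and emit the IOS configuration.

Added example, not from the original posts or from Cisco.  It encodes the
rules the posts state: SSID naming limits, guest-mode for one SSID versus
mbssid plus mbssid guest-mode for several, a matching Dot11Radio0 and
FastEthernet0 sub-interface with the same bridge-group per VLAN, TKIP for
WPA version 1 and AES-CCM for version 2, and every VLAN allowed on the trunk.
"""
from dataclasses import dataclass


@dataclass
class Ssid:
    name: str
    vlan: int
    wpa_version: int   # 1 -> TKIP, 2 -> AES-CCM
    psk: str           # ASCII pre-shared key


CIPHER_FOR_WPA = {1: "tkip", 2: "aes-ccm"}


def validate(ssids, trunk_allowed, mgmt_vlan):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    seen = set()
    for s in ssids:
        if not 1 <= len(s.name) <= 32:
            problems.append(f"{s.name!r}: SSID must be 1-32 characters")
        if " " in s.name:
            problems.append(f"{s.name!r}: SSID must not contain spaces")
        if s.name in seen:   # case sensitive: 'Data1' and 'data1' are different SSIDs
            problems.append(f"{s.name!r}: duplicate SSID")
        seen.add(s.name)
        if s.wpa_version not in CIPHER_FOR_WPA:
            problems.append(f"{s.name!r}: unsupported WPA version {s.wpa_version}")
        if not 8 <= len(s.psk) <= 63:   # 802.11 ASCII passphrase length (assumed here)
            problems.append(f"{s.name!r}: ASCII PSK must be 8-63 characters")
        if s.vlan not in trunk_allowed:
            problems.append(f"{s.name!r}: VLAN {s.vlan} is not allowed on the switch trunk")
        if s.vlan == mgmt_vlan:
            problems.append(f"{s.name!r}: client VLAN {s.vlan} must not be the management VLAN")
    if mgmt_vlan not in trunk_allowed:
        problems.append(f"management VLAN {mgmt_vlan} is not allowed on the switch trunk")
    return problems


def render_config(ssids, mgmt_vlan, mgmt_ip, mgmt_mask, gateway):
    """Render the AP configuration for a validated plan, following the posts' layout."""
    multi = len(ssids) > 1
    lines = []
    for s in ssids:
        lines += [f"dot11 ssid {s.name}", f" vlan {s.vlan}", " authentication open",
                  f" authentication key-management wpa version {s.wpa_version}",
                  f" wpa-psk ascii {s.psk}",
                  " mbssid guest-mode" if multi else " guest-mode", "!"]
    lines.append("interface Dot11Radio0")
    lines += [f" encryption vlan {s.vlan} mode ciphers {CIPHER_FOR_WPA[s.wpa_version]}"
              for s in ssids]
    lines += [f" ssid {s.name}" for s in ssids]
    if multi:
        lines.append(" mbssid")
    lines.append("!")
    for base in ("Dot11Radio0", "FastEthernet0"):
        # The management VLAN sub-interface joins bridge-group 1, which is BVI1.
        lines += [f"interface {base}.{mgmt_vlan}", f" encapsulation dot1Q {mgmt_vlan}",
                  " bridge-group 1", "!"]
        for s in ssids:   # one client VLAN sub-interface per SSID, same bridge-group on both sides
            lines += [f"interface {base}.{s.vlan}", f" encapsulation dot1Q {s.vlan}",
                      f" bridge-group {s.vlan}", "!"]
    lines += ["interface BVI1", f" ip address {mgmt_ip} {mgmt_mask}", "!",
              f"ip default-gateway {gateway}"]
    return "\n".join(lines)


if __name__ == "__main__":
    plan = [Ssid("data1", 101, 1, "cisco123"), Ssid("data2", 102, 2, "Cisco12345")]
    issues = validate(plan, trunk_allowed={100, 101, 102}, mgmt_vlan=100)
    if issues:
        raise SystemExit("\n".join(issues))
    print(render_config(plan, 100, "10.35.100.250", "255.255.255.0", "10.35.100.254"))
```

Running the script prints the configuration for the two-SSID plan; passing a single SSID switches the output from mbssid plus mbssid guest-mode to plain guest-mode, which is the distinction the single-SSID post's checklist draws.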
  

Reset an Autonomous AP to factory default by Mode Button

Here is the process to reset a standalone AP to factory default.

Steps:

  1. Remove the power supply from the access point.
  2. Press and hold the MODE button while reconnecting the power to the AP.
  3. Keep the MODE button pressed until the Ethernet LED turns red (or amber), then release the button (the pressing time will be around 10-20 seconds). Sometimes the AP will go into boot mode; then we must enter the command “boot” and press Enter.
  4. Now the access point will reboot and we can configure it again via the console or the web interface.

Note: Cisco APs have a default configuration that includes a username and password combination, both of which are Cisco. After we reset to factory defaults, be ready to give Cisco as both the username and password when either the GUI or the command-line interface (CLI) prompts us.

Access Point Conversion (LAP to AAP and vice versa)

First of all we must know about access point images 🙂

Remember some facts/clues about images:
Autonomous image: k9w7
Lightweight image: k9w8
To know more about AP images, please visit my post: Understanding AP images.

Make sure the autonomous access points are running Cisco IOS Release 12.3(7)JA or later before performing the lightweight mode conversion. If necessary, upgrade the access point to Cisco IOS Release 12.3(7)JA or later.

Now we will see how to convert from LAP to AAP.

Lightweight to Autonomous Conversion:

Step1: Download the software from cisco.com
Here is the screenshot:

[Screenshot: Download AAP]

Start a TFTP server and put the IOS image (k9w7) in the TFTP root directory.

I have this image: c1240-k9w7-mx.124-25d.JA2
Step2: Connect the PC and the AP with an Ethernet cable. Make sure that the AP and the PC are in the same subnet.
Step3: Run these commands on the AP. The first one (debug lwapp console cli, or debug capwap console cli on a CAPWAP image) is necessary to enter config mode on a lightweight AP:

 AP588d.0903.e31c# debug lwapp console cli
 AP588d.0903.e31c# config t
 AP588d.0903.e31c(config)# interface fa 0
 AP588d.0903.e31c(config-if)# ip address 10.0.0.5 255.255.255.0
 ! same subnet as the PC (10.0.0.1/24)
 AP588d.0903.e31c(config-if)# end

My PC IP address is 10.0.0.1/24.
Try to ping from the AP to the PC.

 AP588d.0903.e31c#ping 10.0.0.1
 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
 !!!!!
 Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
 AP588d.0903.e31c#

Then run this command:

 AP588d.0903.e31c# archive download-sw /force-reload /overwrite tftp://10.0.0.1/c1240-k9w7-tar.124-25d.JA2.tar
 examining image...
 Loading c1240-k9w7-tar.124-25d.JA2.tar from 10.0.0.1 (via FastEthernet0): !
 extracting info (286 bytes)
 Image info:
 Version Suffix: k9w7-.124-25d.JA2
 Image Name: c1240-k9w7-mx.124-25d.JA2
 Version Directory: c1240-k9w7-mx.124-25d.JA2
 Ios Image Size: 5007872
 Total Image Size: 5755392
 Image Feature: WIRELESS LAN
 Image Family: C1240
 Wireless Switch Management Version: 7.0.94.21
 Extracting files...

To verify image on AP, run this command:

 AP# sh version
 Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.4(25d)JA2, RELEASE
 SOFTWARE (fc1)
 Technical Support: http://www.cisco.com/techsupport
 Copyright (c) 1986-2012 by Cisco Systems, Inc.
 Compiled Wed 12-Sep-12 01:52 by prod_rel_team
 ROM: Bootstrap program is C1240 boot loader
 BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.4(13d)JA, RELEASE SOFTWARE
 (fc2)
 ap uptime is 2 minutes
 System returned to ROM by power-on
 System image file is "flash:/c1240-k9w7-mx.124-25d.JA2/c1240-k9w7-mx.124-25d.JA2"
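The prerequisite stated above (an autonomous image at 12.3(7)JA or later before converting to lightweight) can be checked from the show version text rather than by eye. The Python below is an added example, not part of the original post or of Cisco's tooling: it parses the IOS version string with an assumed grammar (major.minor(maintenance letter)train rebuild, e.g. 12.4(25d)JA2), classifies the image from its name (k9w7 autonomous, k9w8 lightweight, rcvk9w8 recovery) and reports readiness. The two embedded outputs are trimmed copies of the show version listings in this post; the function names are this example's own.

```python
"""Read a Cisco AP 'show version' and check the 12.3(7)JA conversion prerequisite.

Added example, not from the original post or from Cisco tooling.  Version
string grammar assumed: <major>.<minor>(<maint><letter>)<train><rebuild>.
"""
import re

VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)([a-z]*)\)([A-Z]+)(\d*)")
IMAGE_RE = re.compile(r"\(C\d+-([A-Z0-9]+)-M\)")
MIN_FOR_CONVERSION = (12, 3, 7, "")   # 12.3(7)JA: numeric release plus maintenance letter

# Trimmed from the show version outputs in the post (first line is the IOS image line).
AAP_SHOW_VERSION = """\
Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.4(25d)JA2, RELEASE SOFTWARE (fc1)
BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
System image file is "flash:/c1240-k9w7-mx.124-25d.JA2/c1240-k9w7-mx.124-25d.JA2"
"""

LAP_SHOW_VERSION = """\
Cisco IOS Software, C1240 Software (C1240-RCVK9W8-M), Version 12.3(11)JX1, RELEASE SOFTWARE (fc1)
BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
System image file is "flash:/c1240-rcvk9w8-mx/c1240-rcvk9w8-mx"
"""


def parse_version(text):
    """Return (major, minor, maintenance, letter, train, rebuild) from the first version line."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no IOS version string found")
    major, minor, maint, letter, train, rebuild = m.groups()
    return (int(major), int(minor), int(maint), letter, train, int(rebuild or 0))


def image_type(text):
    """Classify the running image from the feature set in its name, e.g. C1240-K9W7-M."""
    m = IMAGE_RE.search(text)
    if not m:
        raise ValueError("no image name found")
    feature = m.group(1)
    if "RCVK9W8" in feature:
        return "lightweight-recovery"
    if "K9W8" in feature:
        return "lightweight"
    if "K9W7" in feature:
        return "autonomous"
    return "unknown"


def conversion_readiness(text):
    """Return (image_type, version, ok).  ok is True only for an autonomous image at
    or above 12.3(7)JA.  Trains (JA, JX, ...) are not ordered, so only the numeric
    release and the maintenance letter are compared."""
    kind = image_type(text)
    ver = parse_version(text)
    return kind, ver, kind == "autonomous" and ver[:4] >= MIN_FOR_CONVERSION


if __name__ == "__main__":
    for label, text in (("AAP", AAP_SHOW_VERSION), ("LAP", LAP_SHOW_VERSION)):
        print(label, *conversion_readiness(text))
```

The lightweight recovery image is reported as not ready because the conversion described here starts from an autonomous image; a k9w8 AP is converted back to k9w7 first, as the LAP-to-AAP section above shows.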

Autonomous to Lightweight Conversion

Step1: Download the software from cisco.com
First of all, we need to obtain the recovery image for the given access point. This is obtained through cisco.com > Download, where we can enter the AP model number.
Choose to download the Lightweight AP IOS Software.
For example, for a 1240 AP, I already have the recovery image “c1240-rcvk9w8-tar.123-11JX1.tar”.
You can download it from here, check this pic:

[Screenshot: Download LAP]

Step2: If there is enough space, move the software image file to the access point via TFTP using this command:

 AP# copy tftp://10.0.0.1/c1240-rcvk9w8-tar.123-11JX1.tar flash:/

Step3: Install the image on the AP
*** Be aware that in this case we will lose the configuration of the AP, so don’t forget to back up the config before applying the new image.

Or, if we have the image in the TFTP root directory, then from the access point CLI run this command:

 AP# archive download-sw /overwrite /reload tftp://10.0.0.1/c1240-rcvk9w8-tar.123-11JX1.tar
 examining image...
 Loading c1240-rcvk9w8-tar.123-11JX1.tar from 10.0.0.1 (via BVI1): !
 extracting info (273 bytes)
 Image info:
 Version Suffix: rcvk9w8-
 Image Name: c1240-rcvk9w8-mx
 Version Directory: c1240-rcvk9w8-mx
 Ios Image Size: 1874432
 Total Image Size: 1874432
 Image Feature: WIRELESS LAN|LWAPP|RECOVERY
 Image Family: C1240
 Wireless Switch Management Version: 3.0.51.0
 Extracting files...
 c1240-rcvk9w8-mx/ (directory) 0 (bytes)
 extracting c1240-rcvk9w8-mx/c1240-rcvk9w8-mx (1865438 bytes)!!!!!!!
 extracting c1240-rcvk9w8-mx/info (273 bytes)
 extracting info.ver (273 bytes)
 [OK - 1873920 bytes]
 Deleting current version: flash:/c1240-k9w7-mx.124-25d.JA2...done.
 New software image installed in flash:/c1240-rcvk9w8-mx
 Configuring system to use new image...done.
 Requested system reload skipped due to unsaved config changes.
 archive download: takes 32 seconds

Issue the command and wait for the reboot.

The Access Point will download the file and overwrite the existing image file (/overwrite) in the flash and then reboot (/reload) into LWAPP mode. If the reload does not happen, enter the reload command manually.

ap#reload
 System configuration has been modified. Save? [yes/no]: no
 Proceed with reload? [confirm]
 *Mar 1 02:19:31.529: %SYS-5-RELOAD: Reload requested by console. Reload Reason:
 Reload Command.Xmodem file system is available.
 flashfs[0]: 8 files, 4 directories
 flashfs[0]: 0 orphaned files, 0 orphaned directories
 flashfs[0]: Total bytes: 15998976
 flashfs[0]: Bytes used: 6974464
 flashfs[0]: Bytes available: 9024512
 flashfs[0]: flashfs fsck took 29 seconds.
 Base ethernet MAC Address: 58:8d:09:03:e3:1c
 Initializing ethernet port 0...
 Reset ethernet port 0...
 Reset done!
 ethernet link up, 100 mbps, full-duplex
 Ethernet port 0 initialized: link is up
 Loading "flash:/c1240-rcvk9w8-mx/c1240-rcvk9w8-mx"...###########################
 ################################################################################
 ##################################################################
 File "flash:/c1240-rcvk9w8-mx/c1240-rcvk9w8-mx" uncompressed and installed, entr
 y point: 0x3000
 executing...

Do the verification:

AP588d.0903.e31c#sh version
 Cisco IOS Software, C1240 Software (C1240-RCVK9W8-M), Version 12.3(11)JX1, RELEA
 SE SOFTWARE (fc1)
 Technical Support: http://www.cisco.com/techsupport
 Copyright (c) 1986-2006 by Cisco Systems, Inc.
 Compiled Mon 17-Jul-06 11:44 by alnguyen
 ROM: Bootstrap program is C1240 boot loader
 BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.4(13d)JA, RELEASE SOFTWARE
 (fc2)
 AP588d.0903.e31c uptime is 1 minute
 System returned to ROM by reload
 System image file is "flash:/c1240-rcvk9w8-mx/c1240-rcvk9w8-mx"

Timeout setting on Wireless LAN Controller

In this post we will check the specific timeouts on the WLC. I did some tests on the idle timeout and the session timeout.
Let’s see how they work and what they mean:

Session Timeout

The session timeout is a value that forces a re-authentication when the timer expires. The timer starts counting down when the client is authenticated.
The session timeout is the maximum time for a client session with the WLC. After this time the WLC de-authenticates the client, and the client goes through the whole authentication (re-authentication) process again. This is part of a security precaution to rotate the encryption keys. If we use an Extensible Authentication Protocol (EAP) method with key management, the rekeying occurs at every regular interval in order to derive a new encryption key. Without key management, this timeout value is the time after which wireless clients need to do a full re-authentication. The session timeout is specific to the WLAN.
How to configure or change this value:
Via GUI:
Log in to the WLC GUI. Go to WLAN > WLAN ID > Advanced

[Screenshot: Session Timeout]

By default the session timeout is set to 1800 sec; we can also uncheck this box or change the timeout to a bigger value. The session timeout can be configured per WLAN, from 300 to 86400 seconds.
When the session timeout is triggered, the PMK cache is removed and the client has to authenticate again.
The configurable session timeout range is:
• 300-86400 for 802.1X.
• 0-65535 for all other security types.
Configuring a session timeout of 0 disables the session timeout for an open system, and means 86400 seconds for all other security types.

Via CLI:

 (WLAN1) >config wlan session-timeout ?
 <WLAN id> Enter WLAN Identifier between 1 and 16.
 (WLAN1) >config wlan session-timeout 8 ?
 <seconds> The duration of session in seconds (0 = infinity is true only for open system).
 (WLAN1) >config wlan session-timeout 8 65535

User Idle Timeout

The user idle timeout is a global parameter for the controller. If the AP/WLC does not receive any packets from the client for a certain period of time, the client entry is deleted; in other words, when a user is idle without any communication with the LAP for the amount of time set as the User Idle Timeout, the client is de-authenticated by the WLC. The client then has to re-authenticate and re-associate to the WLC. It is used in situations where a client can drop off its associated LAP without notifying the LAP. This can occur if the battery dies on the client or the client moves away.
Increasing the user idle timeout uses more RAM on the WLC and makes the WLC client database less accurate. The default is 300 seconds (5 minutes).
The user idle timeout can be configured from 15 to 100000 seconds.

How to configure or change this value:
Via GUI:
Log in WLC GUI. Go to Controller > General > User Idle Timeout

[Screenshot: Idle Timeout]

Via CLI:

Here is a very simple way to configure it from the command line.

(WLAN1) >config network usertimeout ?
 <seconds> Recommended user idle timeout in seconds between 90 and 100000. Range <15 - 100000>. Default is 300
(WLAN1) >config network usertimeout 86400

ARP Timeout

The ARP timeout is used to delete ARP entries on the WLC for devices learned from the network.
Increasing this timeout increases the CPU load and distorts statistics for the number of simultaneous users. The default value is 300 seconds (5 minutes). This is a global parameter for the controller.
How to configure it:

Via GUI:
Log in to WLC GUI, then go to Controller > General > ARP Timeout.

[Screenshot: ARP Timeout]

Via CLI:

A very easy way via the CLI:

(WLAN1) >config network arptimeout ?
 <seconds> The ARP entry timeout in seconds. Min is 10, Default is 300
(WLAN1) >config network arptimeout 86400

So it is very important to design and configure proper values for these timeout parameters; otherwise you will face the problem of re-logging in every 5 minutes.
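The three timers above interact: the idle timer restarts on every client packet, the session timer never does, and the WLC applies whichever expires first. The Python below is an added example, not from the original post or from Cisco software. It validates values against the ranges the post gives (session 300-86400 s for 802.1X, 0-65535 s for other security types with 0 meaning no session timeout only on an open WLAN and 86400 s otherwise; user idle 15-100000 s; ARP minimum 10 s), emits the CLI lines shown above, and simulates which timer removes a client first for a given traffic pattern. The function names, the security-type labels and the client packet timelines are this example's own constructions.

```python
"""Check WLC timeout values and simulate which timer de-authenticates a client.

Added example, not from the original post or from Cisco software.  Ranges are
the ones the post states; the traffic timelines in __main__ are constructed.
"""


def effective_session_timeout(seconds, security):
    """Return the timeout the WLC will apply (None = never) or raise ValueError."""
    if security == "802.1x":
        if not 300 <= seconds <= 86400:
            raise ValueError("802.1X session timeout must be 300-86400 s")
        return seconds
    if not 0 <= seconds <= 65535:
        raise ValueError("session timeout must be 0-65535 s")
    if seconds == 0:
        return None if security == "open" else 86400   # 0 disables only for open WLANs
    return seconds


def check_user_idle_timeout(seconds):
    if not 15 <= seconds <= 100000:
        raise ValueError("user idle timeout must be 15-100000 s")
    return seconds


def check_arp_timeout(seconds):
    if seconds < 10:
        raise ValueError("ARP timeout minimum is 10 s")
    return seconds


def wlc_commands(wlan_id, session, idle, arp):
    """The CLI lines from the post: one per-WLAN timer plus the two global timers."""
    return [f"config wlan session-timeout {wlan_id} {session}",
            f"config network usertimeout {idle}",
            f"config network arptimeout {arp}"]


def first_deauth(packet_times, session_timeout, idle_timeout, horizon):
    """Client authenticates at t=0 and sends packets at packet_times (seconds).
    Return (time, reason) of the first de-authentication up to horizon, or None.
    The idle timer restarts on every packet; the session timer never does."""
    session_end = float("inf") if session_timeout is None else session_timeout
    last_seen = 0
    for t in sorted(packet_times) + [horizon]:
        idle_at = last_seen + idle_timeout
        if session_end <= min(idle_at, t) and session_end <= horizon:
            return session_end, "session-timeout"
        if idle_at < t and idle_at <= horizon:
            return idle_at, "user-idle-timeout"
        last_seen = t
    return None


if __name__ == "__main__":
    chatty = list(range(60, 3601, 60))   # constructed: a packet every minute for an hour
    quiet = [60, 120]                     # constructed: two packets, then silence
    print(first_deauth(chatty, 1800, 300, 3600))   # defaults: the session timer wins
    print(first_deauth(quiet, 1800, 300, 3600))    # the idle timer wins at 420 s
    print(first_deauth(chatty, effective_session_timeout(0, "open"), 86400, 3600))
    print(wlc_commands(8, 65535, check_user_idle_timeout(86400), check_arp_timeout(86400)))
```

With the defaults (session 1800 s, idle 300 s) a client that stays quiet for five minutes is dropped by the idle timer long before the session timer fires, which is the "re-login every 5 minutes" symptom the closing sentence describes; raising only the session timeout does not change that.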