Category: WLC Security

Dynamic VLAN Assignment with ACS Server

In this post we will learn and test how dynamic VLAN assignment works.

Basic Info:

Dynamic VLAN assignment: it pushes a wireless user into a specific VLAN based on their identity. The task of assigning users to a VLAN is handled by a RADIUS authentication server (ACS 5.2 in my case).

It's a form of identity networking: it lets us keep a single SSID while placing individual users on different VLANs based on their credentials. This can be used, for example, to keep a wireless host on the same VLAN as it moves within a campus network.

When a client attempts to associate to a LAP registered with a controller, the LAP passes the user's credentials to the RADIUS server for validation. Once authentication succeeds, the RADIUS server returns IETF RADIUS attributes for the user, and these attributes decide the VLAN ID assigned to the wireless client.

*** In this post I am using a single SSID.

My Topology:


Let’s take an Example:

  1. We will create an SSID "XYZ" and assign a non-routed VLAN (99) or the management VLAN to it.
  2. We have three groups of employees in our company: Production, Admin and Sales.
  3. VLANs per role: Production – 13, Admin – 14, Sales – 17.

Steps to Configuration:

  • Configure WLC
  • Configure ACS server
  • Verification

Configure WLC

We must configure the WLC so it can communicate with the RADIUS server in order to authenticate the clients.

  1. Configure ACS on WLC:

From the controller GUI, click Security > Authentication.

  2. Create dynamic interfaces (for VLANs 13, 14 and 17)

Example for VLAN 13; the same has to be done for VLANs 14 and 17.

From the controller GUI, go to Controller > Interfaces.


  3. Create a WLAN and assign it to a non-routed VLAN or the management interface

From the controller GUI, go to WLANs > Create New

My WLAN is XYZ.


Enable the AAA override feature:


CLI command to enable it: config wlan aaa-override enable <wlan-id>

Configure ACS (RADIUS) Server

  • Configure Network Resources.

AAA Client (WLC management IP), Location, and device type

  • Configure User and Identity Store

Create Identity Groups and Users, then assign the users to Identity Groups (Production, Admin and Sales users)

Create Identity Store Sequence

  • Define policy elements.

Custom Profile

End Station Filter

Create Authorization Profiles

  • Apply access policies.

Select EAP Method

Assign an authorization profile per identity group

  1. Configure Network Resources.

First we will add the WLC as an AAA client on the RADIUS server so that the WLC can pass the user credentials to the RADIUS server.

Create a Location type:

From the ACS GUI, go to Network Resources > Network Device Groups > Location, and click Create


Create Device Type:

Go to Network Resources > Network Device Groups > Device Type > Create


Add the WLC as an AAA client on the ACS server:

Go to Network Resources > Network Devices and AAA Clients. Enter the WLC IP and the shared secret (it must be the same as configured on the WLC).


  2. Configure User and Identity Store

Create Identity Groups and Users, then assign the users to Identity Groups:

In this post we will create three types of users (Production, Admin and Sales users).

For Identity Groups:

Go to Users and Identity Stores > Identity Groups > Create

For Users:

Go to Users and Identity Stores > Internal Identity Stores > Users > Create


Create Identity Store Sequence:

We don't need this in this post (the Internal Users option alone will also work).

Go to Users and Identity Stores > Identity Stores Sequences > Create


  3. Define policy elements.

Custom Profile

Create a custom SSID profile or an End Station Filter (we will use only one of these methods, the custom SSID profile).

Go to Policy Elements > Custom > Create

Enter the Name (MySSID), choose Dictionary as RADIUS-IETF and Attribute as Called-Station-ID.


End Station Filter:

Go to Policy Elements > Network Conditions > End Station Filter > Create

*** We will not use this in this post


Create Authorization Profiles:

Go to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles > Create.

In this post we are using VLANs 13, 14 and 17, so we need three authorization profiles.

There are two ways to do this: either under Common Tasks or under RADIUS Attributes. Both are shown here.


So in the end the authorization profile will look like this:


  4. Access Policies

As we are using RADIUS authentication, we have to use Default Network Access.


Select the EAP method with which the wireless clients will authenticate. In this post we will use EAP-FAST or PEAP.


Select Identity under Default Network Access as “MyLab” which we created earlier.


Configure Authorization Rules:

Go to Access Policies > Access Services > Default Network Access > Authorization.

We can customize under what conditions we will allow user access to the network and what authorization profile (attributes) we will pass once authenticated. In this post, we selected Location, SSID, Device Type, and Identity Group.


Verification

The Production user must land in VLAN 13.

The Sales user must land in VLAN 17.

The Admin user must land in VLAN 14.

Logs from ACS:

That's all 🙂

 


ACLs on WLC

In this post we will learn how to use ACLs on the WLC.
As we all know, ACLs are used to prohibit or restrict access from specific clients.

Mostly we use these types of ACL:

  1. CPU (Be careful before assigning)
  2. WLAN/Interface Based ACL
  3. Pre-Authentication ACL

Basic Info:

Limitations:

  • We can configure a maximum of 64 ACLs, each with up to 64 rules.
  • ACLs can impact the performance of the controller.
  • ACLs can’t block access to the virtual IP address (1.1.1.1) of WLC. Therefore, DHCP cannot be blocked for wireless clients.
  • ACLs do not affect the service port of the WLC.
  • We can only filter IP traffic.

Parameter used in ACL:

Sequence: the order in which ACL lines are processed against the packet. Even after an ACL line has been created with sequence number 1, we can give it a new sequence number, which means we can insert ACL lines anywhere in the ACL even after the ACL is created.

Source IP & Destination IP: enter the host or subnet IP and mask (From and To). The masks in WLC ACLs are normal subnet masks, not wildcard masks.

Protocol: the IP protocol number to match in the IP packet header. These are the options we can use: Any (all protocol numbers are matched), TCP (6), UDP (17), ICMP (1), ESP (50), AH (51), GRE (47), IP (4), Eth Over IP (97), OSPF (89), Other (specify the number).

Source & Destination Port: can only be specified for TCP or UDP.

DSCP: Differentiated Services Code Point allows us to specify a DSCP value to match in the IP packet header (only two options are available: Specific and Any).

Direction: which direction to enforce: Inbound, Outbound or Any.

Inbound: packets sourced from the wireless client (Client → WLC).

Outbound: packets destined to the wireless client (WLC → Client).

Any: both packets sourced from the wireless client and packets destined to the wireless client are inspected to see if they match the ACL line, i.e. the line applies to both the Inbound and Outbound directions.

Action: Either Permit or Deny

Rules:

  • We can only specify protocol numbers in the IP header (UDP, TCP, etc…) in ACL lines, because ACLs are restricted to IP packets only.
  • If the source AND destination is any, then the direction is also ANY.
  • If the source or destination is NOT any, then the direction must be specified.
  • The direction is faced FROM the controller.
  • Inbound: Wireless client To WLC
  • Outbound: WLC To wireless client
  • Remember that there is an implicit deny at the end of every ACL.

Let's start with the configuration.

First we will create an ACL and apply it to either a WLAN or an interface.

Log in to the WLC, then go to Security > Access Control Lists > Access Control Lists and click New.

Also check Enable Counter to see the hit statistics.

CPU Access list

In my example:

  1. Block Telnet from a specific workstation on the management interface

Workstation: 192.168.128.8
WLC2: 192.168.10.3

Create Access List and Apply it.

*** To remove this ACL, either uncheck the "Enable CPU ACL" box or, via the CLI, run "config acl cpu none". Remember this command: if we lock ourselves out and can't access the WLC anymore, run it from the console to get access back.

*** LWAPP/CAPWAP control traffic is not affected by CPU ACLs.

*** By default Telnet is disabled on the WLC; we must enable it for testing (from Management > Telnet-SSH).

Here is my access list; we can see the hit counters.

Apply it: Security > Access Control List > CPU Access List

How it looks in the CLI:

(WLC2) >show acl cpu
 CPU Acl Name................................ TestACL
 Wireless Traffic............................ Enabled
 Wired Traffic............................... Enabled
(WLC2) >show acl summary
 ACL Counter Status               Enabled
 ----------------------------------------
 IPv4 ACL Name                    Applied
 -------------------------------- -------
 TestACL                          Yes
 ----------------------------------------
 IPv6 ACL Name                    Applied
 -------------------------------- -------
(WLC2) >show acl detailed TestACL
 Source                         Destination                 Source Port  Dest Port
 Index  Dir       IP Address/Netmask               IP Address/Netmask       Prot    Range       Range    DSCP  Action      Counter
 ------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
 1  In      192.168.128.8/255.255.255.255      192.168.10.3/255.255.255.255    6     0-65535    23-23     Any   Deny           3
 2 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit          14
 DenyCounter : 0
 URLs configured in this ACL
 ---------------------------
(WLC2) >
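The rules above (sequence order, direction seen from the controller, normal subnet masks, port ranges only for TCP/UDP, the implicit deny, hit counters) as a small Python model, using the TestACL from the CPU ACL output as its input. This is an added example, not code from the original post or from the WLC; the Rule/packet field names are my own.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"
TCP, UDP = 6, 17
# Directions are seen from the controller: "in" = sourced by the wireless client
# towards the WLC, "out" = from the WLC towards the wireless client.
DIRECTIONS = ("in", "out", "any")


@dataclass
class Rule:
    seq: int                       # sequence number; lines are processed in this order
    direction: str                 # "in", "out" or "any"
    src: str                       # "ip/mask" with a normal subnet mask, or "any"
    dst: str
    proto: object                  # IP protocol number (6, 17, 1, ...) or "any"
    sport: tuple = (0, 65535)      # port ranges only apply to TCP and UDP
    dport: tuple = (0, 65535)
    dscp: object = ANY             # DSCP value or "any"
    action: str = "deny"           # "permit" or "deny"
    counter: int = 0               # hit counter, as shown by "show acl detailed"

    def __post_init__(self):
        if self.direction not in DIRECTIONS or self.action not in ("permit", "deny"):
            raise ValueError(f"rule {self.seq}: bad direction or action")
        # Rules from the post: source AND destination "any" implies direction Any;
        # if either address is not "any", the direction must be In or Out.
        if self.src == ANY and self.dst == ANY and self.direction != "any":
            raise ValueError(f"rule {self.seq}: direction must be Any when both addresses are Any")
        if (self.src != ANY or self.dst != ANY) and self.direction == "any":
            raise ValueError(f"rule {self.seq}: direction must be In or Out when an address is set")

    @staticmethod
    def _net(spec):
        if spec == ANY:
            return ipaddress.ip_network("0.0.0.0/0")
        ip, mask = spec.split("/")
        # WLC masks are ordinary subnet masks (255.255.255.255), not wildcard masks
        return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

    def matches(self, pkt):
        if self.direction != "any" and pkt["direction"] != self.direction:
            return False
        if ipaddress.ip_address(pkt["src"]) not in self._net(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in self._net(self.dst):
            return False
        if self.proto != ANY and pkt["proto"] != self.proto:
            return False
        if pkt["proto"] in (TCP, UDP):   # ports are ignored for other protocols
            if not self.sport[0] <= pkt["sport"] <= self.sport[1]:
                return False
            if not self.dport[0] <= pkt["dport"] <= self.dport[1]:
                return False
        if self.dscp != ANY and pkt["dscp"] != self.dscp:
            return False
        return True


class WlcAcl:
    def __init__(self, name, rules):
        self.name = name
        self.rules = sorted(rules, key=lambda r: r.seq)
        self.deny_counter = 0      # packets dropped by the implicit deny at the end

    def evaluate(self, pkt):
        """Return (action, seq) of the first matching line, or ("deny", None) for the
        implicit deny that every WLC ACL ends with."""
        for rule in self.rules:
            if rule.matches(pkt):
                rule.counter += 1
                return rule.action, rule.seq
        self.deny_counter += 1
        return "deny", None


def packet(direction, src, dst, proto, sport=0, dport=0, dscp=0):
    """A constructed packet summary: the fields an ACL line is compared against."""
    return {"direction": direction, "src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "dscp": dscp}


def test_acl():
    """The TestACL from the CPU ACL example: deny Telnet from the workstation to the
    WLC management address, then permit everything else."""
    return WlcAcl("TestACL", [
        Rule(1, "in", "192.168.128.8/255.255.255.255", "192.168.10.3/255.255.255.255",
             TCP, (0, 65535), (23, 23), ANY, "deny"),
        Rule(2, "any", ANY, ANY, ANY, (0, 65535), (0, 65535), ANY, "permit"),
    ])


if __name__ == "__main__":
    acl = test_acl()
    print(acl.evaluate(packet("in", "192.168.128.8", "192.168.10.3", TCP, 51000, 23)))  # ('deny', 1)
    print(acl.evaluate(packet("in", "192.168.128.8", "192.168.10.3", TCP, 51000, 22)))  # ('permit', 2)
```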

WLAN / Interface ACL


Where to Apply:

  1. Under WLAN


  2. Under Dynamic interface

Preauthentication ACL

As its name suggests, this kind of ACL is applied before any authentication.

We usually create this type of pre-authentication ACL for web authentication. Such an ACL could be used to allow certain types of traffic before authentication is complete.

Creating an ACL is the same as in the section above, so I will not repeat those steps here.

Where we can apply this ACL:

  • Go to WLANs > WLANs.
  • Click the ID number of the WLAN to open the WLANs > Edit page.
  • Choose the Security and then the Layer 3 tab to open the WLANs > Edit (Security > Layer 3) page.
  • From the Preauthentication ACL drop-down box, choose the desired ACL and click Apply.

That's all 🙂

WLC Admin Access by TACACS+ Server

In this post we will learn how to provide or control WLC management users' access via a TACACS+ server.

We will create 3 users:

User1: Full admin rights on the WLC – sandeeprw
User2: Read-only rights to the WLC (only the "WLAN" tab is allowed as admin access) – sandeepro
User3: Lobby user to create guest accounts – sandeeplobby

Parameters:

ACS Server: 192.168.205.5
WLC: 192.168.112.10
Shared Secret: Test12345

Read/Write User: sandeeprw, Password: sandeeprw
Read/Only User: sandeepro, Password: sandeepro
Lobby User: sandeeplobby, Password: sandeeplobby

Steps:

  1. Add the ACS server to the WLC as a TACACS+ server
  2. Add WLC as AAA client to ACS.
  3. Create Identity Groups.
  4. Create Users and assign to respective Identity Groups
  5. Assign shell profiles to Users
  6. Configure Access Policies for specific Users
  7. Assign the Priority order for management access.
  8. Verification

So let’s start with configuration:

Add ACS server to WLC as TACACS+ server

Go to the WLC GUI and click Security > AAA > TACACS+ > Authentication. Enter the parameters specific to the server. Also enter the Accounting and Authorization server info.

Add WLC as AAA client to ACS

Log in to ACS and go to Network Resources > Network Devices and AAA Clients.

Select the TACACS+ check box and enter the same shared secret we used when adding ACS to the WLC.

Create Identity Groups

Create Identity groups for different users.

These are the Groups:

Admin-Lobby
Admin-RO
Admin-RW


Create Users and assign to respective Identity Groups


Assign shell profiles to Users

Here we will create shell profiles and assign the custom attribute role1 to the users:

Admin Users: role1 as ALL
Read-Only User: role1 as WLAN
Lobby Users: role1 as MONITOR


Configure Access Policies for specific Users

Create authorization rules under Default Network Access. They will look like this:

Assign the Priority order for management access

Authentication order for management users on the WLC:

Security > Priority Order > Management User.

Verification

To verify each account, log in with each user and check the access granted.

Verification logs from ACS about the users' attempts:

That’s all 🙂

In the next post we will learn the AAA override / Dynamic VLAN Assignment feature.

WLC Admin Access by Radius Server

In this post we will learn how to provide or control WLC management users' access via an external RADIUS server.

We will create 3 users:

User1: Full Admin rights on WLC – sandeeprw
User2: Read-Only rights to WLC – sandeepro
User3: Lobby user to create Guest Accounts – sandeeplobby

Parameters:

ACS Server: 192.168.205.5
WLC: 192.168.112.10
Shared Secret: Test12345

Read/Write User: sandeeprw, Password: sandeeprw
Read/Only User: sandeepro, Password: sandeepro
Lobby User: sandeeplobby, Password: sandeeplobby

Steps:

  1. Add the ACS server to the WLC as a RADIUS server (check this post: Configure RADIUS Server on WLC)
  2. Add WLC as AAA client to ACS.
  3. Create Identity Groups.
  4. Create Users and assign to respective Identity Groups
  5. Assign roles or Authorization profiles to Users
  6. Configure Access Policies for specific Users
  7. Assign the Priority order for management access.
  8. Verification

So let’s start with configuration:

Add ACS server to WLC as Radius server

Go to the WLC GUI and click Security > AAA > RADIUS > Authentication. Enter the parameters specific to the RADIUS server. If we need accounting, enter the accounting server info as well.

*** Don't forget to check the Management box.

Add WLC as AAA client to ACS

Log in to ACS and go to Network Resources > Network Devices and AAA Clients.

Select the RADIUS check box and enter the same shared secret we used when adding ACS to the WLC.

Create Identity Groups

Create Identity groups for different users.

These are the Groups:

Admin-Lobby
Admin-RO
Admin-RW


Create Users and assign to respective Identity Groups


Assign roles or Authorization profiles to Users

Here we will create authorization profiles and assign the Service-Type attribute that gives each group of users its access:

Admin Users: Administrative
Read-Only User: NAS Prompt
Lobby Users: Callback Administrative


Configure Access Policies for specific Users

Create authorization rules under Default Network Access. They will look like this:

Assign the Priority order for management access

If the WLC is configured with management users both locally and on a RADIUS server with the Management check box enabled, then by default, when a user tries to log in to the WLC, the WLC behaves as follows:

It first looks at the local management users. If the user exists in its local list, it authenticates that user locally. If the user does not appear locally, it then queries the RADIUS server.

This means the WLC's local database always takes precedence over the RADIUS server.

Authentication order for management users on the WLC:

Security > Priority Order > Management User.

*** If LOCAL is selected as second priority, then the user will be authenticated using this method only if the method defined as the first priority (RADIUS) is unreachable.
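A small Python model of the lookup order just described, including the difference between a RADIUS reject (login fails) and an unreachable RADIUS server (fall through to LOCAL). This is an added example, not WLC code or code from the original post; the local-user dictionary and the RADIUS callback are constructed stand-ins.

```python
import hmac


def authenticate_management_user(priority_order, username, password, local_users, radius_lookup):
    """Model of the WLC management-user lookup described above.

    priority_order : the Security > Priority Order > Management User list, e.g.
                     ["LOCAL", "RADIUS"] (the WLC default) or ["RADIUS", "LOCAL"].
    local_users    : constructed dict username -> password, standing in for the
                     WLC's local management-user database.
    radius_lookup  : callable(username, password) returning "accept", "reject" or
                     "unreachable", standing in for the RADIUS exchange with ACS/ISE.
    Returns (result, method_that_decided); result is "accept" or "reject".
    """
    for method in priority_order:
        if method == "LOCAL":
            if username in local_users:
                # A locally defined account is decided locally; RADIUS is never consulted.
                ok = hmac.compare_digest(local_users[username].encode(), password.encode())
                return ("accept" if ok else "reject"), "LOCAL"
            # unknown locally: fall through to the next method in the list
        elif method == "RADIUS":
            verdict = radius_lookup(username, password)
            if verdict == "unreachable":
                continue  # only an unreachable server falls through to the next method
            return verdict, "RADIUS"   # an explicit Access-Reject ends the login attempt
        else:
            raise ValueError(f"unknown method {method!r}")
    return "reject", None              # no method could decide


def demo():
    """Constructed sample: one local admin account plus the RADIUS user sandeeprw from the post."""
    local = {"admin": "LocalPw1"}
    calls = []   # which usernames were actually sent to RADIUS

    def radius_rejects(u, p):
        calls.append(u)
        return "reject"

    def radius_down(u, p):
        return "unreachable"

    def radius_ok(u, p):
        calls.append(u)
        return "accept" if (u, p) == ("sandeeprw", "sandeeprw") else "reject"

    return {
        # RADIUS first: a reject is final even though the local password would be right
        "radius_first_reject": authenticate_management_user(
            ["RADIUS", "LOCAL"], "admin", "LocalPw1", local, radius_rejects),
        # RADIUS first: LOCAL is used only because the server is unreachable
        "radius_first_down": authenticate_management_user(
            ["RADIUS", "LOCAL"], "admin", "LocalPw1", local, radius_down),
        # LOCAL first: the local entry decides and RADIUS is never asked about "admin"
        "local_first_wrong_pw": authenticate_management_user(
            ["LOCAL", "RADIUS"], "admin", "wrong", local, radius_ok),
        # LOCAL first: a user unknown locally is passed on to RADIUS
        "local_first_radius_user": authenticate_management_user(
            ["LOCAL", "RADIUS"], "sandeeprw", "sandeeprw", local, radius_ok),
        "radius_asked_for": calls,
    }
```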

Verification

To verify each account, log in with each user and check the access granted.

If we login with user (sandeeprw) then we will have full administrative access to the WLC.

Example: if we log in as the read-only user (sandeepro) and try to modify something on the WLC, this appears:

Verification logs from ACS about the users' attempts:

That’s all 🙂

Reset Cisco WLC to Factory Default

Just a small post about resetting a WLC; it can be done without NCS and it's very handy.

Via CLI:

Step 1: Log in to the WLC with a valid username and password, then reset the WLC with "reset system" at the command prompt.

(WLAN1) >reset system
 The system has unsaved changes.
 Would you like to save them now? (y/N) Y
 Configuration Saved!
 System will now restart!

Step 2: At the prompt it asks whether to save changes to the configuration; enter Yes or No, and the controller reboots.

.
.
(WLAN1)
 Enter User Name (or 'Recover-Config' this one-time only to reset configuration to factory defaults)
 User:

Step 3: When prompted for a username, enter recover-config to restore the factory default configuration.

User:  recover-config
Press Enter and the controller resets to factory defaults.

Via GUI:

  1. Log in to the WLC GUI with a valid username and password.
  2. Go to Command > Reset to Factory Default.
  3. Click Reset.

 

That's all 🙂

WLC Authentication by ISE Server

In this post we will see how to configure a Wireless LAN Controller (WLC) and a Cisco ISE server (Cisco Identity Services Engine) so that the AAA server can authenticate management users on the controller. We will also see how different management users can receive different privileges using Vendor-specific Attributes (VSAs) returned from the Cisco ISE RADIUS server.

Parameters:

ISE Server: 172.99.xx.1
WLC: 172.99.80.1 (TestWLC1)
Shared Secret: CISCO123456789
Read/Write User: sandeeprw, Password: Testwlc1rw
Read/Only User: sandeepro, Password: Testwlc1ro

Now we need to configure WLC and ISE so that:

  • Any user who logs in to the WLC with the username sandeeprw is given full administrative access to the WLC.
  • Any user who logs in to the WLC with the username sandeepro is given read-only access to the WLC.

Step 1: Cisco WLC Configuration

  1. Log in to the WLC GUI and click Security > AAA > RADIUS > Authentication. The RADIUS Authentication Servers page appears. Click New to add a server and enter all the details.
  2. Check the Management check box in order to allow the RADIUS server to authenticate users who log in to the WLC.


Note: Make sure that the shared secret configured on this WLC is the same shared secret configured on the RADIUS server. Only then can the WLC communicate with the RADIUS server.

  3. Verify that the WLC is configured to be managed by Cisco ISE: click Security > AAA > RADIUS > Authentication in the WLC GUI.


  4. We can see that the Management check box is enabled for RADIUS server 172.99.xx.1. This shows that ISE is allowed to authenticate the management users on the WLC.

Step 2: Cisco ISE configuration

1) Add the WLC as an AAA client to the RADIUS server.
2) Create User Identity Groups for users.
3) Configure a user with read-write access and assign it to a specific User Identity Group.
4) Configure a user with read-only access and assign it to a specific User Identity Group.
5) Create Authorization Profiles and assign different RADIUS IETF attributes to these users.
6) Create the Authentication / Authorization policy for these internal users.

 

Add the WLC as an AAA Client to the RADIUS Server

Log in to ISE, then click Administration > Network Devices > Add, enter the WLC details and don't forget to enter the same shared secret as on the WLC.

Then click Save.

Create User Identity Groups for users.

To create user identity groups, click Administration > Identity Management > Groups > User Identity Groups > Add, then enter the name and description.

Configure a user with read-write access and assign to specific User Identity Group.

RW: username sandeeprw, password Testwlc1rw

Click Administration > Identity Management > Identities > Users > Add, enter the details, assign this user to the WLC-AdminRW group and save.

Configure a user with read-only access and assign to specific User Identity Group.

RO: username sandeepro, password Testwlc123ro

Click Administration > Identity Management > Identities > Users > Add, enter the details, assign this user to the WLC-AdminRO group and save.

Create Authorization Profiles and assign different RADIUS attributes for these users.

To authenticate a user via RADIUS server, for controller login and management, we must add the user to the RADIUS database with the IETF RADIUS attribute Service-Type set to the appropriate value according to the user’s privileges.

  • In order to set read-write privileges for the user, set the Service-Type Attribute to Administrative.
  • In order to set read-only privileges for the user, set the Service-Type Attribute to NAS-Prompt.
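Below is an added Python example (not code from the original posts, ACS or ISE) that builds and parses the RADIUS Access-Accept attributes these posts depend on: the IETF tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, per RFC 2868 / RFC 3580) that the Dynamic VLAN Assignment post's authorization profiles return for VLANs 13, 14 and 17, and the Service-Type values (Administrative, NAS-Prompt, Callback-Administrative) that decide the management role in the admin-access posts. It also verifies the Response Authenticator, which is where a shared secret that differs between WLC and ACS/ISE shows up. Function names, the role table and the sample Request Authenticator are my own.

```python
import hashlib
import hmac
import struct

# Attribute numbers and enumerated values from RFC 2865, RFC 2868 and RFC 3580
ACCESS_ACCEPT = 2
SERVICE_TYPE = 6
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
SERVICE_TYPE_NAMES = {6: "Administrative", 7: "NAS-Prompt", 11: "Callback-Administrative"}
# WLC management privilege per Service-Type, as used in the admin-access posts above
WLC_MGMT_ROLE = {"Administrative": "read-write", "NAS-Prompt": "read-only",
                 "Callback-Administrative": "lobby-admin"}

def _avp(attr_type, value):
    """Encode one Type-Length-Value attribute (the length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value

def vlan_attributes(vlan_id, tag=1):
    """The three IETF tunnel attributes an authorization profile returns for a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    # Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag followed by a 3-byte integer
    return (_avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))

def service_type_attribute(value):
    """Service-Type (6) for management logins, e.g. 6 = Administrative."""
    return _avp(SERVICE_TYPE, struct.pack("!I", value))

def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Access-Accept whose Response Authenticator is computed as in RFC 2865 section 3."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs

def parse_attributes(data):
    """Split the attribute region into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs

def parse_access_accept(pkt, request_authenticator, secret):
    """Check header, length and Response Authenticator, then return the attributes.
    A shared secret that differs between the WLC and ACS/ISE fails here."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length > 4096:
        raise ValueError("length field does not match the packet")
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    expected = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return parse_attributes(pkt[20:])

def assigned_vlan(attrs):
    """VLAN the WLC applies with AAA override: Tunnel-Type=VLAN, Tunnel-Medium-Type=802
    and a numeric Tunnel-Private-Group-ID with the same tag (or untagged); else None."""
    tunnels = {}
    for attr_type, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel integer attribute must be tag + 3 bytes")
            tunnels.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: the first byte is a tag only if it is <= 0x1F, otherwise it is data
            tag, group = (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)
            tunnels.setdefault(tag, {})[attr_type] = group.decode("ascii", "replace")
    untagged_group = tunnels.get(0, {}).get(TUNNEL_PRIVATE_GROUP_ID, "")
    for _tag, entry in sorted(tunnels.items()):
        group = entry.get(TUNNEL_PRIVATE_GROUP_ID, untagged_group)
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and group.isdigit() and 1 <= int(group) <= 4094):
            return int(group)
    return None

def management_role(attrs):
    """Privilege a management login gets from Service-Type; None if absent or unknown."""
    for attr_type, value in attrs:
        if attr_type == SERVICE_TYPE and len(value) == 4:
            return WLC_MGMT_ROLE.get(SERVICE_TYPE_NAMES.get(struct.unpack("!I", value)[0]))
    return None
```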

Log in to the ISE GUI, then go to Policy > Policy Elements > Results.

Create Authentication / Authorization policy for these internal users

To create Authentication policy: Login to ISE, click on Policy > Authentication.

Here is the full policy:

AuthWLCAdmin: If {DEVICE:Device Type equals All Device Types#Wireless LAN Controller}
 {Allows Protocol: Default Network Access}
 Default: use Internal user

Authorization Policy:


Save to apply changes.

Step 3: Verification

Now it's time for testing. First with username sandeeprw (read-write access):

Then with username sandeepro (read-only access):

Then I tried to create a WLAN with the read-only user; the output was "Authorization Failed No sufficient privileges".

Hence Proved 🙂

Configure RADIUS Server on WLC

Here is a new post about RADIUS configuration on the WLC. The WLC needs to be configured to forward the user credentials to an external RADIUS server. The external RADIUS server then validates the user credentials and provides access to the wireless clients.

A RADIUS server provides central authentication. On the WLC, the RADIUS server handles two functions, namely authentication and accounting, whereas TACACS+ handles all three (authentication, authorization and accounting).

Here is the procedure to configure RADIUS in WLC:

Authentication

Step 1: Via GUI

From the WLC GUI, click Security. From the menu on the left, click RADIUS > Authentication. The RADIUS Authentication Servers page appears. To add a new RADIUS server, click New.

In the RADIUS Authentication Servers > New page, enter the parameters specific to the RADIUS server.

*** Check the Management box if you want to allow the RADIUS server to authenticate users who log in to the WLC. (I don't want to authenticate the WLC management users via RADIUS here.)

Make sure that the shared secret configured on this page matches the shared secret configured on the RADIUS server. Only then can the WLC communicate with the RADIUS server.

Follow the same procedure to add a second, redundant RADIUS server 🙂

Step 2: Configure Authentication via CLI

(WLAN1) >config radius ?
acct           Configures a RADIUS Accounting Server.
aggressive-failover Enables/Disables Aggressive Failover
auth           Configures a RADIUS Authentication Server.
backward       Configures RADIUS Vendor Id backward compatibility
callStationIdCase Configures Call Station Id case in RADIUS messages.
callStationIdType Configures Call Station Id information sent in radius messages
fallback-test  Configures server fallback test.
(WLAN1) >config radius auth ?
add            Configures a RADIUS Authentication Server.
delete         Deletes a RADIUS Server.
disable        Disables a RADIUS Server.
enable         Enables a RADIUS Server.
ipsec          Enables or disables IPSEC support for an authentication server
keywrap        Configures RADIUS keywrap
mac-delimiter  Configures MAC delimiter for caller-station-ID and calling-station-ID
management     Configures a RADIUS Server for management users.
network        Configures a default RADIUS server for network users.
retransmit-timeout Changes the default retransmission timeout for the server
rfc3576        Enables or disables RFC-3576 support for an authentication server

(WLAN1) >config radius callStationIdType ipaddr
(WLAN1) >config radius auth mac-delimiter {colon|hyphen|none|single-hypen}
(WLAN1) >config radius auth add 1 192.xx.xx.14 1812 ascii cisco -> Secret
(WLAN1) >config radius auth retransmit-timeout 1 2  -> Default 2 sec
(WLAN1) >config radius auth network 1 {enable|disable}
(WLAN1) >config radius auth {enable|disable} 1 -> by default enable

If you are not authenticating management users via RADIUS, you must disable it:

(WLAN1) >config radius auth management 1 {enable|disable} -> Enable by default

Follow the same procedure to add the 2nd authentication server.

Accounting:

Step 1: Via GUI

Configure RADIUS Accounting

Go to Security -> RADIUS -> Accounting

Follow the same steps to add the 2nd accounting server.

Here is the screenshot of both the Accounting server in WLC:

Step 2: Via CLI

Here is the basic CLI configuration for RADIUS accounting on a WLC.

(WLAN1) >config radius callStationIdType ipaddr
(WLAN1) >config radius acct mac-delimiter {colon|hyphen|none|single-hypen}
(WLAN1) >config radius acct add 1 192.xx.xx.15 1813 ascii cisco -> secret
(WLAN1) >config radius acct retransmit-timeout 1 5 -> default is 2s
(WLAN1) >config radius acct network 1 {enable|disable}
(WLAN1) >config radius acct {enable|disable} 1 -> by default enable

Do the same for the 2nd accounting server via the CLI.

So far we have added both servers for authentication and accounting. Now it's time to verify:

(WLAN1) >show radius summary
Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Call Station Id Type............................. IP Address
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
Test Mode.................................... Off
Probe User Name.............................. cisco-probe
Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen
Authentication Servers
Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
1    N     192.xx.xx.14       1812    Enabled   2     Enabled   Disabled - none/unknown/group-0/0 none/none
2    N     192.xx.xx.15       1812    Enabled   2     Enabled   Disabled - none/unknown/group-0/0 none/none
Accounting Servers
--More-- or (q)uit
Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
1      N     192.xx.xx.15       1813    Enabled   2     N/A       Disabled - none/unknown/group-0/0 none/none
2      N     192.xx.xx.14       1813    Enabled   2     N/A       Disabled - none/unknown/group-0/0 none/none
(WLA1) >show radius auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.xx.xx.14
Msg Round Trip Time.............................. 47 (msec)
First Requests................................... 27328
Retry Requests................................... 123
Accept Responses................................. 2439
Reject Responses................................. 140
Challenge Responses.............................. 24736
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 147
Unknowntype Msgs................................. 0
Other Drops...................................... 1
Server Index..................................... 2
Server Address................................... 192.xx.xx.15
Msg Round Trip Time.............................. 29 (msec)
First Requests................................... 14345
--More-- or (q)uit
Retry Requests................................... 98
Accept Responses................................. 1264
Reject Responses................................. 52
Challenge Responses.............................. 13026
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 114
Unknowntype Msgs................................. 0
Other Drops...................................... 0

Now we will add the WLC to the RADIUS server; don't forget the shared secret, because it must match between the WLC and the RADIUS (ISE) server:

Log in to ISE and go to Administration > Network Resources > Network Devices > Add.

 


That’s it for today 🙂 Enjoyyyyy

Configure Local EAP on WLC

Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the external authentication server goes down. When we enable local EAP, the controller serves as the authentication server and the local user database, which removes dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users. Local EAP supports LEAP, EAP-FAST, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC authentication between the controller and wireless clients.

If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or because no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client then re-authenticates manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP. If we never want the controller to try to authenticate clients using an external RADIUS server, then use this CLI command: config wlan radius_server auth disable <wlan_id>

Note: Local EAP profiles are not supported on the Office Extend 600 AP.


We can create network users on the WLC either via the GUI or the CLI. Via the CLI we can define two types of users (permanent and guest). If we specify the WLAN ID as "0", the user is allowed on any WLAN. For a guest user we can specify the lifetime (2 hrs in my example).

In my example we will use a separate WLAN for testing, named "Test", with WLAN ID 8.

How to create Local network users on WLC:

Via GUI:

Log in to the WLC, go to Security > AAA > Local Net Users and click New on the right side to add a user.

In my example, I will create two permanent-type users and one guest-type user.

Local user edit

Here are all 3 local users in my WLC:

2 permanent users
1 guest user

List local user

Via CLI:

Here is the procedure to create a netuser via the CLI.

(WLAN1) >config netuser ?
add            Creates a local network user.
delete         Delete an existing network user.
description    Sets the description for a network user.
lifetime       Configures the lifetime for a Guest Network User. Valid range is 60 to 31536000 seconds.
maxUserLogin   Configures the maximum number of login sessions allowed for a network user
password       Configures a password for a network user.
wlan-id        Configures a Wireless LAN Id for a network user.
(WLAN1) >config netuser add ?
<username>     Enter name up to 50 alphanumeric characters.
(WLAN1) >config netuser add sandeep ?
<password>     Enter password up to 24 alphanumeric characters.
(WLAN1) >config netuser add sandeep cisco ?
wlan           Enter a Wireless LAN Identifier to associate with or zero for any.
(WLAN1) >config netuser add sandeep cisco wlan ?
<WLAN id>      Enter a Wireless LAN Identifier to associate with or zero for any.
(WLAN1) >config netuser add sandeep cisco wlan 8 ?
userType       Enter the keyword 'userType'.
(WLAN1) >config netuser add sandeep cisco wlan 8 userType permanent ?
description    Enter the keyword 'description'.
(WLAN1) >config netuser add sandeep cisco wlan 8 userType permanent description testlab ?
(WLAN1) >config netuser add sandeep cisco wlan 8 userType permanent description testlab
(WLAN1) >config netuser add sandeep1 cisco wlan 8 userType permanent description testlab
(WLAN1) >config netuser add sandeep2 cisco wlan 8 userType guest lifetime 7200 description testlab

If our WLAN does not have web-auth security configured, the controller will not add a guest user to it and returns:

WLAN does not have Web-Auth security configured. Guest user not added.
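As an added example (not code from the original post), here is a small Python helper that validates local net user definitions against the limits the controller prints in the `?` help output above and emits the matching `config netuser add` lines for bulk creation. It refuses a guest user on a WLAN without web-auth before the line ever reaches the controller, flags short passwords such as the "cisco" used in this lab, and can generate a random password at the 24-character maximum. The script does not talk to a controller: the set of web-auth WLANs is passed in by the caller, and the WLAN IDs, the `WEBAUTH_WLANS` argument name and the 12-character weak-password threshold are assumptions for the demo.

```python
"""Validate and emit `config netuser add ...` lines for a Cisco WLC.

Added example, not code from the original post. Limits come from the
controller's own `?` help text: username up to 50 alphanumeric characters,
password up to 24, guest lifetime 60..31536000 seconds, WLAN 0 = any WLAN.
The "guest needs a web-auth WLAN" rule is the controller error shown above.
"""
import re
import secrets
import string

USERNAME_MAX = 50          # "Enter name up to 50 alphanumeric characters."
PASSWORD_MAX = 24          # "Enter password up to 24 alphanumeric characters."
LIFETIME_MIN = 60          # guest lifetime range from the `lifetime` help text
LIFETIME_MAX = 31536000
WEAK_PASSWORD_LEN = 12     # assumption: warn below this (the post uses "cisco")
ALNUM = re.compile(r"^[A-Za-z0-9]+$")


class NetUserError(ValueError):
    """Input the WLC CLI would reject, or that we refuse to send."""


def gen_password(length=PASSWORD_MAX):
    """Random alphanumeric password at the WLC's 24-character maximum."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def netuser_add(username, password, wlan_id, user_type="permanent",
                lifetime=None, description="", webauth_wlans=frozenset()):
    """Return one validated `config netuser add` command as a string."""
    if not 1 <= len(username) <= USERNAME_MAX or not ALNUM.match(username):
        raise NetUserError(f"username {username!r}: 1-{USERNAME_MAX} alphanumeric characters")
    if not 1 <= len(password) <= PASSWORD_MAX or not ALNUM.match(password):
        raise NetUserError(f"password for {username!r}: 1-{PASSWORD_MAX} alphanumeric characters")
    if not isinstance(wlan_id, int) or wlan_id < 0:
        raise NetUserError(f"wlan_id {wlan_id!r}: integer >= 0 (0 = any WLAN)")
    if description and not re.match(r"^\S+$", description):
        # assumption: keep the description one token so it cannot smuggle
        # extra keywords into the space-delimited CLI line
        raise NetUserError("description must be a single token without whitespace")

    if user_type == "permanent":
        if lifetime is not None:
            raise NetUserError("lifetime applies only to guest users")
        type_part = "userType permanent"
    elif user_type == "guest":
        if lifetime is None or not LIFETIME_MIN <= lifetime <= LIFETIME_MAX:
            raise NetUserError(f"guest lifetime must be {LIFETIME_MIN}-{LIFETIME_MAX} seconds")
        # The controller refuses guest users on a WLAN without web-auth; catch it
        # here. Assumption: WLAN 0 ("any") is not accepted for guests either.
        if wlan_id == 0 or wlan_id not in webauth_wlans:
            raise NetUserError(f"WLAN {wlan_id} does not have Web-Auth security configured. Guest user not added.")
        type_part = f"userType guest lifetime {lifetime}"
    else:
        raise NetUserError(f"user_type must be 'permanent' or 'guest', not {user_type!r}")

    cmd = f"config netuser add {username} {password} wlan {wlan_id} {type_part}"
    if description:
        cmd += f" description {description}"
    return cmd


def bulk_netuser(users, webauth_wlans=frozenset()):
    """Validate a list of user dicts; return (commands, errors, warnings).

    A user dict without a 'password' key gets a generated one, reported in
    `warnings` so it can be handed to the person once and not stored here.
    """
    commands, errors, warnings = [], [], []
    for u in users:
        u = dict(u)
        if "password" not in u:
            u["password"] = gen_password()
            warnings.append(f"{u['username']}: generated password {u['password']}")
        elif len(u["password"]) < WEAK_PASSWORD_LEN:
            warnings.append(f"{u['username']}: password shorter than {WEAK_PASSWORD_LEN} characters")
        try:
            commands.append(netuser_add(webauth_wlans=webauth_wlans, **u))
        except NetUserError as e:
            errors.append(str(e))
    return commands, errors, warnings


# Constructed demo input mirroring the three users created in the post
# (WLAN 8 = "Test", assumed to have web-auth; WLAN 5 is assumed not to).
DEMO_USERS = [
    {"username": "sandeep", "password": "cisco", "wlan_id": 8,
     "user_type": "permanent", "description": "testlab"},
    {"username": "sandeep1", "password": "cisco", "wlan_id": 8,
     "user_type": "permanent", "description": "testlab"},
    {"username": "sandeep2", "password": "cisco", "wlan_id": 8,
     "user_type": "guest", "lifetime": 7200, "description": "testlab"},
    {"username": "guest5", "password": "cisco", "wlan_id": 5,
     "user_type": "guest", "lifetime": 7200},
]

if __name__ == "__main__":
    cmds, errs, warns = bulk_netuser(DEMO_USERS, webauth_wlans={8})
    print("\n".join(cmds))
    print("errors:", errs)
    print("warnings:", warns)
```

Run it and paste the printed lines into the WLC CLI (or feed them through whatever config-push tooling you use). The fourth demo user is rejected locally with the same message the controller would print, and all four "cisco" passwords are flagged; drop the `password` key from a user dict to get a generated 24-character one instead.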

Create local EAP settings on WLC:

Step 1: Configure the general settings for local EAP (specify the EAP timers).

Via GUI:

Go to Security > Local EAP > General

EAP general

Specify values for the local EAP timers

Via CLI:

These are the commands through which we can configure the EAP timers:

(WLAN1) >config local-auth active-timeout ?
<1 to 3600>    Enter the timeout period for the Local EAP to remain active, in seconds.
(WLAN1) >config local-auth active-timeout 300
(WLAN1) >config advanced eap identity-request-timeout ?
<seconds>      Enter the number of seconds between 1 and 120
(WLAN1) >config advanced eap identity-request-timeout 30
(WLAN1) >config advanced eap identity-request-retries ?
<retries>      Enter the number of retries between 1 and 20
(WLAN1) >config advanced eap identity-request-retries 2
(WLAN1) >config advanced eap key-index ?
<key-index>    Enter the key index value, 0 or 3.
(WLAN1) >config advanced eap key-index 0
(WLAN1) >config advanced eap request-timeout ?
<seconds>      Enter the number of seconds between 1 and 120
(WLAN1) >config advanced eap request-timeout 30
(WLAN1) >config advanced eap request-retries ?
<retries>      Enter the number of retries between 0 and 20
(WLAN1) >config advanced eap request-retries 2
(WLAN1) >config advanced eap max-login-ignore-identity-response ?
enable         ignore the same username reaching max in the EAP identity response
disable        check the same username reaching max in the EAP identity response
(WLAN1) >config advanced eap max-login-ignore-identity-response enable
(WLAN1) >config advanced eap eapol-key-timeout ?
<milliseconds> Enter the number of milliseconds between 200 and 5000
(WLAN1) >config advanced eap eapol-key-timeout 1000
(WLAN1) >config advanced eap eapol-key-retries ?
<retries>      Enter the number of retries between 0 and 4
(WLAN1) >config advanced eap eapol-key-retries 2

Step 2: We have to create a local EAP profile, which specifies the EAP authentication types that are supported for the wireless clients. I have created a profile named "Test-Local-EAP" and enabled EAP-FAST, EAP-TLS and PEAP as the allowed protocols.

Via GUI:

EAP profile

Choose Security > Local EAP > Profiles to open the Local EAP Profiles page. We can create up to 16 local EAP profiles. Click New to open the Local EAP Profiles > New page. In the Profile Name text box, enter a name for the new profile (Test-Local-EAP) and then click Apply.

When the Local EAP Profiles page reappears, click the name of the new profile (Test-Local-EAP). The Local EAP Profiles > Edit page appears. Select the EAP-FAST, EAP-TLS, and/or PEAP check boxes to specify the EAP types that can be used for local authentication, then click Apply.

*** If we choose EAP-FAST and want the device certificate on the controller to be used for authentication, select the Local Certificate Required check box. If we want to use EAP-FAST with PACs instead of certificates, leave this check box unselected (the default).

EAP profile edit

EAP-FAST parameters (authority ID, PAC TTL, server key and anonymous provisioning) can be changed in the "Security -> Local EAP -> EAP-FAST Parameters" section as shown below. One caveat: with anonymous in-band provisioning enabled, the client does not authenticate the controller during the PAC provisioning tunnel, so a man-in-the-middle can sit in that exchange and capture the inner MSCHAPv2 credentials; it is convenient for a lab, but for production either require the controller certificate for EAP-FAST or disable anonymous provisioning once clients have their PACs.

EAP Fast

Step 3: Now enable local EAP on a WLAN.

Choose WLANs to open the WLANs page.


Click the ID number of the Test WLAN.


When the WLANs > Edit page appears, choose the Security > AAA Servers tabs to open the WLANs > Edit (Security > AAA Servers) page.  Select the Local EAP Authentication check box to enable local EAP for this WLAN. From the EAP Profile Name drop-down list, choose the EAP profile that you want to use for this WLAN.

*** We must disable RADIUS server authentication on this WLAN, i.e. leave the Authentication Servers "Enabled" check box unchecked; otherwise the controller tries the configured RADIUS servers first and only falls back to local EAP when they time out.

EAPonwlan3

Click Apply to save.

Via CLI:

Create a local EAP profile

(WLAN1) >config local-auth eap-profile add ?
<profile-name> Enter the profile name, up to 63 alphanumeric characters.
(WLAN1) >config local-auth eap-profile add Test-Local-EAP
Add an EAP method to a local EAP profile by entering this command:
(WLAN1) >config local-auth eap-profile method ?
add            Adds a method to a Local EAP Profile.
delete         Deletes a method from a Local EAP Profile.
fast           Configure EAP-FAST parameters.
(WLAN1) >config local-auth eap-profile method add ?
<EAP-profile-method> Method for an EAP Profile.
(WLAN1) >config local-auth eap-profile method add fast Test-Local-EAP
(WLAN1) >config local-auth eap-profile method add tls Test-Local-EAP
(WLAN1) >config local-auth eap-profile method add peap Test-Local-EAP
Configure EAP-FAST parameters if you created an EAP-FAST profile by entering this command:
(WLAN1) >config local-auth method fast ?
anon-prov      Configures whether anonymous provision is allowed.
authority-id   Set the authority identifier.
pac-ttl        Set Time to Live for the PAC (Protected Access Credentials).
server-key     Set the server key to encrypt/decrypt PACs.
Enable local EAP and attach an EAP profile to a WLAN by entering this command:
(WLAN1) >config wlan local-auth enable Test-Local-EAP ?
<wlanid>       Enables the EAP profile on this WLAN.
(WLAN1) >config wlan local-auth enable Test-Local-EAP 8

Save your changes by entering this command:

(WLAN1) >save config

Let's test EAP-FAST and PEAP (EAP-TLS needs certificates on both the client and the server side; I cannot install certificates right now, so we will do that in a future post).

Let's first check the PEAP client association:

PEAP client asso

Now we will check the EAP-FAST client association:

EAP Fast client asso

If anyone finds any error in this post, please let me know or just comment here 🙂