How to Prepare for the CCNP Wireless Security (IAUWS) Exam

Jerome Henry, Technology Leader

July 14th 2011

BRKCRT-3214

How to Prepare for the CCNP Wireless Security (IAUWS) Exam · d2zmdbbm9feqrf.cloudfront.net/2011/las/pdf/BRKCRT-3214.pdf · prepare them to use appropriate security policies and best

May 13, 2020


© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public. BRKCRT-3214

CCIE

CCNP

CCNA Wireless

CCNA

Professional

Associate

Expert

Cisco Career Certifications:

CCNP Wireless

Expand Your Professional Options and Advance Your Career

Professional level recognition in wireless.

www.cisco.com/go/certifications

Recommended Training Through

Cisco Learning Partners

Wireless LAN Certification

Conducting Cisco Unified Wireless Site Survey

Implementing Cisco Unified Wireless Mobility Services

Implementing Cisco Unified Wireless Voice Networks

Implementing Advanced Cisco Unified Wireless Security


Implementing Advanced Cisco Unified Wireless Security

IAUWS Course Goal

“To give network professionals the information to prepare them to use appropriate security policies and best practices to secure the wireless network from security threats and to ensure the proper implementation of security standards and configuration of security components.”


IAUWS Covered Fields

• Organizational and Regulatory Security Policies

• Secure Client Devices

Configuring EAP Authentication

Configuring Certificate Services

Impact of Security on Application and Roaming

• Design and Implement Guest Access Services

• Design and Integrate a Wireless Network with Cisco NAC Appliance

• Internal and Integrated External Security Mitigations

Mitigating Wireless Vulnerabilities

Managing Rogue Access Points

Configuring Management Frame Protection

Integrating the WLAN Infrastructure with IPS


Secure Client Devices


802.1X/EAP Overview


Authentication


Common EAP Methods

PEAP-MS-CHAPv2

Protected EAP-MS-CHAPv2

Uses a TLS tunnel to protect MS-CHAPv2 exchange

PEAP-GTC

Protected EAP-GTC

Uses a TLS tunnel to protect GTC exchange

EAP-FAST

EAP-Flexible Authentication via Secured Tunnels

Uses a tunnel similar to PEAP

Does not require a PKI

EAP-TLS

EAP-Transport Layer Security

Uses PKI to authenticate WLAN network and client

Requires certificates for both client and authentication server


EAP-TLS Authentication


EAP-FAST Protected Access Credential

A PAC consists of

PAC-Key

PAC-Opaque

PAC-Info

The server generates

PAC-Key

PAC-Opaque

PAC-Info

The PAC-Opaque contains

PAC-Key

Client user identity (I-ID)

Key lifetime

PAC-Opaque is encrypted with Master-Key

PAC-Info contains the authority identity (A-ID)


EAP-FAST Phase Zero


EAP-FAST Phase One


EAP-FAST Phase Two


PEAP Phase One


PEAP Phase Two


Group Transient Key


Cisco Secure ACS

RADIUS server

TACACS+ server

Three platforms

Cisco Secure ACS Solution Engine

Cisco Secure ACS for Windows

Cisco Secure ACS Express

Appliance

50 AAA clients

350 unique users in 24-hour period


TLS Parameters


EAP-FAST Parameters

Bottom of Screen


Fast Secure Roaming

PKC

Supported in WPA2

Layer 2 roaming

Transparent to client

Works across mobility groups

Cisco CKM

Proprietary to Cisco

Created prior to WPA and WPA2 for 802.1X with WEP

Supported in WPA and WPA2

Supported by Cisco Compatible Extensions clients

Transparent to the user

Works across mobility groups


Fast Roaming with PKC


Cisco CKM—Creating the PMK


Working with Certificates


Asymmetric Encryption Algorithms

The typical key length is 512 to 4096 bits.

Key lengths greater than or equal to 1024 bits can be trusted.

Key lengths that are shorter than 1024 bits are considered unreliable for most algorithms.


Asymmetric Confidentiality Process

Alice gets the public key from Bob.

Alice encrypts the message using Bob’s public key.

Bob decrypts the message using his private key.


Authentication Using Certificates

Authentication no longer requires the presence of the CA server.

Users exchange their certificates containing public keys.


Using PKI in the WLAN


Using the Certificates


Integrating Wireless and Wired Sides Security


Identity-Based Networking

Client associates to SSID “data.”

WLAN for SSID “data” mapped to VLAN 10.

Client authenticated by Cisco Secure ACS.

Client belongs to group 2.

Group 2 mapped to VLAN 20.

Cisco Secure ACS sends new VLAN ID (20) to controller.

Controller maps client to VLAN 20.
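
The VLAN override in the steps above, as an added example that is not part of the original slides: a Python sketch that parses a constructed RADIUS Access-Accept and applies the returned VLAN only when AAA override is enabled on the WLAN. It assumes the VLAN ID is carried in the IETF tunnel attributes of RFC 3580 (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81), which the slides do not name; the function names and sample packets are hypothetical, and the Response Authenticator is left zeroed and not verified.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6      # RFC 3580: Tunnel-Medium-Type = 802
SESSION_TIMEOUT = 27


def build_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_accept(attrs, identifier=1):
    """Build a constructed Access-Accept (authenticator zeroed, not signed)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + bytes(16) + body


def parse_attributes(packet):
    """Return (code, [(type, value), ...]); raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def tagged_int(value):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 octets")
    return int.from_bytes(value[1:], "big")


def vlan_from_accept(packet):
    """Return the VLAN ID carried by an Access-Accept, or None."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    t_type = t_medium = group = None
    for a_type, value in attrs:
        if a_type == TUNNEL_TYPE:
            t_type = tagged_int(value)
        elif a_type == TUNNEL_MEDIUM_TYPE:
            t_medium = tagged_int(value)
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:      # optional tag octet
                value = value[1:]
            group = value.decode("ascii", errors="replace")
    # All three attributes must agree before the VLAN is trusted.
    if t_type != TUNNEL_TYPE_VLAN or t_medium != TUNNEL_MEDIUM_802:
        return None
    if group is None or not group.isdigit():
        return None
    vlan = int(group)
    return vlan if 1 <= vlan <= 4094 else None


def effective_vlan(wlan_vlan, packet, aaa_override):
    """VLAN the controller places the client in after authentication."""
    if not aaa_override:
        return wlan_vlan            # RADIUS-supplied VLAN is ignored
    vlan = vlan_from_accept(packet)
    return wlan_vlan if vlan is None else vlan


# Constructed sample: the reply for a "group 2" user mapped to VLAN 20.
SAMPLE_ACCEPT = build_access_accept([
    build_attr(TUNNEL_TYPE, bytes([0, 0, 0, TUNNEL_TYPE_VLAN])),
    build_attr(TUNNEL_MEDIUM_TYPE, bytes([0, 0, 0, TUNNEL_MEDIUM_802])),
    build_attr(TUNNEL_PRIVATE_GROUP_ID, b"20"),
])
# Constructed sample: an accept carrying only a session timeout, no VLAN.
NO_VLAN_ACCEPT = build_access_accept([
    build_attr(SESSION_TIMEOUT, (1800).to_bytes(4, "big")),
])

if __name__ == "__main__":
    print("override on :", effective_vlan(10, SAMPLE_ACCEPT, True))
    print("override off:", effective_vlan(10, SAMPLE_ACCEPT, False))
    print("no VLAN sent:", effective_vlan(10, NO_VLAN_ACCEPT, True))
```

With the override disabled, or with a reply that carries no complete set of tunnel attributes, the client stays in the VLAN mapped to the WLAN (10 in the slide's scenario).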


Enabling RADIUS (IETF) Attributes


Enabling RADIUS (Cisco Airespace) Attributes


H-REAP in Connected Mode


Standalone H-REAP with RADIUS Backup


Standalone H-REAP with Local Authentication


Cisco NAC Guest Server


Sponsor Creates a Guest Access Account


Guest Uses a Guest Access Account


Cisco NAC Components


Wireless Virtual Gateway Out-of-Band


802.1X Authentication


Posture Assessment


Remediation


Authenticated and Authorized


Wireless Security Beyond Wireless Users


TACACS+

Authentication

Authorization

ALL

MONITOR

WLAN

CONTROLLER

WIRELESS

SECURITY

MANAGEMENT

COMMAND

LOBBY

Accounting

Encrypted Traffic

TCP port 49

As many as three TACACS+ servers for redundancy

Configure controller

GUI

CLI


Group Settings for Administrative Users


Configuring the Management Group

TACACS+ Section


Rogue Detection


Management Frame Protection


Infrastructure Mode


Client and Infrastructure Mode


Controller-Based IDS

Access point examines frames:

Local mode access point: 802.11 management frames

Monitor mode access point: 802.11 management and data frames

Compares to signature

Detects possible attack

Sends alert to controller


Locating a Rogue Access Point

Most Likely Location


Component Functions in a wIPS Deployment

Cisco WCS

Cisco MSE (running wireless IPS service)

Cisco controller

Local mode access point

wIPS monitor mode access point


wIPS Alarm Flow


Integrated Deployment


Overlay Deployment


Detecting Rogue APs with wIPS


Rogue Detector Access Point

Rogue detector access point listens to the wired I/F for MAC address from rogue access point or rogue client.

Notifies controller if MAC detected.


Exam Taking Tips!

IAUWS


Exam Taking Tips

Eliminate options—look for subtleties

Look for the best answer

Budget time—total and individual

Sw/Hw context—v5.2, not later

Make an intelligent guess

Provide feedback during exam


Exam Format

• Question formats

Declarative

Procedural

Complex procedural (simulation)

Drag and drop

• Avoided question formats:

Memorization of command syntax or interface/menus

Trick questions

Test Practical Implementation Skills


Exam Format—Declarative

A Declarative Exam Item Tests Simple Recall of Pertinent Facts:

Which of the following is an 802.11b speed?

A. 6 Mbps

B. 11 Mbps

C. 18 Mbps

D. 48 Mbps


Exam Format—Procedural

A Procedural Exam Item Tests the Ability to Apply Knowledge to Solve a Given Issue:

Which two access list statements are necessary on s0 of the Guilford router to allow FTP access to the Greene Division server from the Internet while blocking all other traffic? (Select two)

[Network diagram labels: s0; Pickens Division 10.10.126.0/24; Greene Division 10.11.127.252/24; Gates Server 10.11.128.252/24; Internet]


Exam Format—Simulation

A Complex Procedural Exam Item Tests the Ability to Apply Multiple Knowledge Points to Solve a Given Issue:


Exam Format—Drag and Drop

A Drag and Drop Tests the Ability to Relate Concepts:

Internetwork

Session

Link

Presentation

OSI Model

TCP/IP Model

Click and drag the correct Layer to the Network Model to which it applies


IAUWS Exam Practice


Practice Item #1

Which EAP frame does Cisco WLC generate to begin the EAP process?

A. EAP Identity Request

B. EAP Start Request

C. EAP Start Response

D. EAP Identity Response


Practice Item #1 — Solution

Which EAP frame does Cisco WLC generate to begin the EAP process?

A. EAP Identity Request

B. EAP Start Request

C. EAP Start Response

D. EAP Identity Response


Practice Item #2

Which two methods can be chosen for the inner method for EAP-FAST when configuring a standard Intel PROSet wireless supplicant?

A. GTC

B. TLS

C. MD5

D. MSCHAPv2


Practice Item #2 — Solution

Which two methods can be chosen for the inner method for EAP-FAST when configuring a standard Intel PROSet wireless supplicant?

A. GTC

B. TLS

C. MD5

D. MSCHAPv2


Practice Item #3

Which inner method is used in EAP-FASTv1 during phase two?

A. GTC

B. TLS

C. MD5

D. MSCHAPv2


Practice Item #3 — Solution

Which inner method is used in EAP-FASTv1 during phase two?

A. GTC

B. TLS

C. MD5

D. MSCHAPv2


Practice Item #4

What tunnel protocol is used to transport the wireless guest client user data between foreign and anchor controllers?

A. CAPWAP

B. EoIP

C. GRE

D. LWAPP


Practice Item #4 — Solution

What tunnel protocol is used to transport the wireless guest client user data between foreign and anchor controllers?

A. CAPWAP

B. EoIP

C. GRE

D. LWAPP


Practice Item #5

What must you configure on the WLAN on the controller to allow the controller to receive the session timeout RADIUS attribute?

A. Enable Session Timeout

B. DHCP Required

C. Allow WLAN Override

D. Allow AAA Override


Practice Item #5 — Solution

What must you configure on the WLAN on the controller to allow the controller to receive the session timeout RADIUS attribute?

A. Enable Session Timeout

B. DHCP Required

C. Allow WLAN Override

D. Allow AAA Override


Practice Item #6

Which version of the Cisco Compatible Extensions introduced PEAP-GTC?

A. v1

B. v2

C. v3

D. v4


Practice Item #6 — Solution

Which version of the Cisco Compatible Extensions introduced PEAP-GTC?

A. v1

B. v2

C. v3

D. v4


Practice Item #7

What communication method is used between the Cisco NAM and the controller?

A. CAPWAP

B. PEAP

C. SSH

D. SNMP


Practice Item #7 — Solution

What communication method is used between the Cisco NAM and the controller?

A. CAPWAP
B. PEAP
C. SSH
D. SNMP

Practice Item #8

With wireless NAC OOB deployments, which equipment performs the VLAN mapping function mapping the quarantine VLAN to the access VLAN?

A. Access Switch
B. Cisco NAS
C. Cisco NAM
D. WLAN Controller

Practice Item #8 — Solution

With wireless NAC OOB deployments, which equipment performs the VLAN mapping function mapping the quarantine VLAN to the access VLAN?

A. Access Switch
B. Cisco NAS
C. Cisco NAM
D. WLAN Controller

Practice Item #9

In PEAP phase one, which combination of certificates is used?

A. client user certificate and Cisco Secure ACS no certificate
B. client user certificate and Cisco Secure ACS server certificate
C. client no certificate and Cisco Secure ACS no certificate
D. client no certificate and Cisco Secure ACS server certificate

Practice Item #9 — Solution

In PEAP phase one, which combination of certificates is used?

A. client user certificate and Cisco Secure ACS no certificate
B. client user certificate and Cisco Secure ACS server certificate
C. client no certificate and Cisco Secure ACS no certificate
D. client no certificate and Cisco Secure ACS server certificate

Practice Item #10

Which standard signature on the controller is not discovered by an access point in local mode?

A. broadcast deauthentication
B. EAPOL
C. Management frame flood
D. null probe response

Practice Item #10 — Solution

Which standard signature on the controller is not discovered by an access point in local mode?

A. broadcast deauthentication
B. EAPOL
C. Management frame flood
D. null probe response

Thank you.
