
WLAN Security: Configuring WLAN Security Policies

Source: ai3.itb.ac.id/~basuki/private/Cisco WLAN Training/Ch.09... · 2012-04-20

© 2008, Cisco Systems, Inc. All rights reserved. Printed in USA.

© 2010 Cisco Systems, Inc. All rights reserved.

CUWN v6.0—4-1

WLAN Security: Configuring WLAN Security Policies

CUWN v6.0—4-2

Lesson Overview & Objectives

Overview – This lesson provides an overview of various Cisco security policies and the valuable functions that they perform in a Cisco Unified Wireless Network environment.

Objectives – Upon completing this lesson, you will be able to configure various security policies to support diverse customer security needs in a WLAN deployment. This ability includes being able to meet these objectives:

– List the options for Security Policy configurations

– Describe the MFP modules, process, and settings

– Describe the digital certificates used in PKI and the Cisco Unified Wireless Network solution

– List the features of TLS

– Describe the features and configuration of EAP-PEAP-MS-CHAPv2

– Describe the two protocols of WPA and WPA2 for authentication and encryption

– Explain the advantage of Layer 3 Security in a VPN

– State the purpose of the CA and ID certificates

– Explain how to configure an AP for DTLS data encryption

CUWN v6.0—4-3

Security Policy Configurations

Security policy logic

MFP

802.1x

– EAP-PEAP-MS-CHAPv2 authentication

– 802.11i

WPA authentication

WPA2 authentication

VPN pass-through

CUWN v6.0—4-4

Security Policy Logic

Go to Monitor > Clients > Client Detail to see the state of a client.

[Figure: client security-policy state diagram. Policy states: Start, DHCP, Mobility, Run. Layer 2 security options: None, Static WEP, 802.1x, WPA, WPA2. Layer 3 security options: Web, IPsec.]

Start, DHCP, Mobility, and Run are seen in logs or status fields.

CUWN v6.0—4-5

Management Frame Protection

MFP has two functional modes:

– Infrastructure-only support (MFP-1)

– Client and infrastructure support in Cisco Compatible Extensions v5 (MFP-2)

MFP-1 provides very quick and accurate detection of a spoofing event.

– Does not prevent spoofed management frames from impacting clients

MFP-2 effectively shields authenticated clients from spoofed frames.

MFP prevents many common attacks against WLANs from becoming effective.

Most attacks are reduced to merely degrading WLAN performance.

CUWN v6.0—4-6

MFP Modules

MFP offers these modules:

Key management

Protection

Validation

Reporting

CUWN v6.0—4-7

AP Authentication Policy—Enabling Global Infrastructure MFP

1. Go to Security > Wireless Protection Policies > AP Authentication.

2. Select Management Frame Protection in the drop-down box for Protection Type.

CUWN v6.0—4-8

MFP Settings for WLANs

1. From WLAN configuration, click the Advanced tab to enable/disable Infrastructure MFP.

2. Specify if MFP client protection is disabled/optional/required on the WLAN.

Page 5: WLAN Security: Configuring WLAN Security Policiesai3.itb.ac.id/~basuki/private/Cisco WLAN Training/Ch.09... ·  · 2012-04-20Management Frame Protection MFP has two functional modes:

© 2008, Cisco Systems, Inc. All rights reserved. Printed in USA.

© 2010 Cisco Systems, Inc. All rights reserved.

CUWN v6.0—4-9

MFP Settings for APs

From AP configuration, choose the Advanced tab to enable/disable MFP Frame Validation.

CUWN v6.0—4-10

Verifying MFP Settings

Go to Security > Wireless Protection Policies > Management Frame Protection to view General, WLANs, and APs settings.

CUWN v6.0—4-11

802.1x Architecture

[Figure: 802.1x architecture. Authentication: 802.1x carrying EAP; the EAP types shown are EAP-FAST (Cisco), TLS (Microsoft) and PEAP (Microsoft/Cisco/RSA), using username-and-password or certificate credentials. The EAP exchange yields a session key. Encryption: WEP, TKIP (WPA) and AES (WPA2).]

CUWN v6.0—4-12

EAP-PEAP-MS-CHAPv2 Overview

Developed by Microsoft, Cisco, and RSA Security

Developed in order to improve upon weaker points of EAP-TLS:

– Lack of user identity protection

  – User identity passed in TLS certificate

– Requires client certificate to authenticate client

  – Requires management of client certificates

  – Does not address when users log in from different computers

PEAP carries EAP types within a channel secured by TLS and thus requires a server certificate.

– Allows dynamic keys

  – Requires re-authentication to roll encryption keys

  – Does not provide MIC

CUWN v6.0—4-13

EAP-PEAP-MS-CHAPv2

[Figure: message sequence between the Supplicant or Client, the Authenticator or Controller, and the Authentication or RADIUS/EAP Server (AAA).]

1. Open Authentication

2. Association

3. Request Connection

4. EAP Request Identity (controller to client)

5. EAP Request Identity Response (client to controller, relayed to the AAA server)

6. Request EAP-PEAP & Certificate Presentation (server certificate)

7. Response EAP-PEAP

8. TLS Negotiation Start

9. TLS Negotiation Done (TLS tunnel established)

10. Inside the TLS tunnel: EAP Request Authentication Type

11. EAP Request Authentication Type Response

12. MS-CHAPv2 Exchange

13. MS-CHAPv2 Exchange Success

14. Data

CUWN v6.0—4-14

Configuring 802.1x EAP-PEAP-MS-CHAPv2

Go to WLAN configuration > Security and set the Layer 2 Security drop-down box to be 802.1x.

Microsoft Windows XP clients only support 40-bit or 104-bit dynamic WEP keys.

40-bit key = 56-bit Microsoft key; 104-bit key = 128-bit Microsoft key

CUWN v6.0—4-15

WPA/WPA2 Overview

WPA2 is a security standard developed by the IEEE 802.11i task group; WPA was an interim standard.

– RSN is the IEEE equivalent of WPA2.

Generally uses the AES block cipher with CCMP for encryption.

– Also supports TKIP

Generally uses 802.1x authentication methods.

– Supports PSK

– Cisco Centralized Key Management supported

– Combination 802.1x + Cisco Centralized Key Management

WPA/WPA2 use the same authentication architecture, key distribution, and key renewal.

Supports PKC.

Supports pre-authentication.

CUWN v6.0—4-16

WPA/WPA2 Authentication

802.1x Authentication:

– Authentication server required

– RADIUS used for authentication and key distribution

– Centralized access control

PSK Authentication:

– Authentication server not required

– Shared secret used for authentication

– Local access control

CUWN v6.0—4-17

WPA/WPA2 Encryption

TKIP—Used for WPA

Uses same hardware as WEP

Key mixing improves security

MIC provides additional security

Rekeying provides additional security

Only used for WPA backward-compatibility

AES

Requires newer hardware

Higher security than TKIP

Generally used for WPA2

CUWN v6.0—4-18

WPA PSK

Same key is pre-installed on the client and controller.

[Figure: four-way handshake between the Supplicant or Client and the Authenticator or Controller.]

1. Open Authentication

2. Association

3. Connection Request

4. PSK Compare (on both sides)

5. ANonce Delivered

6. SNonce Delivered

7. MIC Negotiate

8. MIC Negotiate

9. Encrypted Group Key

10. Data

Before the nonce exchange, the supplicant has the Supplicant Nonce and Supplicant MAC and needs the Authenticator MAC and Authenticator Nonce; the authenticator has the Authenticator Nonce and Authenticator MAC and needs the Supplicant MAC and Supplicant Nonce.
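The key derivation behind the ANonce/SNonce exchange and MIC negotiation shown above, as an added example that is not part of the Cisco course material: what each side holds and needs, how the pairwise key is derived, and why the slide's "PSK Compare" is really a MIC check on handshake message 2. The SSID, MAC addresses, nonces and passphrases are constructed sample values; in the 802.1x case on the following slide the PMK comes from the EAP authentication instead of PBKDF2, and the rest of the derivation is the same.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the course): SSID plus the MAC of the
# authenticator (controller/AP) and of the supplicant (client).
SSID = "CorpWLAN"
AA = bytes.fromhex("001122334455")
SPA = bytes.fromhex("66778899aabb")


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-384: PTK = KCK(16) | KEK(16) | TK(16) for CCMP.
    Each side has its own MAC and nonce and needs the peer's (the slide's
    Has/Needs labels); min/max ordering makes both roles derive the same key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(3)]
    return b"".join(blocks)[:48]


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """WPA2 (CCMP) key descriptor MIC: HMAC-SHA1-128 over the EAPOL-Key frame
    with its MIC field zeroed. WPA (TKIP) uses HMAC-MD5 here instead."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def psk_handshake(client_psk: str, controller_psk: str) -> bool:
    """Messages 1 and 2 of the four-way handshake; True when the controller
    accepts message 2, which is what the slide's 'PSK Compare' amounts to."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    # Message 1 (controller -> client) carries ANonce; the client now has all four
    # inputs and derives its PTK from the PMK it computed from its own PSK.
    ptk_client = ptk_from_pmk(pmk_from_psk(client_psk, SSID), AA, SPA, anonce, snonce)
    # Message 2 (client -> controller) carries SNonce and a MIC made with the KCK.
    # The constructed body stands in for the real EAPOL-Key frame, MIC field zeroed.
    msg2 = b"EAPOL-Key message 2" + snonce + bytes(16)
    mic_sent = eapol_mic(ptk_client[:16], msg2)
    # The controller derives its own PTK from its PSK and the same MACs and nonces.
    # The PSK itself never crosses the air: a matching MIC is the only evidence
    # the controller gets that the client holds the same PSK.
    ptk_ctrl = ptk_from_pmk(pmk_from_psk(controller_psk, SSID), AA, SPA, anonce, snonce)
    return hmac.compare_digest(mic_sent, eapol_mic(ptk_ctrl[:16], msg2))
```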

CUWN v6.0—4-19

WPA/WPA2 EAP-PEAP-MS-CHAPv2

[Figure: message sequence between the Supplicant or Client, the Authenticator or Cisco WLC, and the Authentication or RADIUS/EAP Server (AAA).]

1. Open Authentication

2. Association

3. MS-CHAPv2 Exchange (client to AAA server, relayed by the controller)

4. MS-CHAPv2 Exchange Success

5. 802.1x Negotiated

6. ANonce Delivered

7. SNonce Delivered

8. MIC Negotiate

9. MIC Negotiate

10. Encrypted Group Key (WPA only)

11. Data

WPA uses the encrypted group key exchange, and a race condition may occur. WPA2 integrates this step with MIC negotiation.

CUWN v6.0—4-20

WPA/WPA2 Considerations

Client (supplicant) must have WPA/WPA2 driver that supports EAP.

– WPA generally prevalent today.

– WPA2 becoming common with new clients.

RADIUS server must understand EAP.

– Many RADIUS servers support EAP.

PEAP carries EAP types within a channel secured by TLS and so requires a server certificate.

– Allows dynamic keys.

WPA2 is more compute-intensive with optional AES encryption.

May require new WLAN hardware to support AES encryption.

– Cisco wireless supports TKIP as alternative.

CUWN v6.0—4-21

WPA2 Proactive Key Caching

802.11i is secure but has limitations.

Requires client authentication at each AP.

APs or clients may clean up their security association cache, which will require reauthentication.

Roaming is only optimized in a direction in which the client has previously authenticated.

– Creates a load on RADIUS server that is hard to measure.

PKC requires 802.1x authentication only once.

Roaming event will still require four-way key exchange.

Mobility group PKC-aware

– Authentication data shared among controllers

– Only one authentication per mobility group

Works with WNIC cards that are WPA2-compatible.
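How proactive key caching removes the per-AP re-authentication listed above, as an added example that is not part of the course material: a toy controller-side PMK cache run once in plain 802.11i key-caching mode and once in PKC mode, so the difference in where a roam still needs a full 802.1x authentication (and thus a RADIUS round trip) is visible. The PMKID construction is the one from IEEE 802.11i; the cache class, MAC addresses and PMK are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values (not from the course): a PMK the client obtained
# from one 802.1x/EAP authentication, its MAC, and the BSSIDs of two APs
# managed by the same controller / mobility group.
PMK = bytes(range(32))
SPA = bytes.fromhex("66778899aabb")
AP1 = bytes.fromhex("001122334455")
AP2 = bytes.fromhex("001122334466")


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """802.11i PMKID = HMAC-SHA1-128(PMK, "PMK Name" | AA | SPA). The client
    sends it in its (re)association request to name a cached PMK for this
    AP without revealing the PMK itself."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class ControllerPmkCache:
    """Toy model of the controller's PMK cache (an illustration, not WLC code).
    proactive=False models plain 802.11i key caching, where the PMK is bound to
    the AP that authenticated the client; proactive=True models PKC, where the
    controller owns the PMK and can honour it for every AP it manages."""

    def __init__(self, proactive: bool):
        self.proactive = proactive
        self.by_client = {}  # SPA -> (PMK, BSSIDs the PMK is valid for, or None for all)

    def on_8021x_success(self, spa: bytes, aa: bytes, pmk: bytes) -> None:
        self.by_client[spa] = (pmk, None if self.proactive else {aa})

    def on_reassociation(self, aa: bytes, spa: bytes, offered_pmkid: bytes):
        """Return the cached PMK to start the four-way handshake with, or None
        when a full 802.1x authentication is required (the RADIUS load the
        slide mentions)."""
        entry = self.by_client.get(spa)
        if entry is None:
            return None
        pmk, valid_aps = entry
        if valid_aps is not None and aa not in valid_aps:
            return None  # roamed toward an AP this client never authenticated with
        if not hmac.compare_digest(pmkid(pmk, aa, spa), offered_pmkid):
            return None  # client names a PMK we do not hold: re-authenticate
        return pmk
```

Either way the roam still ends in the four-way handshake, as the slide notes; what PKC saves is the EAP exchange in front of it.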

CUWN v6.0—4-22

Cisco Centralized Key Management

Cisco Centralized Key Management:

Introduced to reduce authentication time.

On a single WLAN, WPA1, WPA2, or Cisco Centralized Key Management clients are allowed to join.

Support of TKIP or AES encryption for Cisco Centralized Key Management

– TKIP used by default.

– User can enable or disable AES encryption for Cisco Centralized Key Management.

– Proprietary implementation—works similarly to PKC.

CUWN v6.0—4-23

Association and Fast-Roaming Reassociation

The controller caches the session key at initial 802.1x authentication, so that it is available when the client roams to another AP or to another controller in the mobility group.

The controllers are aware of the key through CAPWAP and the lightweight architecture. Therefore, only two packets are used in re-association.

Re-association frames are extended with additional Cisco Centralized Key Management information to update the keys.

The additional information prevents the latency involved in a full 802.1x authentication and allows the fast roaming needed for VoIP devices.

[Figure: fast-roaming reassociation. The client sends a Re-association Request to the new AP and receives a Re-association Response; the Cisco WLC serving as WDS holds the cached key, so no full 802.1x authentication against the AAA server is needed.]

CUWN v6.0—4-24

CUWN v6.0—4-25

Configuring WPA and WPA2 with Cisco Centralized Key Management

The WPA1 + WPA2 option allows Cisco Centralized Key Management at the controller level, or 802.1x (RADIUS) authentication combined with Cisco Centralized Key Management.

If 802.1x + Cisco Centralized Key Management is used, two WLANs can be consolidated into one, so that WPA1, WPA2, and Cisco Centralized Key Management clients can all join the same SSID.

CUWN v6.0—4-26

Lesson Summary

Several options are available for Security Policy configurations.

Two types of Management Frame Protection—Infrastructure MFP and Client MFP—are supported by the Cisco Unified Wireless Network system.

EAP-PEAP-MS-CHAPv2 improves the weaker points of EAP-TLS by providing user identity protection.

WPA/WPA2 were developed to address the security faults of existing 802.1x and WEP deployments.

CUWN v6.0—4-27
