© 2008, Cisco Systems, Inc. All rights reserved. Printed in USA.
© 2010 Cisco Systems, Inc. All rights reserved.
CUWN v6.0—4-1
WLAN Security: Configuring WLAN Security Policies
Lesson Overview & Objectives
Overview – This lesson provides an overview of various Cisco security policies and the valuable functions that they perform in a Cisco Unified Wireless Network environment.
Objectives – Upon completing this lesson, you will be able to configure various security policies to support diverse customer security needs in a WLAN deployment. This ability includes being able to meet these objectives:
– List the options for Security Policy configurations
– Describe the MFP modules, process, and settings
– Describe the digital certificates used in PKI and the Cisco Unified Wireless Network solution
– List the features of TLS
– Describe the features and configuration of EAP-PEAP-MS-CHAPv2
– Describe the two protocols of WPA and WPA2 for authentication and encryption
– Explain the advantage of Layer 3 Security in a VPN
– State the purpose of the CA and ID certificates
– Explain how to configure an AP for DTLS data encryption
Security Policy Configurations
Security policy logic
MFP
802.1x
– EAP-PEAP-MS-CHAPv2 authentication
– 802.11i
WPA authentication
WPA2 authentication
VPN pass-through
Security Policy Logic
Go to Monitor > Clients > Client Detail to see the state of a client.
Client state diagram (figure): Start; Layer 2 security (None, Static WEP, 802.1x, WPA, WPA2); Layer 3 security (Web, IPsec); DHCP; Mobility; Run.
Start, DHCP, Mobility, and Run are seen in logs or status fields.
Management Frame Protection
MFP has two functional modes:
– Infrastructure-only support (MFP-1)
– Client and infrastructure support in Cisco Compatible Extensions v5 (MFP-2)
MFP-1 provides very quick and accurate detection of a spoofing event.
– Does not prevent spoofed management frames from impacting clients
MFP-2 effectively shields authenticated clients from spoofed frames.
MFP prevents many common attacks against WLANs from becoming effective.
Most attacks revert to only degrading WLAN performance.
MFP Modules
MFP offers these modules:
Key management
Protection
Validation
Reporting
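A simplified model of the four MFP modules, added here as an illustration (it is not Cisco's MFP implementation; the frame layout, the per-AP signing key distribution and the sequence-number replay window are constructed for the example): the controller issues a signing key to each AP (key management), each AP appends a MIC to the management frames it sends (protection), a neighbouring AP checks the MIC and sequence number of frames it overhears (validation), and every failure is forwarded to the controller (reporting).

```python
"""Simplified model of Infrastructure MFP: key management, protection,
validation and reporting. Added illustration, not Cisco code; frame layout,
key distribution and replay window are constructed for this example."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class MgmtFrame:
    bssid: str          # transmitter address the frame claims to come from
    subtype: str        # "beacon", "deauthentication", ...
    body: bytes
    seq: int = 0
    mic: bytes = b""    # empty when the sender did not sign the frame


class Controller:
    """Key management: one signing key per AP, distributed as a table so any AP
    can validate frames from any neighbour. Also collects reports."""
    def __init__(self):
        self.keys = {}
        self.reports = []   # (validating AP, claimed BSSID, subtype, reason)

    def register_ap(self, bssid):
        self.keys[bssid] = os.urandom(16)
        return self.keys[bssid]

    def key_table(self):
        return dict(self.keys)

    def report(self, validator, frame, reason):
        self.reports.append((validator, frame.bssid, frame.subtype, reason))


def _mic(key, frame):
    """MIC over the fields an attacker would want to forge, including the sequence
    number so a captured frame cannot simply be replayed later."""
    msg = (frame.bssid.encode() + frame.subtype.encode()
           + frame.seq.to_bytes(4, "big") + frame.body)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class AccessPoint:
    def __init__(self, bssid, controller):
        self.bssid, self.ctl = bssid, controller
        self.key = controller.register_ap(bssid)
        self.seq = 0
        self.last_seen = {}   # BSSID -> highest sequence number validated so far

    def protect(self, subtype, body):
        """Protection: sign every outgoing management frame."""
        self.seq += 1
        frame = MgmtFrame(self.bssid, subtype, body, self.seq)
        frame.mic = _mic(self.key, frame)
        return frame

    def validate(self, frame):
        """Validation: check MIC and sequence against the controller's key table and
        report anything that fails."""
        keys = self.ctl.key_table()
        if frame.bssid not in keys:
            self.ctl.report(self.bssid, frame, "unknown BSSID")
            return False
        if not frame.mic:
            self.ctl.report(self.bssid, frame, "missing MIC")
            return False
        if not hmac.compare_digest(frame.mic, _mic(keys[frame.bssid], frame)):
            self.ctl.report(self.bssid, frame, "invalid MIC")
            return False
        if frame.seq <= self.last_seen.get(frame.bssid, 0):
            self.ctl.report(self.bssid, frame, "replayed frame")
            return False
        self.last_seen[frame.bssid] = frame.seq
        return True


def demo():
    """Genuine frame passes; unsigned, forged and replayed frames are rejected and reported."""
    ctl = Controller()
    ap1 = AccessPoint("00:11:22:33:44:01", ctl)
    ap2 = AccessPoint("00:11:22:33:44:02", ctl)
    genuine = ap1.protect("beacon", b"ssid=corp")           # signed by ap1
    unsigned = MgmtFrame(ap1.bssid, "beacon", b"ssid=corp", seq=5)
    forged = MgmtFrame(ap1.bssid, "deauthentication", b"reason=7",
                       seq=99, mic=os.urandom(8))           # claims ap1, no key
    return {
        "genuine": ap2.validate(genuine),
        "unsigned": ap2.validate(unsigned),
        "forged": ap2.validate(forged),
        "replayed": ap2.validate(genuine),                  # same frame a second time
        "reports": [r[3] for r in ctl.reports],
    }


if __name__ == "__main__":
    print(demo())
```

The model matches the behaviour described on the previous slide: validation detects the spoof immediately and the controller learns about it, but nothing here stops a client that does not itself validate MICs from acting on the forged frame, which is the gap client MFP (MFP-2) closes.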
AP Authentication Policy—Enabling Global Infrastructure MFP
1. Go to Security > Wireless Protection Policies > AP Authentication.
2. Select Management Frame Protection in the drop-down box for Protection Type.
MFP Settings for WLANs
1. From WLAN configuration, click the Advanced tab to enable/disable Infrastructure MFP.
2. Specify if MFP client protection is disabled/optional/required on the WLAN.
MFP Settings for APs
From AP configuration, choose the Advanced tab to enable/disable MFP Frame Validation.
Verifying MFP Settings
Go to Security > Wireless Protection Policies > Management Frame Protection to view General, WLANs, and APs settings.
802.1x Architecture
802.1x architecture diagram (figure): EAP types EAP-FAST (Cisco), TLS (Microsoft), and PEAP (Microsoft/Cisco/RSA); credentials are a username and password or a certificate; 802.1x provides the authentication and delivers the session key; encryption is WEP, TKIP (WPA), or AES (WPA2).
EAP-PEAP-MS-CHAPv2 Overview
Developed by Microsoft, Cisco, and RSA Security
Developed to improve upon the weaker points of EAP-TLS:
– Lack of user identity protection
User identity is passed in the TLS certificate
– Requires a client certificate to authenticate the client
Requires management of client certificates
Does not address users who log in from different computers
PEAP carries EAP types within a channel secured by TLS and thus requires a server certificate.
– Allows dynamic keys
Requires re-authentication to roll encryption keys
Does not provide MIC
EAP-PEAP-MS-CHAPv2
Exchange between the supplicant (client), the authenticator (controller), and the authentication server (RADIUS/EAP, AAA) (figure):
1. Open Authentication and Association (client and controller)
2. Request Connection
3. EAP Request Identity / EAP Request Identity Response (relayed by the controller to the server)
4. Request EAP-PEAP and certificate presentation (the server presents its certificate)
5. Response EAP-PEAP
6. TLS Negotiation Start ... TLS Negotiation Done (TLS tunnel established)
7. Inside the TLS tunnel: EAP Request Authentication Type / EAP Request Authentication Type Response
8. MS-CHAPv2 Exchange
9. MS-CHAPv2 Exchange Success
10. Data
Configuring 802.1x EAP-PEAP-MS-CHAPv2
Go to WLAN configuration > Security and set the Layer 2 Security drop-down box to be 802.1x.
Microsoft Windows XP clients only support 40-bit or 104-bit dynamic WEP keys.
40-bit key = 56-bit Microsoft key; 104-bit key = 128-bit Microsoft key.
WPA/WPA2 Overview
WPA2 is a security standard developed by the IEEE 802.11i task group; WPA was an interim standard.
– RSN is the IEEE equivalent of WPA2.
Generally uses the AES block cipher with CCMP for encryption.
– Also supports TKIP
Generally uses 802.1x authentication methods.
– Supports PSK
– Cisco Centralized Key Management supported
– Combination 802.1x + Cisco Centralized Key Management
WPA/WPA2 use the same authentication architecture, key distribution, and key renewal.
Supports PKC.
Supports pre-authentication.
WPA/WPA2 Authentication
802.1x Authentication:
– Authentication server required
– RADIUS used for authentication and key distribution
– Centralized access control
PSK Authentication:
– Authentication server not required
– Shared secret used for authentication
– Local access control
WPA/WPA2 Encryption
TKIP—Used for WPA
Uses same hardware as WEP
Key mixing improves security
MIC provides additional security
Rekeying provides additional security
Only used for WPA backward-compatibility
AES
Requires newer hardware
Higher security than TKIP
Generally used for WPA2
WPA PSK
Same key is pre-installed on the client and controller.
Four-way key exchange between the supplicant (client) and the authenticator (controller) (figure):
1. Open Authentication
2. Association
3. Connection Request
4. PSK Compare (each side holds the pre-installed key)
5. ANonce Delivered (authenticator to supplicant)
6. SNonce Delivered (supplicant to authenticator)
7. MIC Negotiate (two messages)
8. Encrypted Group Key
9. Data
Before the exchange, the supplicant has its own nonce and MAC and needs the authenticator MAC and nonce; the authenticator has its own nonce and MAC and needs the supplicant MAC and nonce.
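A worked model of the exchange above, added here as an illustration (it is not Cisco code; the EAPOL frame body, the sample passphrase and the MAC addresses are constructed): each side derives the PMK from the shared passphrase, only nonces and MAC addresses cross the air, both sides derive the same PTK independently, and the MIC on the handshake frame is what proves key possession. It also shows the mismatch case that "PSK Compare" stands for in the figure: a wrong passphrase on one side yields a MIC that does not verify.

```python
"""Model of the WPA/WPA2-PSK four-way key exchange. Added illustration, not
Cisco code. PSK-to-PMK mapping (PBKDF2) and PRF-512 follow IEEE 802.11i; the
EAPOL frame body, passphrase and MAC addresses are constructed for the example."""
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Only the first 48 bytes are used: KCK (MIC key), KEK (group key wrap), TK (data)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf512(pmk, b"Pairwise key expansion", data)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC over the EAPOL-Key frame: HMAC-SHA1 truncated to 16 bytes, the
    variant used with CCMP (WPA with TKIP uses HMAC-MD5 instead)."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(passphrase_client: str, passphrase_controller: str,
                       ssid: str, aa: bytes, spa: bytes):
    """Returns (supplicant PTK, authenticator PTK, MIC verified). Each side uses
    its own copy of the passphrase, so a mismatch shows up only in the MIC check."""
    pmk_s = pmk_from_passphrase(passphrase_client, ssid)      # supplicant side
    pmk_a = pmk_from_passphrase(passphrase_controller, ssid)  # authenticator side
    anonce = os.urandom(32)   # message 1: ANonce delivered (no MIC yet)
    snonce = os.urandom(32)   # message 2: SNonce delivered, carrying a MIC
    ptk_s = derive_ptk(pmk_s, aa, spa, anonce, snonce)
    msg2 = b"EAPOL-Key message 2 " + snonce                   # constructed frame body
    mic_s = eapol_mic(ptk_s["kck"], msg2)
    # Authenticator now has SNonce and SPA, derives its own PTK and checks the MIC.
    ptk_a = derive_ptk(pmk_a, aa, spa, anonce, snonce)
    mic_ok = hmac.compare_digest(mic_s, eapol_mic(ptk_a["kck"], msg2))
    return ptk_s, ptk_a, mic_ok


if __name__ == "__main__":
    AA = bytes.fromhex("001122334401")    # constructed controller/AP MAC
    SPA = bytes.fromhex("0a1b2c3d4e5f")   # constructed client MAC
    _, _, ok = four_way_handshake("correct horse battery", "correct horse battery", "corp", AA, SPA)
    print("matching PSK, MIC verified:", ok)
    _, _, ok = four_way_handshake("correct horse battery", "wrong passphrase", "corp", AA, SPA)
    print("mismatched PSK, MIC verified:", ok)
```

Because the PMK is a deterministic function of the passphrase and SSID, every client on a PSK WLAN shares the same PMK; that is why the slides steer enterprise deployments toward 802.1x, where each client's PMK comes out of its own EAP session.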
WPA/WPA2 EAP-PEAP-MS-CHAPv2
Exchange between the supplicant (client), the authenticator (Cisco WLC), and the authentication server (RADIUS/EAP, AAA) (figure):
1. Open Authentication
2. Association
3. MS-CHAPv2 Exchange
4. MS-CHAPv2 Exchange Success
5. 802.1x Negotiated
6. ANonce Delivered
7. SNonce Delivered
8. MIC Negotiate (two messages)
9. Encrypted Group Key (WPA only)
10. Data
WPA uses the encrypted group key exchange, and a race condition may occur. WPA2 integrates this step with MIC negotiation.
WPA/WPA2 Considerations
Client (supplicant) must have WPA/WPA2 driver that supports EAP.
– WPA generally prevalent today.
– WPA2 becoming common with new clients.
RADIUS server must understand EAP.
– Many RADIUS servers support EAP.
PEAP carries EAP types within a channel secured by TLS and so requires a server certificate.
– Allows dynamic keys.
WPA2 is more compute-intensive with optional AES encryption.
May require new WLAN hardware to support AES encryption.
– Cisco wireless supports TKIP as alternative.
WPA2 Proactive Key Caching
802.11i is secure but has limitations:
Requires client authentication at each AP.
APs or clients may clean up their security association cache, which then requires reauthentication.
Roaming is only optimized in a direction in which the client has previously authenticated.
– Creates a load on the RADIUS server that is hard to measure.
PKC requires 802.1x authentication only once.
Roaming event will still require four-way key exchange.
Mobility group PKC-aware
– Authentication data shared among controllers
– Only one authentication per mobility group
Works with WNIC cards that are WPA2-compatible.
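A model of proactive key caching across a PKC-aware mobility group, added here as an illustration (it is not Cisco code; the RADIUS stand-in, the shared cache and the client object are constructed for the example, and the controller handing the PMK back to the client stands in for the client deriving it from its own EAP session). The PMKID is built as IEEE 802.11i specifies, HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), which is what lets a client name a cached key for an AP it has never visited. The run contrasts a PKC-capable client, which authenticates against RADIUS once and then roams in any direction, including back to the first AP and onto a second controller, with a legacy client that triggers a full 802.1x authentication at every AP.

```python
"""Model of WPA2 proactive key caching (PKC) across a mobility group. Added
illustration, not Cisco code: the RADIUS stand-in, the shared cache and the
client are constructed for the example. PMKID follows IEEE 802.11i."""
import hashlib
import hmac
import os

# Constructed BSSIDs: AP1 and AP2 on one controller, AP3 on another.
AP1, AP2, AP3 = (bytes.fromhex(h) for h in ("001122334401", "001122334402", "001122334403"))


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """Name of a cached PMK for one (AP, client) pair. A client that holds the PMK
    can compute it for any AP in advance: the 'proactive' part of PKC."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class RadiusServer:
    """Stand-in for the AAA server; counts full 802.1x/EAP authentications."""
    def __init__(self):
        self.auth_count = 0

    def authenticate(self, spa: bytes) -> bytes:
        self.auth_count += 1
        return os.urandom(32)  # PMK delivered to the controller after EAP success


class MobilityGroup:
    """PKC-aware mobility group: one PMK cache visible to every controller in it."""
    def __init__(self):
        self.cache = {}  # client MAC -> PMK


class Controller:
    def __init__(self, group: MobilityGroup, radius: RadiusServer, bssids: set):
        self.group, self.radius, self.bssids = group, radius, bssids

    def associate(self, spa: bytes, bssid: bytes, offered_pmkids: set):
        """Returns ('cached' | 'full-auth', PMK). A PMKID hit skips 802.1x entirely;
        the four-way handshake that follows is still required after every roam."""
        if bssid not in self.bssids:
            raise ValueError("AP not served by this controller")
        pmk = self.group.cache.get(spa)
        if pmk is not None and pmkid(pmk, bssid, spa) in offered_pmkids:
            return "cached", pmk
        pmk = self.radius.authenticate(spa)
        self.group.cache[spa] = pmk
        return "full-auth", pmk


class Client:
    def __init__(self, spa: bytes, pkc_capable: bool = True):
        self.spa, self.pkc, self.pmk = spa, pkc_capable, None

    def roam_to(self, wlc: Controller, bssid: bytes) -> str:
        """A PKC-capable client offers the PMKID it expects for the target AP in its
        (re)association; a legacy client offers nothing and always re-authenticates."""
        offered = {pmkid(self.pmk, bssid, self.spa)} if (self.pkc and self.pmk) else set()
        path, self.pmk = wlc.associate(self.spa, bssid, offered)
        return path


def demo():
    """Returns (PKC client path per roam, legacy client path per roam, RADIUS auth count)."""
    radius, group = RadiusServer(), MobilityGroup()
    wlc1 = Controller(group, radius, {AP1, AP2})
    wlc2 = Controller(group, radius, {AP3})
    route = [(wlc1, AP1), (wlc1, AP2), (wlc2, AP3), (wlc1, AP1)]
    pkc_client = Client(bytes.fromhex("0a1b2c3d4e5f"))               # constructed MAC
    pkc_paths = [pkc_client.roam_to(w, b) for w, b in route]
    legacy = Client(bytes.fromhex("0a1b2c3d4e60"), pkc_capable=False)  # constructed MAC
    legacy_paths = [legacy.roam_to(w, b) for w, b in route]
    return pkc_paths, legacy_paths, radius.auth_count


if __name__ == "__main__":
    print(demo())
```

The count of RADIUS authentications is the figure the slide calls hard to measure: with a shared cache it stays at one per client per mobility group, and the roam back to AP1 is served from cache even though the client first authenticated there, which plain 802.11i key caching would not guarantee.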
Cisco Centralized Key Management
The Cisco Centralized Key Management:
Introduced to reduce authentication time.
On a single WLAN, WPA1, WPA2, or Cisco Centralized Key Management clients are allowed to join.
Support of TKIP or AES encryption for Cisco Centralized Key Management
– TKIP used by default.
– User can enable or disable AES encryption for Cisco Centralized Key Management.
– Proprietary implementation—works similarly to PKC.
Association and Fast-Roaming Reassociation
The controller caches the session key at the initial 802.1x authentication, so it is available when the client roams to another AP or to another controller in the mobility group.
The controllers are aware of the key through CAPWAP and the lightweight architecture, so only two packets are used in re-association.
Re-association frames are extended with additional Cisco Centralized Key Management information to update the keys.
The additional information avoids the latency of a full 802.1x authentication and allows the fast roaming needed for VoIP devices.
Fast-roaming reassociation diagram (figure): the Cisco WLC serving as WDS, the AAA server, and the two-packet Re-association Request / Re-association Response exchange.
Configuring WPA and WPA2 with Cisco Centralized Key Management
The WPA1 + WPA2 option allows Cisco Centralized Key Management at the controller level or 802.1x context (RADIUS) support with Cisco Centralized Key Management.
If 802.1x + Cisco Centralized Key Management is used, a consolidation of two WLANs allows all WPA1, WPA2, or Cisco Centralized Key Management clients to join that SSID.
Lesson Summary
Several options are available for Security Policy configurations.
Two types of Management Frame Protection—Infrastructure MFP and Client MFP—are supported by the Cisco Unified Wireless Network system.
EAP-PEAP-MS-CHAPv2 improves the weaker points of EAP-TLS by providing user identity protection.
WPA/WPA2 were developed to address the security faults of the existing 802.1x and WEP combination.
Page 14
© 2008, Cisco Systems, Inc. All rights reserved. Printed in USA.
© 2010 Cisco Systems, Inc. All rights reserved.
CUWN v6.0—4-27
Cisco