Home » Cisco Manuals » Wireless » Cisco AIR-LAP1252AG-A-K9 » Manual Viewer

Cisco AIR-LAP1252AG-A-K9 Software Configuration Guide - Page 126

Combining MAC-Based, EAP, and Open Authentication, Authenticating Client Devices

UPC - 882658140716

View all Cisco AIR-LAP1252AG-A-K9 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 126 highlights

Security Overview Chapter 4 Security Setup During shared key authentication, the access point sends an unencrypted challenge text string to any device attempting to communicate with the access point. The device requesting authentication encrypts the challenge text and sends it back to the access point. If the challenge text is encrypted correctly, the access point allows the requesting device to authenticate. Both the unencrypted challenge and the encrypted challenge can be monitored, however, which leaves the access point open to attack from an intruder who calculates the WEP key by comparing the unencrypted and encrypted text strings. Because of this weakness, shared key authentication can be less secure than open authentication. Like open authentication, shared key authentication does not rely on a RADIUS server on your network. Figure 4-5 shows the authentication sequence between a device trying to authenticate and an access point using shared key authentication. In this example the device's WEP key matches the access point's key, so it can authenticate and communicate. Figure 4-5 Sequence for Shared Key Authentication Access point or bridge with WEP key = 123 1. Authentication request 2. Unencrypted challenge 3. Encrypted challenge response 4. Authentication response Client device with WEP key = 123 54584 Combining MAC-Based, EAP, and Open Authentication You can set up the access point to authenticate client devices using a combination of MAC-based and EAP authentication. When you enable this feature, client devices that associate to the access point using 802.11 open authentication first attempt MAC authentication; if MAC authentication succeeds, the client device joins the network. If MAC authentication fails, the access point waits for the client device to attempt EAP authentication. See the "Authenticating Client Devices Using MAC Addresses or EAP" section on page 4-34 for more information on this feature. Cisco Aironet 1200 Series Access Point Software Configuration Guide 4-8 OL-2159-03

Section	Page
Cisco Aironet 1200 Series Access Point Software Configuration Guide	1
Contents	3
Preface	13
Audience and Scope	13
Organization	13
Conventions	14
Related Publications	15
Obtaining Documentation	16
World Wide Web	16
Documentation CD-ROM	16
Ordering Documentation	16
Documentation Feedback	17
Obtaining Technical Assistance	17
Cisco.com	17
Technical Assistance Center	18
Cisco TAC Web Site	18
Cisco TAC Escalation Center	19
Overview	21
Key Features	22
Management Options	22
Roaming Client Devices	23
Network Configuration Examples	23
Root Unit on a Wired LAN	23
Repeater Unit that Extends Wireless Range	24
Central Unit in an All-Wireless Network	25
Using the Management Interfaces	27
Using the Web-Browser Interface	28
Using the Web-Browser Interface for the First Time	28
Using the Management Pages in the Web-Browser Interface	28
Navigating Using the Map Windows	30
Using the Command-Line Interface	31
Preparing to Use a Terminal Emulator	32
Connecting the Serial Cable	32
Setting Up the Terminal Emulator	33
Changing Settings with the CLI	33
Selecting Pages and Settings	35
Applying Changes to the Configuration	35
Using a Telnet Session	35
Using SNMP	36
Supported MIBs	36
Configuration	39
Basic Settings	40
Entering Basic Settings	41
System Name	41
MAC Address	41
Configuration Server Protocol	42
Default IP Address	42
Default IP Subnet Mask	42
Default Gateway	42
Radio Service Set ID (SSID)	43
Role in Radio Network	43
Radio Network Optimization (Optimize Radio Network For)	46
Radio Network Compatibility (Ensure Compatibility With)	46
SNMP Admin. Community	46
Filter Setup	47
Protocol Filtering	47
Creating a Protocol Filter	48
Enabling a Protocol Filter	52
MAC Address Filtering	52
Creating a MAC Address Filter	53
Radio Configuration	57
Entering Identity Information	57
Settings on the AP Radio Identification Page	58
Primary Port Settings	59
Default IP Address	59
Default IP Subnet Mask	59
Service Set ID (SSID)	60
LEAP User Name	60
LEAP Password	60
Entering Radio Hardware Information	60
Settings on the AP Radio Hardware Page	61
Service Set ID (SSID)	62
Allow Broadcast SSID to Associate?	62
Enable World Mode	63
Data Rates	63
Transmit Power	64
Frag. Threshold	65
RTS Threshold	65
Max. RTS Retries	65
Max. Data Retries	65
Beacon Period	65
Data Beacon Rate (DTIM)	65
Default Radio Channel	66
Search for Less-Congested Radio Channel	66
Restrict Searched Channels	67
Receive Antenna and Transmit Antenna	67
Entering Advanced Configuration Information	69
Settings on the AP Radio Advanced Page	70
Requested Status	71
Packet Forwarding	71
Default Multicast Address Filters	71
Maximum Multicast Packets/Second	72
Radio Cell Role	72
Maximum Number of Associations	72
Use Aironet Extensions	73
Classify Workgroup Bridges as Network Infrastructure	73
Require Use of Radio Firmware x.xx	74
Ethernet Encapsulation Transform	74
Enhanced MIC verification for WEP	75
Temporal Key Integrity Protocol	75
Broadcast WEP Key rotation interval (sec)	76
Accept Authentication Types	76
Require EAP	76
Default Unicast Address Filter	77
Specified Access Points	77
Radio Modulation	78
Radio Preamble	78
Ethernet Configuration	79
Entering Identity Information	79
Settings on the Ethernet Identification Page	80
Primary Port Settings	80
Default IP Address	80
Default IP Subnet Mask	81
Entering Ethernet Hardware Information	81
Settings on the Ethernet Hardware Page	82
Speed	82
Entering Advanced Configuration Information	84
Settings on the Ethernet Advanced Page	84
Requested Status	84
Packet Forwarding	85
Default Unicast and Multicast Address Filters	85
Maximum Multicast Packets/Second	86
Server Setup	86
Entering Time Server Settings	87
Settings on the Time Server Setup Page	87
Simple Network Time Protocol	88
Default Time Server	88
GMT Offset (hr)	88
Use Daylight Savings Time	88
Manually Set Date and Time	88
Entering Boot Server Settings	89
Settings on the Boot Server Setup Page	89
Configuration Server Protocol	90
Use Previous Configuration Server Settings	90
Read .ini File from File Server	90
BOOTP Server Timeout (sec)	91
DHCP Multiple-Offer Timeout (sec)	91
DHCP Requested Lease Duration (min)	91
DHCP Minimum Lease Duration (min)	91
DHCP Client Identifier Type	92
DHCP Client Identifier Value	93
DHCP Class Identifier	93
Entering Web Server Settings and Setting Up Access Point Help	93
Settings on the Web Server Setup Page	94
Allow Non-Console Browsing	94
HTTP Port	94
Default Help Root URL	94
Extra Web Page File	95
Default Web Root URL	95
Entering Name Server Settings	96
Settings on the Name Server Setup Page	96
Domain Name System	97
Default Domain	97
Domain Name Servers	97
Domain Suffix	97
Entering FTP Settings	98
Settings on the FTP Setup Page	98
File Transfer Protocol	99
Default File Server	99
FTP Directory	99
FTP User Name	99
FTP User Password	99
Routing Setup	99
Entering Routing Settings	100
Default Gateway	100
New Network Route Settings	101
Installed Network Routes list	101
Association Table Display Setup	102
Association Table Filters Page	102
Settings on the Association Table Filters Page	103
Stations to Show	103
Fields to Show	103
Packets To/From Station	104
Bytes To/From Station	104
Primary Sort	105
Secondary Sort	105
Association Table Advanced Page	106
Settings on the Association Table Advanced Page	107
Handle Station Alerts as Severity Level	107
Maximum number of bytes stored per Station Alert packet	108
Maximum Number of Forwarding Table Entries	108
Aironet Extended Statistics in MIB (awcTpFdbTable)	108
Block ALL Inter-Client Communications (PSPF)	108
Default Activity Timeout (seconds) Per Device Class	108
Event Notification Setup	109
Event Display Setup Page	109
Settings on the Event Display Setup Page	110
How should time generally be displayed?	110
How should Event Elapsed (non-wall-clock) Time be displayed?	110
Severity Level at which to display events	110
Event Handling Setup Page	112
Settings on the Event Handling Setup Page	114
Disposition of Events	114
Handle Station Events as Severity Level	115
Maximum memory reserved for Detailed Event Trace Buffer (bytes)	115
Download Detailed Event Trace Buffer	115
Clear Alert Statistics	115
Purge Trace Buffer	115
Event Notifications Setup Page	116
Settings on the Event Notifications Setup Page	117
Should Notify-Disposition Events generate SNMP Traps?	117
SNMP Trap Destination	117
SNMP Trap Community	117
Should Notify-Disposition Events generate Syslog Messages?	117
Syslog Destination Address	118
Syslog Facility Number	118
Security Setup	119
Security Overview	120
Levels of Security	120
Encrypting Radio Signals with WEP	121
Additional WEP Security Features	121
Network Authentication Types	122
Combining MAC-Based, EAP, and Open Authentication	126
Protecting the Access Point Configuration with User Manager	127
Setting Up WEP	127
Using SNMP to Set Up WEP	131
Enabling Additional WEP Security Features	132
Enabling Message Integrity Check (MIC)	132
Enabling Temporal Key Integrity Protocol (TKIP)	134
Enabling Broadcast WEP Key Rotation	136
Setting Up Open or Shared Key Authentication	137
Setting Up EAP Authentication	138
Enabling EAP on the Access Point	138
Enabling EAP in Cisco Secure ACS	143
Setting a Session-Based WEP Key Timeout	144
Setting up a Repeater Access Point as a LEAP Client	145
Setting Up MAC-Based Authentication	147
Enabling MAC-Based Authentication on the Access Point	147
Authenticating Client Devices Using MAC Addresses or EAP	152
Enabling MAC-Based Authentication in Cisco Secure ACS	153
Summary of Settings for Authentication Types	155
Setting Up Backup Authentication Servers	158
Setting Up Administrator Authorization	159
Creating a List of Authorized Management System Users	160
Network Management	165
Using the Association Table	166
Browsing to Network Devices	166
Setting the Display Options	167
Using Station Pages	167
Information on Station Pages	169
Station Identification and Status	169
To Station Information	170
From Station Information	171
Rate, Signal, and Status Information	171
Hops and Timing Information	172
Performing Pings and Link Tests	172
Performing a Ping	173
Performing a Link Test	173
Clearing and Updating Statistics	174
Deauthenticating and Disassociating Client Devices	175
Using the Network Map Window	175
Using Cisco Discovery Protocol	177
Settings on the CDP Setup Page	178
MIB for CDP	178
Assigning Network Ports	179
Settings on the Port Assignments Page	180
Enabling Wireless Network Accounting	180
Settings on the Accounting Setup Page	181
Accounting Attributes	183
Managing Firmware and Configurations	187
Updating Firmware	188
Updating with the Browser from a Local Drive	188
Full Update of the Firmware Components	189
Selective Update of the Firmware Components	190
Updating from a File Server	191
Full Update of the Firmware Components	191
Selective Update of the Firmware Components	193
Distributing Firmware	194
Distributing a Configuration	195
Limiting Distributions	197
Downloading, Uploading, and Resetting the Configuration	198
Downloading the Current Configuration	199
Uploading a Configuration	199
Uploading from a Local Drive	200
Uploading from a File Server	200
Resetting the Configuration	202
Restarting the Access Point	203
Management System Setup	205
SNMP Setup	206
Settings on the SNMP Setup Page	206
Using the Database Query Page	207
Settings on the Database Query Page	208
Changing Settings with the Database Query Page	208
Console and Telnet Setup	209
Settings on the Console/Telnet Page	209
Special Configurations	211
Setting Up a Repeater Access Point	211
Using Hot Standby Mode	215
Diagnostics and Troubleshooting	219
Using Diagnostic Pages	220
Radio Diagnostics Page	220
Antenna Alignment Test	221
Carrier Test	223
Network Ports Page	225
Identifying Information and Status	226
Data Received	226
Data Transmitted	227
Ethernet Port Page	227
Configuration Information	228
Receive Statistics	229
Transmit Statistics	230
AP Radio Page	230
Configuration Information	231
Receive Statistics	232
Transmit Statistics	233
Display Options	234
Event Log Page	235
Display Settings	235
Log Headings	236
Saving the Log	236
Event Log Summary Page	237
Using Command-Line Diagnostics	238
Entering Diagnostic Commands	239
Diagnostic Command Results	239
:eap_diag1_on	240
:eap_diag2_on	240
:vxdiag_arpshow	241
:vxdiag_checkstack	243
:vxdiag_hostshow	243
:vxdiag_i	244
:vxdiag_ipstatshow	245
:vxdiag_memshow	247
:vxdiag_muxshow	247
:vxdiag_routeshow	248
:vxdiag_tcpstatshow	249
:vxdiag_udpstatshow	250
Tracing Packets	251
Reserving Access Point Memory for a Packet Trace Log File	251
Tracing Packets for Specific Devices	252
Tracing Packets for Ethernet and Radio Ports	253
Viewing Packet Trace Data	254
Packets Stored in a Log File	254
Packets Displayed on the CLI	255
Checking the Top Panel Indicators	255
Finding an Access Point by Blinking the Top Panel Indicators	258
Checking Basic Settings	258
SSID	258
WEP Keys	258
EAP Authentication Requires Matching 802.1x Protocol Drafts	259
Resetting to the Default Configuration	261
Channels, Power Levels, and Antenna Gains	263
Channels	264
Channels for IEEE 802.11a	264
Channels for IEEE 802.11b	265
Maximum Power Levels and Antenna Gains	266
For IEEE 802.11a	266
For IEEE 802.11b	267
Protocol Filter Lists	269

Match case Limit results 1 per page

Chapter 4

Security Setup

Security Overview

4-8

Cisco Aironet 1200 Series Access Point Software Configuration Guide

OL-2159-03

During shared key authentication, the access point sends an unencrypted

challenge text string to any device attempting to communicate with the access

point. The device requesting authentication encrypts the challenge text and

sends it back to the access point. If the challenge text is encrypted correctly,

the access point allows the requesting device to authenticate. Both the

unencrypted challenge and the encrypted challenge can be monitored,

however, which leaves the access point open to attack from an intruder who

calculates the WEP key by comparing the unencrypted and encrypted text

strings. Because of this weakness, shared key authentication can be less

secure than open authentication. Like open authentication, shared key

authentication does not rely on a RADIUS server on your network.

Figure 4-5

shows the authentication sequence between a device trying to

authenticate and an access point using shared key authentication. In this

example the device

’

s WEP key matches the access point

’

s key, so it can

authenticate and communicate.

Figure 4-5

Sequence for Shared Key Authentication

Combining MAC-Based, EAP, and Open Authentication

You can set up the access point to authenticate client devices using a combination

of MAC-based and EAP authentication. When you enable this feature, client

devices that associate to the access point using 802.11 open authentication first

attempt MAC authentication; if MAC authentication succeeds, the client device

joins the network. If MAC authentication fails, the access point waits for the client

device to attempt EAP authentication. See the

“

Authenticating Client Devices

Using MAC Addresses or EAP

”

section on page

4-34

for more information on this

feature.

Access point

or bridge

with WEP key = 123

Client device

with WEP key = 123

1. Authentication request

2. Unencrypted challenge

3. Encrypted challenge response

4. Authentication response

54584