© 2008 Cisco Systems, Inc. All rights reserved. IUWNE v1.0—4-1
WLAN Security
Centralizing WLAN Authentication
802.1X
802.1X over Wireless
Unique Encryption Keys
EAP Process
EAP Frame Format
EAP defines four message types (Code 1 to 4): Request, Response, Success, and Failure. Every EAP packet starts with a Code, an Identifier (used to match a Response to its Request) and a Length field; Request and Response packets add a Type octet that names the method (Identity, Nak, EAP-TLS, PEAP, EAP-FAST, and so on).
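The following is an added example, not part of the Cisco course material: it encodes and decodes the RFC 3748 EAP packet header described above, including the Type octet and a Nak, and checks the Identifier matching between a Request and its Response. The frames in the usage section are constructed for illustration, not captured from a network.

```python
"""Added example (not from the Cisco course): build and parse RFC 3748 EAP
packets. Every packet starts with Code, Identifier and Length; Request and
Response packets carry a Type octet naming the method. Frames used below
are constructed, not captured."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Type values from RFC 3748 plus the method types the WLC offers for local EAP
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 25: "PEAP", 43: "EAP-FAST"}
HDR = struct.Struct("!BBH")   # Code, Identifier, Length (Length covers the whole packet)


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Encode one EAP packet. Success/Failure (codes 3/4) carry no Type or data."""
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if code in (3, 4):
        body = b""
    else:
        if eap_type is None:
            raise ValueError("Request/Response need a Type octet")
        body = bytes([eap_type]) + type_data
    return HDR.pack(code, identifier, HDR.size + len(body)) + body


def parse_eap(pkt):
    """Decode one EAP packet into a dict; raise ValueError on malformed input.
    Bytes beyond the Length field are ignored, as RFC 3748 requires."""
    if len(pkt) < HDR.size:
        raise ValueError("short EAP packet")
    code, ident, length = HDR.unpack_from(pkt)
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < HDR.size or length > len(pkt):
        raise ValueError("Length field inconsistent with buffer")
    out = {"code": EAP_CODES[code], "id": ident, "length": length}
    if code in (1, 2):
        if length < HDR.size + 1:
            raise ValueError("Request/Response without Type octet")
        t = pkt[HDR.size]
        out["type"] = EAP_TYPES.get(t, t)
        out["data"] = pkt[HDR.size + 1:length]
        if t == 3:   # Nak: data lists the method types the peer is willing to use
            out["nak_prefers"] = [EAP_TYPES.get(b, b) for b in out["data"]]
    return out


def is_well_formed(pkt):
    """Convenience wrapper: True if parse_eap accepts the packet."""
    try:
        parse_eap(pkt)
        return True
    except ValueError:
        return False


def responds_to(request, response):
    """True if `response` is the Response matching `request` (same Identifier)."""
    req, resp = parse_eap(request), parse_eap(response)
    return req["code"] == "Request" and resp["code"] == "Response" and req["id"] == resp["id"]


if __name__ == "__main__":
    # Constructed exchange: the authenticator asks for the identity, the
    # supplicant answers, is offered PEAP, and Naks in favour of EAP-FAST.
    exchange = [
        build_eap(1, 1, 1),                 # Request/Identity
        build_eap(2, 1, 1, b"alice"),       # Response/Identity
        build_eap(1, 2, 25),                # Request/PEAP
        build_eap(2, 2, 3, bytes([43])),    # Response/Nak, peer prefers EAP-FAST
        build_eap(3, 3),                    # Success (only after the method completes)
    ]
    for frame in exchange:
        print(frame.hex(), parse_eap(frame))
```

The Length check matters in practice: an authenticator that trusts the Length field over the buffer size, or accepts a Response whose Identifier does not match the outstanding Request, is parsing attacker-controlled frames without the protocol's own consistency rules.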
RADIUS
Security > AAA > RADIUS > Authentication
Security > AAA > RADIUS > Authentication > New
WLAN > Edit > Security > AAA Servers
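As an added example (not Cisco code and not from this course), the block below shows what the controller and the RADIUS server exchange once the WLAN is pointed at an AAA server: an Access-Request carrying the client's EAP packet in EAP-Message, the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present, and the Response Authenticator the controller must check on the reply. The shared secret, NAS address, identifiers and EAP payloads are constructed values; the HMAC-MD5 and MD5 constructions are those of RFC 2865, 2869 and 3579.

```python
"""Added example, not Cisco code: RADIUS framing used to relay EAP from a WLC
to an AAA server (RFC 2865/2869/3579). Builds an Access-Request with
EAP-Message + Message-Authenticator and verifies the server's reply with the
shared secret. Secret, addresses and EAP payloads below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HDR = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator


def attr(atype, value):
    """One attribute: Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("value too long; EAP-Message must be split into <=253-byte attributes")
    return bytes([atype, 2 + len(value)]) + value


def build_access_request(ident, username, eap_packet, nas_ip, secret, request_auth=None):
    """Controller side: Request Authenticator is random; Message-Authenticator is
    HMAC-MD5(secret) over the whole packet with its own value zeroed (RFC 3579)."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(EAP_MESSAGE, eap_packet))
    length = HDR.size + len(attrs) + 18
    pkt = HDR.pack(ACCESS_REQUEST, ident, length, request_auth) + attrs \
        + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def verify_message_authenticator(pkt, secret, request_auth=None):
    """Check Message-Authenticator. For a reply, pass the Request Authenticator of
    the matching Access-Request: the HMAC is computed with it in the header."""
    code, ident, length, _ = HDR.unpack_from(pkt)
    if length != len(pkt):
        return False
    off, ma_off = HDR.size, None
    while off + 2 <= length:                         # walk the attribute TLVs
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            return False
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            ma_off = off + 2
        off += l
    if ma_off is None:                               # required with EAP-Message
        return False
    zeroed = pkt[:ma_off] + bytes(16) + pkt[ma_off + 16:]
    if request_auth is not None:
        zeroed = zeroed[:4] + request_auth + zeroed[20:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[ma_off:ma_off + 16])


def build_reply(code, request_pkt, attrs, secret):
    """Server side: Message-Authenticator first (keyed with the Request Authenticator
    in the header), then Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865)."""
    _, ident, _, request_auth = HDR.unpack_from(request_pkt)
    length = HDR.size + len(attrs) + 18
    tmp = HDR.pack(code, ident, length, request_auth) + attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    ma = hmac.new(secret, tmp, hashlib.md5).digest()
    attrs_full = attrs + attr(MESSAGE_AUTHENTICATOR, ma)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, length)
                            + request_auth + attrs_full + secret).digest()
    return HDR.pack(code, ident, length, resp_auth) + attrs_full


def verify_reply(reply, request_pkt, secret):
    """Controller side: Identifier, Response Authenticator and Message-Authenticator
    must all check out before the EAP payload is handed to the client."""
    code, ident, length, resp_auth = HDR.unpack_from(reply)
    _, req_id, _, request_auth = HDR.unpack_from(request_pkt)
    if length != len(reply) or ident != req_id:
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    return verify_message_authenticator(reply, secret, request_auth)


if __name__ == "__main__":
    secret = b"s3cret"                                   # constructed shared secret
    eap_identity = b"\x02\x01\x00\x0a\x01alice"          # EAP Response/Identity "alice"
    req = build_access_request(7, b"alice", eap_identity, "10.0.0.5", secret)
    print("request ok:", verify_message_authenticator(req, secret))
    eap_peap_start = b"\x01\x02\x00\x06\x19\x20"          # EAP Request/PEAP, Start flag
    chal = build_reply(ACCESS_CHALLENGE, req, attr(EAP_MESSAGE, eap_peap_start), secret)
    print("challenge ok:", verify_reply(chal, req, secret))
    print("wrong secret:", verify_reply(chal, req, b"wrong"))
```

Both checks rest on MD5 keyed with the shared secret, so the secret is the only thing authenticating the AAA server to the controller; use a long random one per server and, where the platform supports it, carry RADIUS inside IPsec or RADIUS/TLS rather than over bare UDP.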
Local EAP
The following EAP methods are supported with local EAP:
− LEAP (legacy; its MS-CHAP-based exchange is open to offline dictionary attack, so prefer the methods below)
− EAP-FAST (username and password with a PAC, or certificate-based)
− EAP-TLS
− PEAP
MAC authentication is supported in addition to the above methods
Local EAP authentication is used as a fallback when the Cisco WLC cannot reach the configured RADIUS servers: if RADIUS servers are configured for the WLAN, the controller tries them first and falls back to local EAP only after they time out or when none is configured
Supports local users or LDAP users
Requires WLAN configuration
Security > Local EAP > Profiles
Local EAP is created in three steps:
1. Creation and configuration of an EAP profile
2. Creation of local users or delegation to an LDAP server
3. Validation of the EAP profile in a WLAN
Security > Local EAP > Profiles > Edit
Security > Local EAP > EAP-FAST Parameters
Security > AAA > Local Net Users
Security > Local EAP > Authentication Priority
The authentication priority order decides which user database local EAP consults:
− If only LDAP is listed, only LDAP is used
− If LOCAL is listed before LDAP, LDAP is used only if the local net user list does not contain the user; a user that exists locally with a wrong password is rejected, not retried against LDAP
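The lookup rule above, modelled as an added example (this is illustrative code, not the controller's implementation): the ordered list of credential stores is walked, and only a "user not found" result moves on to the next store, so a locally known user with a bad password is rejected without an LDAP query. The user lists, passwords and the LDAP stand-in are constructed.

```python
"""Added example, not Cisco code: a model of the Local EAP user-credential
priority order. Only a 'not-found' result moves to the next store; a known
user with a wrong password is rejected by the store that knows the user.
User lists and passwords are constructed test data."""
import hmac

# Security > AAA > Local Net Users (constructed)
LOCAL_NET_USERS = {"alice": "local-pw"}
# What the LDAP server would answer for a bind attempt (constructed stand-in)
LDAP_DIRECTORY = {"alice": "ldap-pw", "bob": "ldap-pw"}


def _check(store, user, password):
    """Common contract for a credential store:
    'not-found' (unknown user), 'reject' (known user, bad password) or 'accept'."""
    stored = store.get(user)
    if stored is None:
        return "not-found"
    return "accept" if hmac.compare_digest(stored, password) else "reject"


def local_lookup(user, password):
    return _check(LOCAL_NET_USERS, user, password)


def ldap_lookup(user, password):
    # A real backend would search the user base DN and bind as that user.
    return _check(LDAP_DIRECTORY, user, password)


BACKENDS = {"LOCAL": local_lookup, "LDAP": ldap_lookup}


def authenticate(user, password, priority=("LOCAL", "LDAP")):
    """Walk the configured priority order. Returns (store_that_decided, result);
    store is None only when no store knew the user."""
    for name in priority:
        result = BACKENDS[name](user, password)
        if result != "not-found":
            return name, result
    return None, "not-found"


if __name__ == "__main__":
    for creds in [("alice", "local-pw"), ("alice", "ldap-pw"), ("bob", "ldap-pw"), ("carol", "x")]:
        print(creds[0], "LOCAL,LDAP ->", authenticate(*creds),
              "| LDAP only ->", authenticate(*creds, priority=("LDAP",)))
```

The practical consequence is that a user who exists in both stores is always judged by the first store that lists them, so stale local entries shadow the directory; keep the local list small and audit it when moving accounts to LDAP.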
Security > AAA > LDAP
WLAN > Edit
Summary
802.1X keeps the port blocked, passing only EAPOL traffic, until the client has authenticated.
EAP provides a framework that carries the messages of an authentication method between the client and the authentication server, so the authenticator relays the exchange without having to understand the method.
WLAN controllers can relay the wireless client authentication task to an external RADIUS server.
WLAN controllers can also be configured to handle EAP locally, based on an internal user database or an external LDAP server.