Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD
Federico Ziliotto, Technical Solutions Architect, CCIE 23280 (Wireless, R&S)
BRKEWN-2005 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session.
1. Find this session in the Cisco Events Mobile App.
2. Click "Join the Discussion".
3. Install Webex Teams or go directly to the team space.
4. Enter messages/questions in the team space.

Federico ➔ Fede
• 12+ years at Cisco:
• 4 years as a Customer Support Engineer (CSE);
• 3 years as a Specialized Systems Engineer;
• 5 years as a Consulting Systems Engineer (CSE);
• ~1 year as a Technical Solutions Architect (TSA);
• FISE (Family IT Support Engineer).
Always focused on Wireless and NAC. Very, very amateur photography enthusiast.

Wireless Security is like Family IT Support
• We get a lot of asks.
• Sometimes we simply need to understand the question.
• The more relaxed, the easier it gets.

Session Objectives
What this session will cover:
• AP and WLC secure connection;
• wireless radio threats;
• secure/open SSID fundamentals;
• client secure connection options;
• use cases;
• mainly AireOS and IOS-XE.
What it won't cover (except when it does):
• configuration details;
• version discrepancies;
• roadmap;
• not too much for guests.
Related sessions: BRKEWN-2010, BRKIP6-2191, BRKEWN-2014.

Session Abstract (For your reference)
• Learn how to design a secure wireless network from A to Z.
• In this session we will cover some of the major threats associated with wireless networks and the tools we have to mitigate and prevent them, such as rogue AP detection, wIPS and spectrum intelligence.
• We will also take a look at the principles of secured wireless networks (encryption, 802.1X, guest access, etc.) and dive into the latest identity services available to address different kinds of devices (laptops, tablets, smartphones, etc.) and users (employees, guests, contractors, etc.).
• Prerequisites: knowledge of 802.11 and 802.1X fundamentals is recommended.

Disclaimer – new kid on the block (see BRKEWN-2670)
• Catalyst 9800 Wireless Controllers are based on IOS-XE.
• They support (almost) the same security features as the AireOS based Wireless LAN Controllers (i.e., Mobility Express, vWLC, 3504, 5520, 8540).
• Dedicated references will be provided for specific configuration examples.

For your reference
• There are slides in your PDF that will not be presented, or only quickly presented.
• They are valuable, but included only "For your reference".

We do everything by the book... (For your reference)
http://www.ciscopress.com/store/ccie-wireless-v3-study-guide-9781587206207

Agenda
• Secure the infrastructure
• Secure the clients
• Use cases

Secure the infrastructure

Securing the infrastructure
• How to secure the AP connectivity and access.
• How to secure the communication between the WLC and the AP: the Access Point (AP) and the Wireless LAN Controller (WLC) talk CAPWAP, with control messages on UDP 5246 and data encapsulation on UDP 5247.
• How to secure the radio: intrusion detection/prevention; rogue access points; interferences.
WLC connectivity and access (For your reference)
Whether WLC management (HTTP / HTTPS / telnet / SSH) is reachable from wireless clients, or from wired clients on the same subnet as a dynamic interface, is controlled by two switches; enable them only when needed:
(Cisco Controller) >config network mgmt-via-wireless enable
(Cisco Controller) >config network mgmt-via-dynamic-interface enable *
* Available via CLI only, and needed when sourcing RADIUS traffic from a dynamic interface instead of the management one.

WLC connectivity and access (For your reference)
Restrict management requests (HTTP / HTTPS / telnet / SSH) to specific networks/clients through CPU ACLs:
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109669-secure-wlc.html#t4
Logical example (not a real configuration):
• deny tcp [other client subnets] [WLC mgmt IP] eq 443
• deny tcp [other client subnets] [WLC mgmt IP] eq 22
• permit ip any any (otherwise you may lock a lot of things out, e.g. RADIUS, CAPWAP and DHCP toward the WLC!)

WLC management authentication / authorization – AireOS WLC (For your reference)
• Local DB: read-only or read-write users.
• RADIUS: Fail / Success + privileges (RO / RW). Config. example: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71989-manage-wlc-users-radius.html
• TACACS+: Fail / Success + task access *. Config. example: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/91631-uwn-tacacs-config.html
* Tasks are the WLC's menu tabs. Even when tasks are not explicitly authorized, users have RO access to them. RO access to a task grants RO access to all its sub-menus; RW access to a task grants RW access to all its sub-menus.
C9800 management authentication / authorization – IOS-XE (For your reference)
• Local DB: GUI read-only / read-write; CLI privilege levels 0-15.
• RADIUS: Fail / Success + privileges (CLI).
• TACACS+: Fail / Success + command authorization (CLI).
• Read-only access to the GUI grants access to the Dashboard and Monitoring menus; read-write access to the GUI grants RW access to all menus.

AP management access (For your reference)

AP control at the access layer – a few words on 802.1X
Roles: Supplicant (endpoint), Authenticator (access switch), RADIUS Authentication Server. EAP over LAN (EAPoL) runs at Layer 2, point-to-(multi)point, between supplicant and authenticator; the authenticator relays the EAP payload to the server inside RADIUS over the Layer 3 link.
Beginning:
• EAPoL Start (supplicant → authenticator)
• EAPoL Request Identity (authenticator → supplicant)
• EAP-Response Identity: Printer → RADIUS Access-Request [AVP: EAP-Response: Printer]
Middle (multiple challenge/request exchanges possible):
• RADIUS Access-Challenge [AVP: EAP-Request: EAP-FAST] → EAP-Request: EAP-FAST
• EAP-Response: EAP-FAST → RADIUS Access-Request [AVP: EAP-Response: EAP-FAST]
End:
• RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n] → EAP Success

AP control at the access layer – 802.1X credentials for the AP (AireOS) *
The AP itself can act as the 802.1X supplicant toward the access switch:
AP# capwap ap dot1x username [USER] password [PWD]
* AireOS 8.6 for 802.11ac Wave 2 APs (EAP-FAST MS-CHAPv2, as for the other AP series); AireOS 8.7+ for EAP-TLS or PEAP MS-CHAPv2 support (802.11ac Wave 2 APs and later).
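The 802.1X exchange above shows the EAP-Response/Identity being carried to the server inside a RADIUS Access-Request. The following is an added example, not Cisco code and not part of the original deck: it builds that first Access-Request (User-Name, NAS-IP-Address, EAP-Message, Message-Authenticator) and shows the server-side check that the Message-Authenticator HMAC must pass before any EAP payload is trusted. The shared secret, NAS IP, identity "Printer" and the fixed Request Authenticator are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
# EAP codes and types (RFC 3748)
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_response_identity(eap_id, identity):
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def avp(attr_type, value):
    """RADIUS attribute: Type(1) Length(1, counts the 2 header bytes) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret, identity, nas_ip, radius_id=0, eap_id=1, request_authenticator=b""):
    """Authenticator -> server: Access-Request carrying the supplicant's EAP-Response/Identity.
    Message-Authenticator (RFC 3579) is HMAC-MD5 over the whole packet with the attribute zeroed;
    it is mandatory whenever EAP-Message is present, because EAP has no integrity protection of its own."""
    ra = request_authenticator or os.urandom(16)
    attrs = (avp(ATTR_USER_NAME, identity)
             + avp(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(ATTR_EAP_MESSAGE, eap_response_identity(eap_id, identity))
             + avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder, kept last on purpose
    pkt = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs)) + ra + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def parse_attributes(pkt):
    """Return (type, value) pairs; reject truncated or zero-length attributes."""
    attrs, i = [], 20
    while i < len(pkt):
        if i + 1 >= len(pkt):
            raise ValueError("truncated attribute header")
        t, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("malformed attribute")
        attrs.append((t, pkt[i + 2:i + length]))
        i += length
    return attrs


def verify_message_authenticator(secret, pkt):
    """Server side: recompute the HMAC with the received value zeroed and compare in constant time.
    Returns False when the attribute is missing or malformed; a server must then drop the request."""
    i = 20
    while i + 1 < len(pkt):
        t, length = pkt[i], pkt[i + 1]
        if length < 2:
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if length != 18 or i + 18 > len(pkt):
                return False
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(pkt[i + 2:i + 18], expected)
        i += length
    return False


def eap_identity_from_request(pkt):
    """Reassemble the EAP-Message fragments and extract the identity the supplicant claimed."""
    eap = b"".join(v for t, v in parse_attributes(pkt) if t == ATTR_EAP_MESSAGE)
    code, _eap_id, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY or length != len(eap):
        raise ValueError("not an EAP-Response/Identity")
    return eap[5:]
```

The identity in EAP-Response/Identity is unauthenticated at this stage (anyone can claim to be "Printer"); only the later EAP method proves it, which is why the RADIUS server must authorize on the authenticated identity and not on the outer User-Name.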
AP control at the access layer – 802.1X credentials for the AP (IOS-XE)
The same AP-side command applies when the AP joins a C9800:
AP# capwap ap dot1x username [USER] password [PWD]

AP control at the access layer – the FlexConnect challenge
A FlexConnect AP "needs" a trunk port, while 802.1X (usually) needs an access port:
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 ...

AP control at the access layer – the FlexConnect challenge
Switch: "What do you think?" – AP: "Here I am." – RADIUS server: "Accept. Here is the interface template *"
The server returns the template name, and the switch applies it to the port once the AP is authenticated:
cisco-av-pair=interface-template-name=FLEXCONNECT_AP_TRUNK_TEMPLATE
template FLEXCONNECT_AP_TRUNK_TEMPLATE
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,110,120,130
 switchport mode trunk
 spanning-tree portfast trunk
* IOS 15.2(2)E+

Securing the AP-WLC communication – CAPWAP tunnels (see BRKEWN-2010, BRKEWN-2670)
• CAPWAP control (UDP 5246) is always protected by DTLS.
• CAPWAP data (UDP 5247) is clear text unless data DTLS is enabled, in which case client traffic between AP and WLC is encrypted too.
AireOS: config ap link-encryption enable all/[AP-NAME]
IOS-XE: the same data link encryption option is set in the AP join profile.
Securing the AP-WLC communication – Manufacturer Installed Certificate (MIC)
By default the DTLS sessions for CAPWAP control (UDP 5246) and, when enabled, CAPWAP data (UDP 5247) are authenticated with the Manufacturer Installed Certificates of the AP and of the WLC.

Securing the AP-WLC communication – Locally Significant Certificate (LSC) – AireOS
Instead of the MIC, APs and WLC can be enrolled with certificates issued by your own PKI. Example: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html

Securing the AP-WLC communication – Locally Significant Certificate (LSC) – IOS-XE
"You told me it was simple!!!"
conf t
crypto key generate rsa general-keys exportable modulus 2048 label LSC_RSA_KEY
crypto pki trustpoint LSC_TRUSTPOINT
 enrollment url http://10.150.20.101/certsrv/mscep/mscep.dll
 subject-name C=FR,ST=IdF,L=Paris,O=Lab,CN=C9800-CL-A/emailAddress=lab@rackwifi.cisco.com
 rsakeypair LSC_RSA_KEY
 revocation-check none
 exit
crypto pki authenticate LSC_TRUSTPOINT
! % Do you accept this certificate? [yes/no]: yes
crypto pki enroll LSC_TRUSTPOINT
! Password:
! Re-enter password:
! % Include the router serial number in the subject name? [yes/no]: yes
! % Include an IP address in the subject name? [no]: no
! Request certificate from CA? [yes/no]: yes
ap lsc-provision join-attempt 0
ap lsc-provision key-size 2048
ap lsc-provision subject-name-parameter country FR state IdF city Paris domain Sales org Lab email-address lab@rackwifi.cisco.com
ap lsc-provision trustpoint LSC_TRUSTPOINT
Note: "revocation-check none" disables CRL/OCSP checking for this trustpoint, so a revoked AP certificate would still be accepted; fine for a lab, reconsider in production. "join-attempt 0" means an AP failing to join with its LSC does not fall back to the MIC.
For Microsoft CA and MSCEP setup, please still refer to: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html

Securing the AP-WLC communication – Locally Significant Certificate (LSC) – IOS-XE
ap lsc-provision
! In Non-WLANCC mode APs will be provisioned with RSA certificates with the specified key-size configuration.
! In WLANCC mode APs will be provisioned with EC certificates with a 384 bit key by default, or a 256 bit key if configured.
! Are you sure you want to continue? (y/n): y
! POINT OF NO RETURN: APs will request LSCs and reboot configured to use those LSCs
wireless management trustpoint LSC_TRUSTPOINT
To revert back to the MIC:
no ap lsc-provision
no ap lsc-provision join-attempt 0
no ap lsc-provision key-size 2048
no ap lsc-provision subject-name-parameter country FR state IdF city Paris domain Sales org Lab email-address lab@rackwifi.cisco.com
no ap lsc-provision trustpoint LSC_TRUSTPOINT
wireless management trustpoint ewlc-default-tp
For Microsoft CA and MSCEP setup, please still refer to: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html

Securing the AP-WLC communication – AireOS: Default AP Group and WLAN Id > 16
• Default AP Group → WLAN Id 1-16: a newly joined AP lands in the default AP group and immediately broadcasts every WLAN with Id 1-16.
• Cisco Live AP Group → WLAN Id 17+: WLANs with Id 17 and above are only served by APs in an AP group that explicitly maps them, so an AP that has not been placed in a production AP group does not expose them.

Securing the AP-WLC communication – AireOS: Out-of-Box AP Group and RF Profile (v7.3+) (For your reference)
• Out-of-Box AP Group → radios disabled.
• Cisco Live AP Group → radios enabled.
• A newly joined AP is placed in the Out-of-Box AP group with its radios disabled until it is moved to a production AP group.
Example: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/radio_resource_management.html#ID2870

APIC-EM Plug-n-Play (PnP) (For your reference) – AireOS 8.2+
• AP SN #123 → config file (WLC IP, Cisco Live AP Group, etc.) → joins the WLC in the Cisco Live AP Group.
• AP SN #456 → not in any project list → placed in the APIC-EM claim list until an administrator claims it.
• The AP finds the APIC-EM IP through DHCP option 43, or through DNS resolution of pnpserver.<dhcp-domain-option>.
AP PnP Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_APIC-EM-PNP-deployment-guide.html

Securing the AP-WLC communication – IOS-XE: Default Policy Tag (see BRKEWN-2670)
• default-policy-tag → no WLANs; Cisco-Live-Policy-Tag → WLANs.
• The Policy Tag assigned to an AP defines which WLANs are served by that AP.
• The Policy Tag also ties a WLAN to a Policy Profile.
• The Policy Profile defines the traffic behavior for a WLAN (e.g., switching mode, VLAN, anchor, QoS, ACL, etc.).

Wireless connection workflow (IDS/aWIPS focus)
Endpoint ↔ AP over 802.11; AP ↔ WLC over CAPWAP (control messages on UDP 5246, data encapsulation on UDP 5247).
• Probe Request / Probe Response (probe requests are forwarded to the WLC)
• Authentication Request / Response (802.11 authentication; not the 802.1X authentication, but relevant in case of PSK)
• (Re)Association Request / Response
• 802.1X phase, if enabled
• EAPoL Key exchange (4-way handshake), in case of PSK or 802.1X
• Other identity services

Intrusion Detection System (IDS) – AireOS
• It works with a basic WLC+AP deployment.
• 17 pre-canned signatures.
• Additional custom signatures are supported.

Intrusion Detection System (IDS) – custom signatures – AireOS
Name = "EAPOL flood", Ver = 0, Preced= 12, FrmType = data, Pattern = 0:0x0108:0x03FF, Pattern = 30:0x888E:0xFFFF, Freq=50, Quiet = 300, Action = report, Desc="EAPOL Flood Attack"
Fields:
• FrmType: frame type.
• Freq: number of frames per interval (the interval is 1 sec by default if not configured).
• Pattern = offset:value:mask: offset from the beginning of the frame, mask to apply to the bytes at that offset, and the result to obtain; additional patterns can be chained and must all match.
• Quiet: period of time (in secs) during which the pattern must not occur for the alarm to stop.
IDS Signatures Tech Note: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html
AireOS 8.5 Configuration Guide: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/wireless_intrusion_detection_system.html

Adaptive Wireless Intrusion Prevention System – aWIPS with AireOS
Threat categories covered:
• Ad-hoc wireless bridge: client-to-client backdoor access.
• Evil twin / honeypot AP: the hacker's AP impersonating the network.
• Reconnaissance: seeking network vulnerabilities.
• Rogue access points: backdoor access.
• Denial of service: service disruption.
• Cracking tools.
• Sniffing and eavesdropping.
• Non-802.11 attacks (Bluetooth, microwave, RF jammers, radar): service disruption; detected by CleanAir and tracked by the MSE.

aWIPS with Mobility Services Engine (MSE) 8.0 – AireOS
APs report to their WLCs, the WLCs feed the MSE, and Prime Infrastructure talks to the MSE over SOAP/XML over HTTP/HTTPS.

Supported AP modes for aWIPS – AireOS
(table: four AP mode columns; data served on 2.4 and 5 GHz, on 2.4 and 5 GHz, on 5 GHz only, and on 2.4 and 5 GHz; wIPS on all channels in each case, "best effort" for the last one)
Cisco Adaptive wIPS Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/wips/deployment/guide/WiPS_deployment_guide.html#pgfId-43500

aWIPS could be like subscribing to shark insurance...
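To make the signature fields concrete, here is an added example (not WLC code and not part of the original deck) that parses the "EAPOL flood" signature line above, applies its offset:value:mask patterns to captured 802.11 frames, and implements the Freq-per-interval alarm and Quiet-period clearing the slide describes. Two things are assumptions rather than documented behaviour: the Frame Control word at offset 0 is read little-endian as 802.11 defines the field (which is the reading under which 0x0108 masked with 0x03FF means "data frame, ToDS set"), while the LLC/SNAP EtherType at offset 30 is read in network byte order; and the sample frames are constructed for the example.

```python
import re
import struct

EAPOL_FLOOD = ('Name = "EAPOL flood", Ver = 0, Preced= 12, FrmType = data, '
               'Pattern = 0:0x0108:0x03FF, Pattern = 30:0x888E:0xFFFF, '
               'Freq=50, Quiet = 300, Action = report, Desc="EAPOL Flood Attack"')


def parse_signature(line):
    """Return the signature as a dict; 'patterns' holds (offset, value, mask) tuples."""
    sig = {"patterns": []}
    for key, val in re.findall(r'(\w+)\s*=\s*("[^"]*"|[^,]+)', line):
        val = val.strip().strip('"')
        if key == "Pattern":
            off, value, mask = val.split(":")
            sig["patterns"].append((int(off), int(value, 16), int(mask, 16)))
        elif key in ("Ver", "Preced", "Freq", "Quiet", "Interval"):
            sig[key] = int(val)
        else:
            sig[key] = val
    sig.setdefault("Interval", 1)  # seconds; the slide's default when Interval is absent
    return sig


def field16(frame, offset):
    """16-bit word at offset. Assumption: offset 0 (Frame Control) is little-endian per 802.11,
    every other offset (e.g. the SNAP EtherType at 30) is network byte order."""
    if len(frame) < offset + 2:
        return None
    return struct.unpack_from("<H" if offset == 0 else ">H", frame, offset)[0]


def matches(sig, frame):
    """All chained patterns must match: (word & mask) == value."""
    for off, value, mask in sig["patterns"]:
        word = field16(frame, off)
        if word is None or (word & mask) != value:
            return False
    return True


class SignatureAlarm:
    """Freq matching frames inside one Interval raise the alarm; Quiet seconds without a match clear it."""

    def __init__(self, sig):
        self.sig = sig
        self.hits = 0
        self.window_start = None
        self.last_hit = None
        self.active = False
        self.events = []  # ("alarm", ts, name, action) or ("clear", ts)

    def status(self, ts):
        if self.active and ts - self.last_hit >= self.sig["Quiet"]:
            self.active = False
            self.events.append(("clear", ts))
        return self.active

    def feed(self, ts, frame):
        self.status(ts)
        if not matches(self.sig, frame):
            return self.active
        if self.window_start is None or ts - self.window_start >= self.sig["Interval"]:
            self.window_start, self.hits = ts, 0      # new counting interval
        self.hits += 1
        self.last_hit = ts
        if self.hits >= self.sig["Freq"] and not self.active:
            self.active = True
            self.events.append(("alarm", ts, self.sig["Name"], self.sig["Action"]))
        return self.active


def eapol_data_frame(bssid=b"\x00\x11\x22\x33\x44\x55"):
    """Constructed ToDS data frame carrying an EAPOL-Start: 24-byte header, LLC/SNAP, EtherType 0x888E at byte 30."""
    fc = struct.pack("<H", 0x0108)  # protocol 0, type data, subtype 0, ToDS=1
    header = fc + b"\x00\x00" + bssid + b"\xaa" * 6 + b"\xff" * 6 + b"\x10\x00"
    llc_snap = b"\xaa\xaa\x03\x00\x00\x00" + struct.pack(">H", 0x888E)
    return header + llc_snap + b"\x01\x01\x00\x00"  # EAPOL v1, type Start, length 0


def ip_data_frame():
    """Same frame with an IPv4 EtherType: must not match the signature."""
    frame = bytearray(eapol_data_frame())
    frame[30:32] = struct.pack(">H", 0x0800)
    return bytes(frame)
```

Note what the Quiet period implies for operations: a signature with Quiet = 300 keeps one alarm open for five minutes after the last matching frame, so a slow trickle of EAPOL frames from a legitimately misbehaving client can keep the alarm permanently raised; tune Freq and Interval to the real handshake rate of the cell before turning Action from report to a containing action.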
IDS and aWIPS Signatures – AireOS (For your reference)
IDS signatures are configured on the WLC; wIPS signatures are configured on the MSE.

aWIPS Forensics – AireOS (For your reference)

IDS vs. aWIPS ELM vs. aWIPS Monitor – AireOS (For your reference)
(columns: IDS | wIPS ELM | wIPS Monitor)
• Client servicing: Yes | Yes | No
• Rogue detection and containment: Yes | Yes | Yes
• Attack detection (number of attacks): 17 | 39 | 45
• MSE needed: No | Yes | Yes
• Prime needed: No | Yes | Yes
• Attack encyclopedia in alerts: No | Yes | Yes
• Forensics: No | Yes | Yes
• Event correlation: No | Yes | Yes
• FlexConnect support: Yes | Yes | N/A
Comparison of attacks detected by IDS and by wIPS: http://www.cisco.com/c/en/us/td/docs/wireless/mse/8-0/MSE_wIPS/MSE_wIPS_8_0/MSE_wIPS_7_6_chapter_01010.html#concept_EF3A934E00C64036B7438C5A634296F1

Attacks not supported in aWIPS ELM – AireOS (For your reference)
Examples (alarm number – alarm name):
• 95 – CTS_FLOOD
• 112 – VIRTUAL_CARRIER
• 115 – QUEENSLAND
• 157 – RTS_FLOOD
• 102 – AIRSNARF_ATTACK
• 113 – FAKE_DHCP_SERVER
Full list: http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113027-wips-00.html#attacks

IPS with ISE (For your reference) (see BRKSEC-3300)
FirePOWER/FireSIGHT report events to ISE over syslog and pxGrid; ISE then remediates the endpoint on the WLC through RADIUS CoA.
Design and deployment guides:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200240-ISE-and-FirePower-integration-remediat.html
https://communities.cisco.com/servlet/JiveServlet/downloadBody/68293-102-1-125511/How-To_pxGrid_SourceFire.pdf

Rogue Access Points – what are they?
• A rogue AP is an AP that does not belong to our deployment ("I don't know it." "Me neither.").
• We might need to care (malicious / on network) or not (friendly).
• Sometimes we can disable them, sometimes we can only mitigate them.

Rogue AP Detection – rogue rules in the WLC and general options (AireOS)

Rogue AP Detection – rogue rules in IOS-XE

Rogue AP Detection – Rogue Location Discovery Protocol (RLDP)
A detecting AP associates to the rogue AP as a client and sends an RLDP message (UDP 6352) toward the WLC; if the message reaches the WLC through the rogue, the rogue is on our wired network.
Caveats:
• it only works if the rogue SSID is open;
• it does not work if the RLDP message gets filtered;
• while trying to associate to the rogue AP, the RLDP AP stops serving clients (up to 30 secs);
• deprecated for 802.11ac Wave 2 APs;
• supported on IOS-XE too, for 802.11ac Wave 1 APs.

Rogue AP Detection – Rogue Detector mode (For your reference)
A Rogue Detector AP is connected to a trunk carrying all monitored VLANs (WLC, AP, client, etc.) and looks for ARP traffic from the MAC addresses of rogue clients reported over the air; a match means the rogue is bridged onto our wire.
Caveats:
• it only works if the rogue client's MAC is not behind NAT;
• it supports up to 500 rogue MACs;
• deprecated for 802.11ac Wave 2 APs and IOS-XE.
Config. guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/roguedetection_deploy/Rogue_Detection.html

Rogue AP Detection – Switch Port Tracing (For your reference)
Prime Infrastructure follows CDP neighbors and switch CAM tables hop by hop (next hop from each CAM table) to locate the switch port behind which the rogue is connected.

CleanAir
(figure: APs on channels 1, 6 and 11 with RRM, before an interferer appears)
CleanAir
(figure: an interferer shows up; RRM reassigns channels 11, 6 and 1)
CleanAir
(figure: the interferer on channel 6 is marked with an X and RRM moves the affected AP away from it)

Event Driven RRM (EDRRM) – AireOS
Sensitivity thresholds: High: Air Quality ≤ 60; Medium: Air Quality ≤ 50; Low: Air Quality ≤ 35.
Rogue AP's duty cycle contribution, available as of AireOS 8.1.

Event Driven RRM (EDRRM) – IOS-XE
Same thresholds: High: Air Quality ≤ 60; Medium: Air Quality ≤ 50; Low: Air Quality ≤ 35.
Rogue AP's duty cycle contribution.

CleanAir detectable attacks – some examples (see BRKEWN-3010)
• IP and application attacks & exploits (Layer 3-7): traditional IDS/IPS.
• Wi-Fi protocol attacks & exploits (Layer 2): wIPS.
• RF signaling attacks & exploits (Layer 1): CleanAir, dedicated to L1 exploits: rogue threats ("undetectable" rogues), Wi-Fi jammers and "classic" interferers on 2.4 GHz and 5 GHz.

Management Frame Protection (MFP) – AireOS (For your reference)
• Infrastructure MFP: an additional Message Integrity Check (MIC) is added to the management frames sent by the APs, so other APs can flag spoofed ones.
• Client MFP: management frames exchanged with associated/authenticated CCXv5 clients are encrypted, so the client itself discards spoofed ones.
(figure: MFP protected enterprise network with CCXv5 clients)

IEEE 802.11w – Protected Management Frames (PMF) (For your reference)
• Client protection with additional cryptography for deauthentication and disassociation frames.
• Infrastructure protection with a Security Association (SA) teardown mechanism.
(figure: 802.11w protected enterprise network)
IEEE 802.11w – what we get (For your reference)
• Client protection: the AP adds cryptographic protection to Deauthentication and Disassociation frames, preventing them from being spoofed in a DoS attack.
• Infrastructure protection: a Security Association (SA) teardown protection mechanism, consisting of an Association Comeback Time and an SA Query procedure, prevents a spoofed Association or Authentication request from disconnecting an already connected client.

Security Association (SA) Teardown Protection (For your reference)
Wireless network behavior prior to 802.11w:
• If an AP received either an Association or an Authentication request from an already associated client, it would terminate the existing connection and then start a new one.
• This allowed for an effective DoS attack on the network; SA teardown protection prevents this type of attack.
With 802.11w, if the STA is associated (with a valid SA and MFP negotiated) and the AP receives either an Association or an Authentication request for this STA:
• The AP rejects the Association Request with status code 30, "Association request rejected temporarily; try again later".
• The Association Response includes an Association Comeback Time information element specifying when the AP will be ready to accept an association from this STA.
SA Query (For your reference)
• 802.11w adds an SA Query Action frame to check that the STA is the real STA, not a rogue client, during the Association Comeback Time (the interval, announced in the Association Response to an already associated client, before the association can be tried again).
• Once the Association Request is rejected with status code 30, the AP sends an SA Query Request Action frame to the STA and the STA responds with an SA Query Response Action frame (or vice versa). Only the station holding the PTK can produce a valid response.
• Three scenarios are considered:
  • If a valid SA Query Response is not received within the SA Query timeout, tear down the client (send a disassociation) and treat a new association request as a fresh association.
  • If a valid SA Query Response is received within the SA Query timeout, do not send a new SA Query until the SA Query process starts again; an association request received before the timeout expires is dropped.
  • If an association request arrives after the Association Comeback Time, refuse it again with status code 30 and start a new SA Query.

IEEE 802.11w – official support in AireOS and IOS-XE (For your reference)
• As of WLC 7.4, 802.11w is supported on all 802.11n capable APs and beyond:
  • except those configured for FlexConnect operation, which is not supported;
  • the AP1130 and AP1240 are not 11n capable and are also not supported.
• 802.11w is supported on the 3504, 5520, 8540 and C9800 Wireless Controller platforms.
• The 7500 and vWLC do not support 11w, as they are designed to support FlexConnect APs only and FlexConnect is not supported.
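The SA teardown protection and SA Query rules above are easiest to check as a small state machine. The following is an added example, not controller code and not part of the original deck: an AP that holds a PMF-protected association answers a spoofed (Re)Association Request with status 30 and a comeback time, probes the real station with an SA Query, drops further requests inside the comeback window, and only tears the SA down when no valid SA Query Response arrives in time. The pre-802.11w behaviour is kept for stations without MFP to show the DoS it allows. Timer values, station MACs and transaction ids are constructed assumptions.

```python
STATUS_SUCCESS = 0
STATUS_REJECTED_TEMPORARILY = 30   # "Association request rejected temporarily; try again later"
SA_QUERY_TIMEOUT = 0.2             # seconds; assumed value
COMEBACK_TIME = 1.0                # seconds; assumed value carried in the Association Comeback Time IE


class Station:
    def __init__(self, mac, pmf):
        self.mac = mac
        self.pmf = pmf               # MFP negotiated for this SA
        self.sa_query_tid = None     # transaction id of an outstanding SA Query, None when idle
        self.sa_query_sent = 0.0
        self.comeback_until = 0.0


class AccessPoint:
    def __init__(self):
        self.stations = {}   # MAC -> Station with a live SA
        self.log = []
        self._tid = 0

    def _expire(self, now):
        """No valid SA Query Response within the timeout: tear the SA down (send a disassociation)."""
        for mac, sta in list(self.stations.items()):
            if sta.sa_query_tid is not None and now - sta.sa_query_sent >= SA_QUERY_TIMEOUT:
                self.log.append(("disassociate", mac))
                del self.stations[mac]

    def assoc_request(self, mac, now, pmf=True):
        """Returns (status code, comeback time); status None means the frame was dropped."""
        self._expire(now)
        sta = self.stations.get(mac)
        if sta is None:                      # no SA yet: fresh association
            self.stations[mac] = Station(mac, pmf)
            return STATUS_SUCCESS, None
        if not sta.pmf:                      # pre-802.11w: one unauthenticated frame kills the SA
            self.log.append(("teardown", mac))
            self.stations[mac] = Station(mac, pmf)
            return STATUS_SUCCESS, None
        if now < sta.comeback_until:         # inside the comeback window: drop it
            return None, None
        self._tid += 1                       # reject temporarily and ask the real STA to prove it is alive
        sta.sa_query_tid, sta.sa_query_sent = self._tid, now
        sta.comeback_until = now + COMEBACK_TIME
        self.log.append(("sa_query_request", mac, self._tid))
        return STATUS_REJECTED_TEMPORARILY, COMEBACK_TIME

    def sa_query_response(self, mac, tid, now):
        """A valid response carries the right transaction id and, on the air, a MIC only the PTK holder can compute."""
        sta = self.stations.get(mac)
        if sta is None or sta.sa_query_tid != tid or now - sta.sa_query_sent >= SA_QUERY_TIMEOUT:
            return False                     # unknown, stale or mismatched: ignore
        sta.sa_query_tid = None              # the real STA answered, keep its SA
        return True

    def is_associated(self, mac):
        return mac in self.stations
```

The point of the comeback time is that a legitimate client which really did reboot is only delayed, never locked out: it cannot answer the SA Query (it lost the PTK), so the old SA expires after one timeout and its next request is accepted as a fresh association.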
Some words on KRACK (Key Reinstallation Attacks) (For your reference)
• "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2": https://papers.mathyvanhoef.com/ccs2017.pdf
• 10 vulnerabilities.
• Only 1 vulnerability affects the infrastructure side (i.e., the AP), and only for 802.11r (fast transition).
• 9 vulnerabilities affect clients, but not all OSes are vulnerable to the same extent (e.g., Windows 7 and 10 are vulnerable to fewer attacks than wpa_supplicant).
• Cisco's official communication: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa (vulnerabilities referenced as CVE-2017-13077 to 82, CVE-2017-13084 and CVE-2017-13086 to 88)

KRACK: example of forcing a nonce reuse (For your reference)
Normal 4-way handshake (r = replay counter):
• EAPoL M1 (r, ANonce): the client derives the PTK.
• EAPoL M2 (r, SNonce): the AP derives the PTK.
• EAPoL M3 (r+1, GTK): the client installs PTK & GTK.
• EAPoL M4 (r+1): the AP installs the PTK.
• The client sends its first data frame, Enc PN [Data(...)].
Attack: the attacker keeps M4 from reaching the AP, so the AP retransmits EAPoL M3 (r+2, GTK); the client accepts it (higher replay counter), re-installs PTK & GTK, which resets its packet number, sends Enc PN+1 [EAPoL M4 (r+2)], and then encrypts the next data frame as Enc PN [Data(...)] again: the same packet number is reused under the same key. The AP, which eventually receives the original EAPoL M4 (r+1), installs the PTK and everything looks normal.
PN = Packet Number for CCM (a.k.a. "nonce" in the research paper).

Protection and mitigation options against KRACK (For your reference)
• To fix the one vulnerability affecting the APs (Cisco's ref. CVE-2017-13082), either disable 802.11r or apply an AireOS version integrating the fix:
  • 8.0.152.0+
  • 8.2.166.0+
  • 8.3.133.0+
  • 8.5.105.0 (or any other higher version/train)
Note: any wireless station/AP using 802.11r is affected by this vulnerability, unless fixed by the vendor.

Protection and mitigation options against KRACK (For your reference)
• To mitigate 5 of the client vulnerabilities (Cisco's ref. CVE-2017-13077 to 81):
  • Configure EAPoL message retries to exclude retransmissions, so the AP never retransmits the M3 the attack relies on.
Up until AireOS 7.6, it's a global command:
config advanced eap eapol-key-retries 0
config advanced eap eapol-key-timeout 1000
(a timeout of 1000 ms is usually enough, but this could change according to other specific needs)
As of AireOS 7.6, this is supported on a per WLAN basis:
config wlan disable <WLAN id>
config wlan security eap-params enable <WLAN id>
config wlan security eap-params eapol-key-retries 0 <WLAN id>
config wlan security eap-params eapol-key-timeout 1000 <WLAN id>
config wlan enable <WLAN id>
Caveat: with 0 retries, a client whose M4 is lost is not offered a retransmitted M3 but is dropped after the timeout and must redo the whole handshake, so expect more reconnections on lossy links.

Protection and mitigation options against KRACK (For your reference)
To mitigate 5 of the client vulnerabilities (Cisco's ref. CVE-2017-13077 to 81):
• Configure EAPoL message retries to exclude retransmissions.
• Configure rogue AP detection rules: the attack relies on a rogue AP that clones our AP's MAC on another channel to sit in the middle, which the WLC reports as AP impersonation.
Example of SNMP trap message from the WLC:
...
Impersonation of AP with Base Radio MAC de:ad:be:ef:de:ad using source address of de:ad:be:ef:de:ad has been detected
...

Wi-Fi Protected Access (WPA) 3
Coming up with AireOS, IOS-XE and 802.11ac Wave 2 APs or later.
• New Wi-Fi Alliance (WFA) certification.
• It certifies security options defined in the IEEE 802.11-2016 standard.
• 3 main innovations:
  • Simultaneous Authentication of Equals (SAE) for WPA3-Personal (a variant of the Dragonfly handshake, resistant to offline dictionary attacks);
  • Protected Management Frames (PMF) now mandatory with WPA3 (already available, but not always enforced, with WPA2);
  • 192-bit security equivalent for WPA3-Enterprise (256-bit AES-GCM + 384-bit elliptic curves + SHA-384 + 3072-bit RSA keys).
WPA3-Personal == WPA3 PSK based SSID; WPA3-Enterprise == WPA3 802.1X based SSID.

Wi-Fi Certified Easy Connect
• Another WFA certification, not part of WPA3.
• Mostly targeted at home/IoT networks.
• A Configurator (e.g., a smartphone) delivers a configuration profile to each Enrollee (the device being onboarded).

Wi-Fi Certified Enhanced Open
Coming up along with WPA3.
• Another WFA certification, not part of WPA3.
• Mostly targeted at hotspots.
• Based on Opportunistic Wireless Encryption (OWE): APs and clients automatically negotiate encryption on an open SSID, with no credentials to distribute.
• It prevents passive attacks (i.e., traffic visibility). It does not authenticate the AP, so an active attacker running its own OWE AP with the same SSID is not prevented; it is a replacement for open SSIDs, not for WPA3.
Secure the client

Client Context and Policies – control and enforcement
1. Identity: 802.1X / EAP machine and user authentication (or HTTP web authentication) from the endpoint, through the Access Point and the Wireless LAN Controller, to ISE over RADIUS.
2. Profiling to identify the device: ISE uses HTTP, NETFLOW, SNMP, DNS, DHCP, etc. to tell a company asset from a personal asset.
3. Posture of the device.
4. Policy decision: the company asset gets access to corporate resources at HQ; the personal asset gets Internet only.
5. Unified access management.
6. Enforcement: dACL, VLAN, SGA; full or partial access granted.

Wireless connection workflow (Access Control focus)
Endpoint ↔ AP over 802.11; AP ↔ WLC over CAPWAP (control messages on UDP 5246, data encapsulation on UDP 5247).
• Probe Request / Probe Response (probe requests are forwarded to the WLC)
• Authentication Request / Response (802.11 authentication; not the 802.1X authentication, but relevant in case of PSK)
• (Re)Association Request / Response
• 802.1X phase, if enabled
• EAPoL Key exchange, in case of PSK or 802.1X
• Other identity services

Secure or open SSID?
• A secure SSID cannot fall back to open. Example: guests not supporting 802.1X cannot fall back to web portal authentication on the same SSID as corporate users.
• Pre-shared keys (PSK) and keys derived from 802.1X are not supported together on the same SSID.
• On both types of SSIDs you can combine multiple identity services if needed. Examples: guest users going through posture assessment, employees going through MDM, employees going through a web portal after device authentication, etc.

Secure SSID and key management
• Pairwise Master Key (PMK) derived from the Pre-Shared Key (PSK): the same on every AP, for every client.
• PMK derived from 802.1X: taken from the keying material (MSK) the EAP method exports, so it is per client and per session.
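The two PMK sources above behave very differently for roaming, and the key-caching mechanisms that follow all hinge on the PMKID. As an added example (not controller code and not part of the original deck), the block below derives a PMK from a PSK with the PBKDF2 function defined by IEEE 802.11, takes a PMK from an 802.1X MSK, computes the PMKID a client advertises in its (re)association request, and shows the AP-side lookup that lets a roaming client skip 802.1X when a cached PMK matches. The "password"/"IEEE" pair is the standard's published test vector; the MAC addresses and the MSK are constructed.

```python
import hashlib
import hmac


def pmk_from_psk(passphrase, ssid):
    """IEEE 802.11: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Deterministic in passphrase and SSID, which is why a PSK WLAN needs no key distribution
    between controllers, and also why one leaked passphrase decrypts every client."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_from_msk(msk):
    """802.1X: the PMK is the first 256 bits of the MSK exported by the EAP method (EAP-TLS, PEAP, ...)."""
    if len(msk) < 32:
        raise ValueError("EAP methods used with 802.11 must export at least 32 bytes of MSK")
    return msk[:32]


def pmkid(pmk, ap_mac, sta_mac):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): the identifier a client puts in the
    RSN IE of its (re)association request to propose reuse of a PMK it already holds."""
    aa = bytes.fromhex(ap_mac.replace(":", ""))
    spa = bytes.fromhex(sta_mac.replace(":", ""))
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def cached_pmk_for(cache, ap_mac, sta_mac, offered_pmkids):
    """AP/WLC side of key caching: if one of the PMKIDs the client offers matches a PMK cached for
    that client (with this AP's MAC, as in OKC where the PMK is shared across APs of the mobility group),
    the 802.1X exchange is skipped and the 4-way handshake starts right away."""
    for pmk in cache.get(sta_mac, []):
        if pmkid(pmk, ap_mac, sta_mac) in offered_pmkids:
            return pmk
    return None


def roam(cache, sta_mac, pmk, from_ap, to_ap):
    """Client side of OKC: recompute the PMKID for the target AP from the PMK obtained on the first one."""
    offered = [pmkid(pmk, to_ap, sta_mac)]
    return cached_pmk_for(cache, to_ap, sta_mac, offered) is not None
```

Two consequences worth noting: with the PSK path, every AP trivially "caches" the same PMK, so key management is not a roaming problem but a secret-sharing one; with the 802.1X path, whether the roam is fast depends entirely on whether the target AP can see the PMK the client obtained elsewhere, which is exactly what the mobility group and the caching schemes on the next slide provide.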
Secure SSID – key management and roaming
• Mobility Group: up to 24 WLCs in the same Mobility Group
  ▪ With PSK there is no need for key management: keys are already statically defined.
  ▪ Pro-active/Opportunistic Key Caching (PKC/OKC)
    – Enabled with WPA2.
    – Available since Windows XP SP2.
    – Available on Samsung Galaxy S4 (Android 4.2.2).
  ▪ Cisco Centralized Key Management (CCKM)
    – Mostly used with 7921/7925/7926/8821 phones.
    – Available as of Samsung Galaxy S4 (Android 4.2.2).
  ▪ Sticky Key Caching (SKC)
    – Available as of Apple iOS 5.0.
  ▪ 802.11r
    – Available as of Samsung Galaxy S4 (Android 4.2.2) and Apple iPhone 4S (iOS 6.0).

Adaptive 802.11r
As of AireOS 8.3 (8.3MR1 for 1800/2800/3800 APs)
• The WLC/AP sends beacons with a specific CCX IE (understood by Apple only).
• A non-Apple device sends standard probes and association frames.
• An Apple device recognizes the CCX IE ("Cool, CCX IE ☺") and sends standard probes, but association frames with 802.11r info.
• Apple devices with iOS 10+ on: iPhone 6s (Plus) and later; iPad Pro and later; iPhone SE. https://support.apple.com/en-us/HT202628
Enterprise Best Practices for iOS Devices on Cisco Wireless LAN: https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-6/Enterprise_Best_Practices_for_iOS_devices_and_Mac_computers_on_Cisco_Wireless_LAN.pdf

Choosing the access control method
• 802.1X
• MAC Authentication Bypass (MAB)
• Web Authentication
• What to do next? (posture assessment, MDM, etc.)
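To make the key-management slides concrete, here is an added example (not code from the deck, nor from Cisco or any client vendor) of how a PMK is derived and how the PMKID used by key caching lets a client reassociate to another AP of the same WLC without a full authentication. The PBKDF2 and PMKID formulas are the IEEE 802.11-2016 ones for WPA2; the PMK is derived from a PSK only so the code is self-contained (with 802.1X the PMK comes from the EAP Master Session Key instead, and that is the case where OKC/SKC matter). The cache model, SSID, passphrase and MAC addresses are constructed for the example.

```python
# Added example (not from the Cisco Live deck): WPA2 PMK derivation and the PMKID
# used by key caching (PKC/OKC versus SKC) when a client roams between APs.
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def _mac(addr: str) -> bytes:
    return bytes.fromhex(addr.replace(":", "").replace("-", ""))


def pmkid(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """PMKID = Truncate-128(HMAC-SHA1(PMK, "PMK Name" || AA || SPA)) for the WPA2 AKMs."""
    msg = b"PMK Name" + _mac(ap_mac) + _mac(client_mac)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]


class PmkCache:
    """Controller-side cache (simplified model). OKC derives the PMKID for any AP from the
    client's cached PMK; SKC only knows the PMKIDs of APs the client already authenticated to."""

    def __init__(self):
        self.pmk_by_client = {}   # client MAC -> PMK learnt from the initial full authentication
        self.skc_entries = {}     # (client MAC, AP MAC) -> PMKID

    def full_auth(self, client_mac: str, ap_mac: str, pmk: bytes):
        self.pmk_by_client[client_mac] = pmk
        self.skc_entries[(client_mac, ap_mac)] = pmkid(pmk, ap_mac, client_mac)

    def okc_hit(self, client_mac: str, ap_mac: str, presented: bytes) -> bool:
        pmk = self.pmk_by_client.get(client_mac)
        return pmk is not None and hmac.compare_digest(pmkid(pmk, ap_mac, client_mac), presented)

    def skc_hit(self, client_mac: str, ap_mac: str, presented: bytes) -> bool:
        cached = self.skc_entries.get((client_mac, ap_mac))
        return cached is not None and hmac.compare_digest(cached, presented)


def roaming_demo() -> dict:
    """Client authenticates on AP1, roams to AP2 (never visited), then back to AP1.
    Returns which caching strategy would skip the full authentication at each step."""
    ssid, passphrase = "Employee-SSID", "correct horse battery staple"      # constructed
    client, ap1, ap2 = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
    pmk = derive_pmk(passphrase, ssid)
    cache = PmkCache()
    cache.full_auth(client, ap1, pmk)
    # The client keeps the same PMK and computes the PMKID of whichever AP it reassociates to.
    to_ap2 = pmkid(pmk, ap2, client)
    back_to_ap1 = pmkid(pmk, ap1, client)
    return {
        "okc_ap2": cache.okc_hit(client, ap2, to_ap2),
        "skc_ap2": cache.skc_hit(client, ap2, to_ap2),
        "okc_ap1": cache.okc_hit(client, ap1, back_to_ap1),
        "skc_ap1": cache.skc_hit(client, ap1, back_to_ap1),
    }


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())   # IEEE 802.11 reference test vector
    print(roaming_demo())
```

The difference between the two lookups is the whole point of the slide: with OKC a single PMK per client covers every AP of the controller, so the first visit to a new AP is already a cache hit, while SKC only helps when the client returns to an AP it has already done a full authentication with. A defender reviewing captures can recognise a cached roam by the PMKID carried in the RSN IE of the reassociation request being answered directly with the 4-way handshake rather than a new EAP exchange.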
EAP Authentication Types
Different Authentication Options Leveraging Different Credentials
• Tunnel-based (EAP-PEAP, EAP-FAST, with inner methods EAP-GTC, EAP-TLS, EAP-MSCHAPv2) – Common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. PEAP requires only a server-side certificate. This provides security for the inner method, which may be vulnerable by itself.
• Certificate-based (EAP-TLS) – For more security EAP-TLS provides mutual authentication of both the server and client.

What are URL-Redirect scenarios?
(Figure: exchange between the endpoint, the NAD (WLC) and ISE.)
1st connection:
• 802.1X / MAC Authentication.
• Access-Accept (Url-Redirect + Url-Redirect-Acl), from the Guest/BYOD/posture/MDM portal redirection rule.
• DHCP, DNS, ISE portal(s) and other external resources (AV, MDM, etc.) stay reachable.
• HTTP(S) traffic identified by the Url-Redirect-Acl triggers redirection to the Url-Redirect, i.e. the ISE portal for guest, BYOD, posture, MDM, etc.
• Additional actions if needed (guest login, cert download, MDM check, etc.).
• Endpoint’s session updated.
• Change of Authorization (CoA).
2nd connection (if CoA terminate):
• 802.1X / MAC Authentication.
• Final Access-Accept with the Guest/BYOD/posture/MDM final (d)ACL/SGT/VLAN/etc.

Cisco Identity Services Engine (ISE)
BRKSEC-2059, BRKSEC-3432
ISE consolidates what used to be ACS, NAC Profiler, Guest Server, NAC Manager and NAC Server:
• Centralized Policy
• RADIUS Server
• Posture Assessment
• Guest Access Services
• Device Profiling
• Client Provisioning
• MDM
• Monitoring & Troubleshooting
• SIEM Integration
• Device Admin / TACACS+

Authentication and Authorization
What are they?
• Authentication: it tells who/what the endpoint is.
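The URL-Redirect sequence above is easier to reason about when both sides are written down, so here is an added example (not code from the deck, and not ISE's or the WLC's implementation) that models the policy server and the NAD across the two connections. The cisco-av-pair names url-redirect and url-redirect-acl are the ones the slide refers to; the ACL representation, the session states, the "dacl=" attribute used for the final access, the portal URL and all IP addresses are constructed for the example.

```python
# Added example (not from the deck): simplified model of the URL-Redirect flow between a
# policy server ("ISE") and a NAD ("WLC"), first connection, CoA, second connection.
from dataclasses import dataclass, field
from typing import List, Optional, Set

PORTAL_URL = "https://ise.example.test:8443/portal/gateway"   # assumed portal address
DNS_SERVER = "10.1.1.10"                                       # constructed
ISE_PSN = "10.1.1.20"                                          # constructed
ANY = "any"


@dataclass
class AclEntry:
    action: str   # "deny" = forwarded without redirection, "permit" = redirected (WLC semantics)
    dst: str      # IPv4 address or "any"
    dport: int


# Redirect ACL as the NAD holds it: holes for DNS and the ISE portal, web traffic redirected.
REDIRECT_ACL = [
    AclEntry("deny", DNS_SERVER, 53),
    AclEntry("deny", ISE_PSN, 8443),
    AclEntry("permit", ANY, 80),
    AclEntry("permit", ANY, 443),
]


@dataclass
class Session:
    mac: str
    state: str = "NEW"                       # NEW -> REDIRECT -> FULL_ACCESS
    redirect_url: Optional[str] = None
    redirect_acl: List[AclEntry] = field(default_factory=list)
    dacl: List[str] = field(default_factory=list)


def ise_authorize(mac: str, portal_done: Set[str]) -> dict:
    """Policy: endpoints that completed the portal step get final access, others the redirect rule."""
    if mac in portal_done:
        return {"cisco-av-pair": ["dacl=GUEST_FINAL_ACL"]}          # constructed attribute/name
    return {"cisco-av-pair": [f"url-redirect={PORTAL_URL}", "url-redirect-acl=REDIRECT_ACL"]}


class Nad:
    def __init__(self, portal_done: Set[str]):
        self.sessions = {}
        self.portal_done = portal_done   # state the policy server keeps; shared here for simplicity

    def authenticate(self, mac: str) -> Session:
        """802.1X / MAC authentication: apply whatever the Access-Accept carries."""
        s = Session(mac)
        for av in ise_authorize(mac, self.portal_done)["cisco-av-pair"]:
            key, _, value = av.partition("=")
            if key == "url-redirect":
                s.redirect_url, s.state = value, "REDIRECT"
            elif key == "url-redirect-acl":
                s.redirect_acl = list(REDIRECT_ACL)   # the named ACL is resolved locally on the NAD
            elif key == "dacl":
                s.dacl, s.state = [value], "FULL_ACCESS"
        self.sessions[mac] = s
        return s

    def handle_packet(self, mac: str, dst: str, dport: int) -> str:
        s = self.sessions[mac]
        if s.state == "FULL_ACCESS":
            return "forward"
        for e in s.redirect_acl:
            if e.dst in (ANY, dst) and e.dport == dport:
                return "forward" if e.action == "deny" else f"redirect:{s.redirect_url}"
        return "drop"   # nothing else leaves the endpoint while it sits behind the portal

    def portal_completed(self, mac: str) -> Session:
        """ISE records the portal result and sends a CoA (terminate); the endpoint reconnects."""
        self.portal_done.add(mac)
        del self.sessions[mac]
        return self.authenticate(mac)


def walk_through() -> list:
    mac = "aa:bb:cc:dd:ee:ff"            # constructed endpoint address
    nad = Nad(portal_done=set())
    first = nad.authenticate(mac)
    steps = [
        first.state,
        nad.handle_packet(mac, DNS_SERVER, 53),        # hole in the redirect ACL
        nad.handle_packet(mac, "203.0.113.10", 80),    # web traffic -> portal
        nad.handle_packet(mac, "203.0.113.10", 22),    # anything else is dropped
    ]
    second = nad.portal_completed(mac)
    steps += [second.state, nad.handle_packet(mac, "203.0.113.10", 22)]
    return steps
```

The model makes the operational check explicit: an endpoint in the REDIRECT state can only reach the holes you punched in the redirect ACL, so a redirect ACL that is too permissive (or one that forgets DNS/ISE) is a policy bug you can test for before deployment.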
  (802.1X / MAB / WebAuth)
• Authorization: it tells what the endpoint has access to.

AVC (Application Visibility and Control)
Per-user profiles via AAA: the RADIUS server returns the AVC profile name to the WLC.
  cisco-av-pair = avc-profile-name = AVC-Employee
  cisco-av-pair = avc-profile-name = AVC-Contract
(Figure: different application policies for Employee and Contractor, e.g. YouTube, Facebook, Skype, BitTorrent.)

Security Group Access (SGA)
AireOS 8.3 and before – SXP peering from the WLC
SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL
IP-to-SGT bindings held by the WLC for its users and endpoints (WebAuth, 802.1X, MAB, agent-less devices), as assigned by ISE:
  IP Address      SGT
  10.1.10.102     5
  10.1.10.110     14
  10.1.99.100     12
(Figure: a client with SGT=5 sends an untagged frame towards the IT Portal, 10.1.100.10 in VLAN 100, SGT 4. The WLC, as SXP speaker, sends the IP-to-SGT binding table via SXP to SGT tagging or SGACL capable devices, e.g. a Catalyst 3750-X as SXP listener; the frame is tagged there and the SGACL “deny sgt-src 5 sgt-dst 4” is enforced in the campus network, at the Cat 6500 distribution layer.)

Security Group Access (SGA)
As of AireOS 8.4 and IOS-XE – SXP peering from the AP (802.11ac)
SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL
Same binding table (10.1.10.102 ➔ 5, 10.1.10.110 ➔ 14, 10.1.99.100 ➔ 12), but the AP is now the SXP speaker towards the Catalyst 3k-X listener; the SGACL “deny sgt-src 5 sgt-dst 4” is still enforced in the campus network.

Security Group Access (SGA)
BRKSEC-3690
As of AireOS 8.4 and IOS-XE – SGACL at the WLC or AP (802.11ac)
SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL
The SGACL “deny sgt-src 5 sgt-dst 4” is enforced directly at the WLC or at the AP for the WebAuth, 802.1X, MAB and agent-less endpoints.
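The three SGA slides share one mechanism: bindings of IP address to SGT are distributed over SXP, and an SGACL is then evaluated on the (source SGT, destination SGT) pair instead of on addresses or VLANs. The following added example (not from the deck, not Cisco code) implements that lookup with the binding table and the SGACL from the slides; the Unknown SGT value 0, the speaker/listener objects, the IT Portal binding (10.1.100.10 ➔ 4, as on the figure) and the default-permit behaviour when no SGACL cell matches are this example's assumptions.

```python
# Added example (not from the deck): IP-to-SGT bindings received over SXP and an SGACL
# such as "deny sgt-src 5 sgt-dst 4" decide whether a packet is forwarded.
from ipaddress import ip_address

UNKNOWN_SGT = 0   # assumed value for endpoints with no binding


class SxpListener:
    """Enforcement point that receives bindings from SXP speakers (the WLC up to AireOS 8.3,
    the AP as of AireOS 8.4 / IOS-XE) and evaluates SGACLs on traffic it sees."""

    def __init__(self):
        self.bindings = {}       # ip_address -> SGT
        self.learnt_from = {}    # ip_address -> speaker name (useful when troubleshooting)
        self.sgacl = []          # (src_sgt, dst_sgt, action), first match wins

    def receive_sxp(self, speaker: str, bindings: dict):
        # Bindings are keyed on the IP only: the policy follows the endpoint whatever
        # VLAN or SSID it lands in, which is what makes SGT enforcement topology-independent.
        for ip, sgt in bindings.items():
            self.bindings[ip_address(ip)] = sgt
            self.learnt_from[ip_address(ip)] = speaker

    def classify(self, ip: str) -> int:
        return self.bindings.get(ip_address(ip), UNKNOWN_SGT)

    def add_sgacl(self, src_sgt: int, dst_sgt: int, action: str):
        self.sgacl.append((src_sgt, dst_sgt, action))

    def enforce(self, src_ip: str, dst_ip: str) -> str:
        src, dst = self.classify(src_ip), self.classify(dst_ip)
        for s, d, action in self.sgacl:
            if s == src and d == dst:
                return action
        return "permit"          # assumed default when no cell of the matrix matches


def sga_demo() -> dict:
    switch = SxpListener()
    # Bindings exactly as on the slides' table, exported by the WLC (or the AP).
    switch.receive_sxp("WLC", {"10.1.10.102": 5, "10.1.10.110": 14, "10.1.99.100": 12})
    # Server-side binding for the IT Portal, as drawn on the figure (constructed speaker name).
    switch.receive_sxp("ISE", {"10.1.100.10": 4})
    switch.add_sgacl(5, 4, "deny")   # deny sgt-src 5 sgt-dst 4
    return {
        "sgt5_to_portal": switch.enforce("10.1.10.102", "10.1.100.10"),
        "sgt14_to_portal": switch.enforce("10.1.10.110", "10.1.100.10"),
        "unknown_to_portal": switch.enforce("10.1.50.50", "10.1.100.10"),   # no binding -> SGT 0
        "sgt5_to_sgt12": switch.enforce("10.1.10.102", "10.1.99.100"),
    }


if __name__ == "__main__":
    for flow, verdict in sga_demo().items():
        print(f"{flow}: {verdict}")
```

Two things worth checking in a real deployment fall straight out of this model: an endpoint without a binding is evaluated as Unknown (SGT 0), so the matrix needs an explicit cell for Unknown if that traffic is not meant to be permitted, and the enforcement point can only be as accurate as the bindings it received, which is why the slides care about where the SXP speaker sits.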
TrustSec Integrated into SD-Access
BRKEWN-2020
(Figure: WLC (3504, 5520, 8540, 8510, C9800) and APs (1800, 2800, 3800) on the SD-Access fabric. CAPWAP Control Tunnel between AP and WLC; VXLAN Data Tunnel from the AP into the Overlay Network via the Edge Devices; Hosts (End-Points) behind the Edge Devices; Underlay Network and Underlay Control Plane below.)

TrustSec as Natively Integrated into SD-Access
1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
  Original packet:   ETHERNET | IP | PAYLOAD
  Packet in LISP:    ETHERNET | IP | UDP | LISP | IP | PAYLOAD – supports L3 overlay
  Packet in VXLAN:   ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD – supports L2 & L3 overlay; the VXLAN header carries VRF + SGT

Use Cases

Restrict wired access to Wi-Fi authenticated clients
Some additional measures
802.1X on the switch port the AP connects to, with the trunk configuration pushed from RADIUS as an interface template:
cisco-av-pair=interface-template-name=FLEXCONNECT_AP_TRUNK_TEMPLATE

interface GigabitEthernet1/0/5
 switchport access vlan 100
 switchport mode access
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast

template FLEXCONNECT_AP_TRUNK_TEMPLATE
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,110,120,130
 switchport mode trunk
 spanning-tree portfast trunk

Restrict wired access to Wi-Fi authenticated clients
Some additional measures
Resulting port configuration once the template is applied:

interface GigabitEthernet1/0/5
 switchport access vlan 100
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,110,120,130
 switchport mode trunk
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast trunk
Restrict wired access to Wi-Fi authenticated clients
Some additional measures
Same port configuration, with a wireless client placed in VLAN 110 (one of the VLANs allowed on the trunk):

interface GigabitEthernet1/0/5
 switchport access vlan 100
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,110,120,130
 switchport mode trunk
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast trunk

Restrict wired access to Wi-Fi authenticated clients
Some additional measures
(Figure: Wi-Fi authenticated clients in VLAN 110 carry the SGT Employee; anything else showing up in that VLAN has an Unknown SGT.)

Corporate Machines and Users – Identities
• Certificate
• Login/Password
• Other
• MAC address

Got AD?
Active Directory
• If using AD machine GPOs on a Windows environment, you may want to enable 802.1X machine authentication.*
• User authentication can be added on top, still through 802.1X, or be delegated to Windows logon (even if not outside the company domain).
* Microsoft introduced the concept of machine authentication also for this purpose.

Machine and User Authentication
With the native Windows 802.1X supplicant:
• The same EAP method is used for both machine and user.
• Once logged in to Windows, since the user’s identity is available, only user authentication is triggered.
With Cisco AnyConnect NAM:
• Different, separate EAP methods can be used for the machine and the user.
• EAP Chaining supports authenticating both the machine and the user, in the same session, whenever 802.1X is triggered.
How to force a user to authenticate from an already authenticated machine?
Access Enforcement
Machine VLAN ➔ User VLAN
• Changing VLAN between machine and user authentication is a common option.*
  * Some supplicants do not detect/support it consistently to trigger IP renewal.
• While keeping the same VLAN, a different ACL/SGT can be applied to the machine and the user.
  ✓ This is more “client agnostic” as it does not require IP renewal.

Corporate non-Windows Machines
• There is no concept of machine authentication as with Windows.
• Through ISE we could still link some attributes of the user’s identity/account to the machine.

Other options for non-Windows endpoints
• Mac OS X Snow Leopard and later
• Options for creating configuration profiles to choose between three modes:
  o User Mode (i.e., user 802.1X authentication when already logged in to the machine);
  o System Mode (i.e., machine 802.1X authentication);
  o System Mode (i.e., machine 802.1X authentication) + Login Window Mode (i.e., user 802.1X authentication before logging in to the machine).
• Possible through the iPhone Configuration Utility or the Apple Configurator, then by editing the .mobileconfig file manually:

<key>SSID_STR</key>
<string>My-Employee-SSID</string>
<key>SetupModes</key>
<array>
  <string>LoginWindow</string>
</array>
...
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>   (the very last "PayloadType" occurrence)

• Use of a Profile Manager (Mac OS X servers only) or MDM might be easier.
Find Something Special on Corporate Devices
Set a DHCP user class on the corporate build, then profile on it:
C:\>ipconfig /setclassid "Local Area Connection" CorpPC
http://technet.microsoft.com/en-us/library/cc783756(WS.10).aspx
dhcp-user-class-id = 43:6f:72:70:50:43 (ASCII "CorpPC") ➔ Profiling Policy = “corp_laptop”
dhcp-user-class-id = 62:6c:61:62:6c:61 (ASCII "blabla") ➔ no match

Corporate Mobile Devices
• Specific EAP methods and account/certificate attributes.
• 802.1X through a device-specific certificate, then WebAuth to verify the user behind.
• Go for MDM.

802.1X + CWA
Use Case: Machine and User Authentication for Mobiles
(Figure: WLC and ISE 1.3+.)

BYOD: Empower your Employees
(Figure: employee logging in as DOMAIN\employee.)
On the WLC:
config advanced eap max-login-ignore-identity-response disable

BYOD: Empower your Employees
• Dedicated guest account groups can be used to authenticate via 802.1X. In ISE, guest groups flagged as “allowed to bypass the portal” are enabled to authenticate through other (802.1X) methods, not just through the web portal. (Back in ISE 1.2 this corresponded to the “ActivatedGuest” flag.)
  (Figure: sample sponsored account federico@cisco.com / U45&%ci3@d.)
• External guests won’t be able to obtain the same type of credentials.

Contractors and “more than guest” Users
• Same ISE setting as above: guest groups flagged as “allowed to bypass the portal” can authenticate through other (802.1X) methods, not just through the web portal. (Back in ISE 1.2 this was the “ActivatedGuest” flag.)
Identity Pre-Shared Key (IPSK)
For non-802.1X endpoints
Every endpoint (or group of endpoints) uses its own PSK on the same SSID “Cisco Live”: the WLC sends a RADIUS Access-Request for the client’s MAC address and ISE returns the key for that client.

Endpoint 1 – PSK = CL_Key_1
  Access-Request (WLC ➔ ISE): [30] Called-Station-Id = CL-AP-Group-1, [31] Calling-Station-Id = aa:bb:cc:dd:ee:ff, [32] NAS-Identifier = Cisco Live ...
  Access-Accept (ISE ➔ WLC): cisco-av-pair = psk-mode=ascii, cisco-av-pair = psk=CL_Key_1 ...

Endpoint 2 – PSK = CL_Key_2 (endpoint 1 still connected with CL_Key_1)
  Access-Request (WLC ➔ ISE): [30] Called-Station-Id = CL-AP-Group-2, [31] Calling-Station-Id = 00:11:22:33:44:55, [32] NAS-Identifier = Cisco Live ...
  Access-Accept (ISE ➔ WLC): cisco-av-pair = psk-mode=ascii, cisco-av-pair = psk=CL_Key_2 ...

Endpoint 3 – PSK = CL_Key_3 (endpoints 1 and 2 still connected with CL_Key_1 and CL_Key_2)
  Access-Request (WLC ➔ ISE): [30] Called-Station-Id = CL-AP-Group-3, [31] Calling-Station-Id = de:ad:be:ef:de:ad, [32] NAS-Identifier = Cisco Live ...
  Access-Accept (ISE ➔ WLC): cisco-av-pair = psk-mode=ascii, cisco-av-pair = psk=CL_Key_3 ...

DevOps for new security features
Food for thought with IOS-XE programmability
(Figure: a C9800 with an Enterprise_802.1X SSID and a Backup_PSK SSID. When the RADIUS server becomes unreachable (%RADIUS-4-RADIUS_DEAD), the Backup_PSK SSID is brought up automatically.)
Automated Backup SSID with EEM on Catalyst 9800 Wireless Controllers: https://community.cisco.com/t5/wireless-mobility-documents/automated-backup-ssid-with-eem-on-catalyst-9800-wireless/ta-p/3743838

The secure wireless family business
• Learn the single elements and combine your own solution.
• Give it a try (e.g., PoC) before starting the production.
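The IPSK exchange above, modelled end to end as an added example (not code from the deck, nor from ISE or the WLC). The RADIUS attributes ([30] Called-Station-Id, [31] Calling-Station-Id, [32] NAS-Identifier, cisco-av-pair psk-mode and psk), the SSID and the key names are taken from the slides; the per-MAC policy table, the Access-Reject for an unknown MAC address, and the use of PBKDF2 (the standard WPA2-PSK passphrase-to-PMK derivation, also used in the key-management example earlier) as a stand-in for the EAPoL key exchange are this example's assumptions.

```python
# Added example (not from the deck): Identity PSK, where ISE returns a per-endpoint PSK
# in the Access-Accept and the WLC derives that endpoint's PMK from it.
import hashlib
import hmac

SSID = "Cisco Live"

# Policy the "ISE" side holds: MAC address -> PSK (the three endpoints from the slides).
IPSK_POLICY = {
    "aa:bb:cc:dd:ee:ff": "CL_Key_1",
    "00:11:22:33:44:55": "CL_Key_2",
    "de:ad:be:ef:de:ad": "CL_Key_3",
}


def pmk_from_psk(psk: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), SSID.encode(), 4096, 32)


def wlc_access_request(client_mac: str, ap_group: str) -> dict:
    """Attributes the WLC sends when a client associates to the IPSK SSID."""
    return {
        "Called-Station-Id": ap_group,        # [30]
        "Calling-Station-Id": client_mac,     # [31]
        "NAS-Identifier": SSID,               # [32]
    }


def ise_authorize(request: dict):
    """Returns ("Access-Accept", av_pairs) or ("Access-Reject", []) based on the calling MAC."""
    psk = IPSK_POLICY.get(request["Calling-Station-Id"].lower())
    if psk is None:
        return "Access-Reject", []            # assumed: no matching endpoint -> reject
    return "Access-Accept", ["psk-mode=ascii", f"psk={psk}"]


def wlc_install_pmk(reply):
    """WLC side: parse the cisco-av-pairs and derive this client's PMK from the returned PSK."""
    code, av_pairs = reply
    if code != "Access-Accept":
        return None
    attrs = dict(av.split("=", 1) for av in av_pairs)
    if attrs.get("psk-mode") != "ascii":
        raise ValueError("only psk-mode=ascii is modelled in this example")
    return pmk_from_psk(attrs["psk"])


def four_way_handshake_ok(client_psk: str, wlc_pmk: bytes) -> bool:
    """Stand-in for the EAPoL key exchange: it succeeds only if both sides hold the same PMK.
    A constant-time comparison replaces the real MIC verification for this model."""
    return hmac.compare_digest(pmk_from_psk(client_psk), wlc_pmk)


def connect(client_mac: str, client_psk: str, ap_group: str) -> str:
    reply = ise_authorize(wlc_access_request(client_mac, ap_group))
    pmk = wlc_install_pmk(reply)
    if pmk is None:
        return "rejected"
    return "associated" if four_way_handshake_ok(client_psk, pmk) else "handshake-failed"


def ipsk_demo() -> dict:
    return {
        "dev1_own_key": connect("aa:bb:cc:dd:ee:ff", "CL_Key_1", "CL-AP-Group-1"),
        "dev2_own_key": connect("00:11:22:33:44:55", "CL_Key_2", "CL-AP-Group-2"),
        "dev3_own_key": connect("de:ad:be:ef:de:ad", "CL_Key_3", "CL-AP-Group-3"),
        "dev2_with_dev1_key": connect("00:11:22:33:44:55", "CL_Key_1", "CL-AP-Group-2"),
        "unknown_mac": connect("ff:ee:dd:cc:bb:aa", "CL_Key_1", "CL-AP-Group-1"),
    }


if __name__ == "__main__":
    for case, result in ipsk_demo().items():
        print(f"{case}: {result}")
```

The model shows what IPSK buys you over a shared PSK: the WLC never holds one key for the SSID, it derives a PMK per client from whatever the policy server returned, so a device configured with another group's key fails the 4-way handshake even though it is on the same SSID. The lookup is keyed on the MAC address, so the strength of the scheme still rests on the individual PSKs being distinct and hard to guess; keeping them per device or per small group also keeps the blast radius of one leaked key small.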
• KISS (Keep It Simple and Stupid)

What other personal wireless security needs do you have?
Extra Q&A right outside the door

Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.

Continue your education
• Demos in the Cisco Showcase
• Walk-In Labs
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you