Wireless Components

This section discusses the components of a WLAN. The devices include APs and controllers. Switches are also considered a component that is integrated into the WLAN via a physical connection between the AP and the switch.

Wireless Access Points

Access points are one of the main components of a WLAN. Your home router is considered an access point that allows access to the Internet. APs use an 802.11 standard modulation technique and operate within a frequency spectrum. Users connect to APs, and many authenticate users to the WLAN. There are different types of APs, including single and multiple radios.

Wireless Controllers/Switches

In situations where a larger wireless infrastructure is needed, a wireless LAN controller can be used. APs can be configured on an individual basis, which is practical for small networks but not for large WLANs at the enterprise level. For this reason, you must use a wireless LAN controller or switch. Wireless LAN switches are built with wireless LAN controllers in them. The controller has Ethernet ports that connect to an AP or connect to a switch that connects to APs. Cisco makes many wireless controllers that have many limitations and capabilities, which means that your wireless LAN administrator must review the features of each and choose the most appropriate solution for your network. Figure 20-1 provides an example of a wireless network with a wireless controller and access point connected via a LAN switch.

Wireless Site Survey

Unless your installation takes place in an office with a few people in it, a site survey should be conducted to determine the best areas to place your access points for the best coverage possible. During the site survey, an AP and a client device are used as you move to different locations to find the most optimal location for the AP. Without a site survey or a well-planned survey, WLANs will have inadequate coverage, and the office will suffer from low performance in some locations. The time that it takes to complete the site survey will vary by the size of the office space. It is easier to complete the survey in buildings that have similar layouts on each floor. It is optimal to place the APs in the same location on each floor.

Access Point Installation

One of the most important installations of a WLAN is the access point. As mentioned earlier in this chapter, if you use many APs, you must configure them one by one, whereas if you use a controller, the configuration can be completed by the controller for each AP. The AP should be installed clear of obstacles to increase the range of the signal. Do not place it near metal objects and furniture. Ceilings are an ideal place to mount access points so that employees cannot tamper with them. Also keep in mind weather conditions of the area. If an AP is to be installed outdoors or in the elements, make sure that it is designed to withstand such environmental factors.

Access Point Configuration

After you connect a Cisco lightweight access point (LAP), it will boot up and try to communicate through the switch to a Cisco wireless LAN controller. The switch needs to be configured with the correct access VLAN and inline power settings. The LAP will try to locate one or more controllers on the network to join. The LAP will try to build a CAPWAP tunnel with the controller and will send a CAPWAP join request. The controller will respond with a join response message. The LAP will then download its image and configuration from the WLC. After the discovery process is finished, the LAP can now be fully managed by the controller.

WLAN Controller Installation

WLAN Controller Configuration

This section focuses on the configuration of the WLAN controller using the Cisco GUI.

Initial Configuration of WLC via a Web Browser

If you don't want to use the CLI to configure the WLC, you can use a feature which enables a non-configured WLC to provide an IP address to PCs via DHCP. This allows the PC to connect to the WLC via the IP address. The IP range assigned by the WLC is from 192.168.1.3 to 192.168.1.14, and the WLC is configured with IP address 192.168.1.245. In the browser, we navigate to http://192.168.1.245. Figure 20-2 shows the initial page where you create your admin account. Click Start to continue.

The next page is where we set up the WLC system name, country, date/time, and NTP server. This is also where we configure the management IP address, subnet mask, default gateway, and management VLAN ID. Follow Figures 20-3 and 20-4 for the Cisco WLC configuration.

Shown in Figure 20-5, the Create Your Wireless Networks page, we configure the network name/SSID (Service Set Identifier), choose the security type, and define the network and VLAN assignment. Optionally, you can also create a guest network and enable a way for guests to secure wireless network access. It is best practice to use WPA2 with AES encryption and 802.1x authentication. A pre-shared key should not be used in enterprise networks.

In Figure 20-6, you can configure the WLC for intended RF use in order to take advantage of Cisco WLC best practice default settings.

Next, your WLC configuration will be summarized. Click Apply and reboot the WLC for changes to take effect. Figures 20-7 and 20-8 display the WLC configuration summaries.

After rebooting the WLC, use the management IP address we configured to log in. To connect to the WLC, browse to its management IP address to use the web-based GUI to configure, monitor, and troubleshoot the WLC as shown in Figure 20-9.

WLC Monitoring

Upon logging into the WLC, we see the network summary of the WLC as displayed in Figure 20-10. You cannot make any configuration changes here.

Click Advanced in the upper-right corner to make changes. Now we see MONITOR, WLANs, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, COMMANDS, HELP, and FEEDBACK in the top menu.

You can see the summary screen of the wireless controller GUI in Figure 20-11. It features information such as the controller IP address, software version, name, number of access points, current clients, and rogue access points.

VLAN Configuration

The Interfaces option under CONTROLLER in the left menu is where we configure VLANs on the WLC. Interfaces are logical connections internal to the controller, whereas controller ports are physical connections on the WLAN.

Click CONTROLLER and click Interfaces. Click New in the top-right corner. We will step through the screens to create a new VLAN/interface. Follow along with Figures 20-12 through 20-15.

Click Apply in the top-right corner. Next, we configure the VLAN ID, subnet, gateway, network mask, and DHCP information.

Enter the IP address, network, and gateway of the VLAN.

Click Interfaces in the left menu to see the VLAN we just created.

DHCP Configuration

Under CONTROLLER, there is Internal DHCP Server in the left menu. Expand it and click DHCP Scopes where we can see the initial DHCP scope (day0-dhcp-mgmt) that allowed us to access the WLC for initial configuration. Follow along with Figures 20-16 through 20-18.

To create our new DHCP scope, click New and assign it VLAN 100, our VLAN that we created earlier. We see that our address pool is 0.0.0.0 - 0.0.0.0. Click the VLAN to change the settings.

We can now configure the subnet, net mask, lease time, default routers, and DNS servers.

Don't forget to click Apply in the upper-right menu and click Save configuration in the upper-right menu afterward.

WLAN Configuration

To create a new WLAN, click WLANs in the top menu. You now see already configured WLANs. Click the Go button which allows us to create a new WLAN. Follow along with Figures 20-19 through 20-22.

Choose the WLAN type in the dropdown menu and enter the profile name and choose your SSID. It is recommended to use the same profile name and SSID. We will create ID 10.

You must click Enabled next to Status to activate the WLAN.

Let’s look at the QoS tab and look at the preset settings. If we select Quality of Service, we see preset settings for video and voice among others. If a client asked to you prioritize voice, you would select that option.

MANAGEMENT

If you click the MANAGEMENT tab as shown in Figure 20-23, we see different options for managing the WLAN. Let's look at SNMP (port 162) and SYSLOG and HTTP-HTTPS.

Encryption and Authentication

Let’s very briefly cover wired equivalent privacy (WEP), because it should not be used for encryption and any network using WEP should be considered insecure. It is important to protect your data by keeping unauthorized users out of the networks and preventing eavesdropping. Next, you learn about Wi-Fi Protected Access (WPA) and 802.1x authentication.

Authentication Server

Let’s configure a RADIUS server for authentication. Navigate to SECURITY and then under AAA click RADIUS and Authentication. Follow along with Figures 20-24 through 20-27.

If you click New, we can create a new server.

In order to authenticate clients to your WLAN, you should use an authentication server. Click the Security tab. We see that we can choose WPA2 and use AES for encryption. We see Authentication Key Management where 802.1x can be enabled.

If you expand the AAA Servers option, we see RADIUS and TACACS+ options. Let’s configure RADIUS using the server we created.

Cisco ISE and WLAN

We can configure and manage WLCs with Cisco ISE. Browse to the ISE GUI at https://ISEIP/admin. If this is your first login, you will be asked to run the Wireless Setup wizard. If it is not your first time, then the wizard is in the upper-right corner of the ISE GUI. Figure 20-28 displays the Cisco ISE GUI.

This section will cover deploying ISE and a WLC. Navigate to the Wireless Setup wizard by hovering over the circle icon with an arrow in the top-right corner and selecting Wireless Setup as shown in Figure 20-29.

We will use the Wireless Setup wizard to configure ISE with the following options following Figure 20-30 through Figures 20-37:

Bring Your Own Device (BYOD) : Give your employees the option to use their own devices you specify as admin or allow them to enroll in a device portal.

Guest Access: This will allow a custom portal page where a guest can register their device to create a wireless access account.

Secure Wireless with WPA2, PEAP authentication, and 802.1x: This will secure corporate users using Active Directory for authentication.

Wireless Setup Wizard

We have three options for configuration, and you can run any one or all three in any order.

We can see three options under Guest Access: Self Registration, Hotspot, and Sponsored. To allow for guests to self-register via a portal, choose Self Registration. Enter your wireless controller information. Using at least 16 characters for your shared secret is advised.

Click Register and advance to the next screen where we select our WLC and click Commit.

Configure the wireless SSID and the VLAN for your guest users and select account duration (it is 24 hours by default) and the URL redirect after guests have logged in. Apress_Guest was already configured on the WLC, so it was already listed. Let’s create Apress_Guest1.

We can customize the guest portal by clicking the pencil icon. We can customize three pages: Login Page, Registration Page, and Registration Success.

Click Login Page and let's customize the background and icon images. You can change the terms and conditions for your company needs. Click Commit to save your changes.

Click the TEST PORTAL button to test your configuration. If changes are necessary, then click the pencil; and if you are done, then click Go Live, and guests can now log into your network. You can see how simple it was to create a wireless network using the wizard with Cisco ISE.

Hotspot Wizard

Now we will configure a hotspot using Cisco ISE. Navigate to the Wireless Setup wizard and click Hotspot under Guest Access. Then we can select our WLC or click the + icon to connect to a new WLC. Follow the hotspot configuration using Figure 20-38 through Figures 20-46.

Enter the hotspot name and VLAN we will use and click Add. Also, we can choose the POST LOGIN REDIRECT. As we can see, the account access duration is 30 days.

Select the hotspot you created and click Commit.

We can customize the hotspot portal by clicking the pencil icon. We can customize two pages. When you are finished, click Next.

Click the pencil icon to get a closer look at our options.

Our hotspot is ready now. Click Commit.

Click TEST PORTAL to test our hotspot.

Click Accept to finish testing our hotspot.

We have successfully tested the hotspot.

We are now ready to go live. Click Go Live so users can use the hotspot. Figure 20-47 displays the BYOD wireless wizard.

BYOD Wizard

Navigate to Bring Your Own Device from the Wireless Setup wizard. Select from Single SSID or Dual SSID and then click SETUP. We will go with Single SSID. Follow along using Figures 20-48 through Figures 20-53.

Select Single SSID.

Select your WLC or add a new one and click Commit.

Add your wireless SSID and click Add.

Select your SSID and click Commit.

Select your Active Directory you previously configured and add employees to the group.

You can choose to customize the BYOD portal and the My Devices Portal just as we did with the guest portal. Enter your custom URL for employees to remember it. The URL could be mydevices.local. It should be in your corporate DNS server and pointed to ISE. Once complete, click Next and Go Live after verifying your configuration.

We can customize the device portal by clicking the pencil and adjusting settings like the color. Then click Commit.

Lastly, we are ready to click Go Live and use the BYOD portal.

Wireless Network Monitoring

You can monitor a wide variety of aspects within your wireless network with Prime. You can do this by clicking Dashboard and then Overview to see your WLC and AP count. The Cisco Prime network summary can be seen in Figure 20-59.

If we hover over Inventory and navigate to Device Management and Network Devices, we can see our WLC. Click Wireless Controller, and we can see our managed WLC in Prime. We can see the network devices in Figure 20-60.

We can click our WLC to view the details of the device as shown in Figure 20-61.

Rogue access points can be identified in Alarms and Events as shown in Figure 20-62.

We can select an alarm message to view the details as shown in Figure 20-63.

To view security attacks that have been detected by Prime, go to Dashboard ➤ Wireless ➤ Security as shown in Figure 20-64.

Prime Infrastructure Maps

Prime allows you to have a visual representation of your wireless controllers and APs to include their location and coverage area. PI provides this visual representation with maps; data displays physical locations and predictive RF coverage. You can upload a floor plan as an image file as well. Maps can be accessed by navigating to Maps ➤ Wireless Maps ➤ Site Maps. Follow the map configuration using Figures 20-65 through Figures 20-71.

Insert a campus map and under it we create Floor 1.

We will add a floor to our Apress campus map. We drag our floor plan over to the page and click Save at the bottom.

We can set the location of our campus using latitude and longitude.

Now we see our map that has been loaded into Prime.

Maps can show access points, clients, interferers, rogue APs, rogue clients, and coverage areas. Rogue clients are clients not known to Prime, and rogue APs are APs that are not part of the enterprise network. This is very useful and could be a security incident. Let’s add an AP to the floor. Click Floor 1, click Edit, and under Access Points select Add.

Now select the appropriate AP and click Add selected.

On the map if you click an access point, a window will pop up and display information related to the AP including name, MAC address, AP type, AP model, WLC IP address, location, and uptime. You can also monitor the access point and configure the access point from this menu.

On the map if you have a client and click it, we see information related to the client to include the username and MAC address of the client.

We can enable AP coverage which shows the coverage area in Figure 20-72.

Select Rogue APs to see where rogue APs are located.

Prime Infrastructure Configuration

Prime has a configuration wizard for creating a rogue AP policy. Let’s go through it using Figure 20-73. Navigate to Services ➤ Mobility Services ➤ Wireless Security.

If we click Next, we can start to configure our rogue policy as shown in Figure 20-74.

If we click Next, we can use current rules or create new rogue rules as shown in Figure 20-75.

Figure 20-76 displays the configuration of a rogue rule titled TEST.

After we have created our rogue rule, we can click Apply. Figure 20-77 shows the rogue policy.

Threats and Vulnerabilities

There are many threats to a WLAN, as signals propagate through the air for any eavesdropper to view and analyze. This section focuses on those vulnerabilities, as well as ways to prevent security breaches. The only advantage that WLANs have over wired networks is that hackers must be within reasonable physical proximity of the WLAN. Even from several miles away, an attacker can use a cheap antenna to send or sniff Wi-Fi signals. It is good to understand the threats that are in a WLAN, because you can better defend your network. Let’s not forget how the placement of your APs is integral to security of your Wi-Fi network. You want to restrict physical access to your network devices to unauthorized personnel as they can easily be replaced, moved, or reset.

Service Set Identifiers (SSIDs) are treated as a security mechanism, when in reality they are only used to separate WLANs from one another. Sniffing is undetectable, but there are many free and commercial sniffing tools available. SSIDs are broadcasted multiple times per second in each beacon frame from an AP. It is best practice to turn off the SSID broadcast, but even then, your SSID is broadcast whenever a client associates or reassociates with the AP. This SSID can be sniffed and is in the clear. This is one type of gaining access to the network. Sometimes WLANs even use their SSID as their password.

If you use WEP for security, you might as well not use a password. There are many tools that can be used to crack WEP keys in seconds. Sniffing tools can be used to capture usernames or other important information. There are many websites that tell you how to make antennas that can be used to gain access to networks. Wardriving is completed by scanning wireless signals for networks, and there are sites that contain online databases of unprotected wireless networks. The best practice is to use WPA2 to protect your data in the network.

WLANs can easily be disrupted by denial of service (DoS) attacks that can be completed with radio-jamming equipment. Disassociation attacks also occur by posing as an AP and disassociating a device from an AP. Then the attacker can constantly send disassociating attacks to cause DoS. An attacker could also pose as a “man in the middle” to make a client associate with it and then sniff all its data. Air Jack is a tool that can locate a hidden network that does not broadcast its SSID. The tools dissociate a device from an AP, forcing it to reassociate with the AP; it sniffs the SSID in the reassociation packet. It can also transmit invalid authentication requests by spoofing legitimate clients, which causes APs to dissociate legitimate clients. The best way to prevent this type of attack is to make sure that your WLAN coverage ends inside your building and that it does not stretch outside. This can be done by focusing on the placement of the APs and walking around with a scanner to verify that the network does not extend further than you want it to.

Some APs restrict users’ access by MAC addresses, but in this case, it is trivial to sniff packets that contain legitimate users’ MAC addresses, and thus someone can spoof this to be accepted on the network. Rogue APs are unauthorized and not allowed on a network; some users set them up because they think it is easy, and attackers may set them up to steal account information from users. Any device can try to associate with a rogue AP, and the account information used to authenticate can steal a user’s credentials. Do not think that you will be able to identify a rogue AP, because it can mimic your normal AP. Credit card data can be stolen, as well as other confidential information. One-time passwords can be used to minimize the threat, but even a one-time password can be stolen, although it is only valid for that one session. Wireless surveys should be performed on your network to detect rogue APs.

In most instances, malicious wireless snooping and cracking is done to gain access to the Internet without paying a service provider or to conceal malicious activity within an unknowing victim’s wireless network, deflecting any searches for the source of that activity from the individual. Usually, networks that take even moderate care in securing the access points by using encryption and authentication, and by following good physical security practices, won’t be targeted in favor of the low-hanging fruit of an unsecured or poorly secured network. Attackers want the easy target most of the time—so secure your network!

Exercise 1

On the admin workstation, go to the browser and navigate to http://192.168.1.254 as shown in Figure 20-80.

Create whatever password you want to. Next we move on with the WLC configuration as shown in Figure 20-81.

Navigate to the WIRELESS tab to view the APs that have registered with the WLC as shown in Figure 20-82.

Click WLANs to create two WLANs. Name them Floor1 and Floor2 as shown in Figure 20-83.

Make sure they are enabled as shown in Figure 20-84.

Click the Security tab.

Under Layer 2, select WPA+WPA2.

Select WPA2 Policy and select AES for encryption.

Select PSK for pre-shared key.

Type Apress123 for our pre-shared key and click Apply as shown in Figure 20-85.

Repeat for Floor2.

In the WLANs menu, select Advanced and create a group for each floor by selecting Add Group as shown in Figure 20-86.

Click the Floor1 group and select the WLANs tab and add a new SSID and name it Floor1 as shown in Figure 20-87.

Next, go to the WLANs tab and select the Floor1 AP and click Add New as shown in Figure 20-88.

Select Floor1 and click Add as shown in Figure 20-89.

Next, go to the APs tab and select the Floor1 AP and click Add APs as shown in Figure 20-90.

Repeat this for Floor2.

Click the smart phone and connect it to the Floor2 AP. Enter the SSID, select WPA2-PSK, and enter your key and select AES for encryption as shown in Figure 20-91. You may need to select Static and switch back to DHCP to pull an IP address. We see the phone connected to the Floor2 AP.

Click the tablet and connect it to the Floor1 AP. Enter the SSID, select WPA2-PSK, and enter your key and select AES for encryption as shown in Figure 20-92. We see the tablet connected to the Floor1 AP.

We can see the wireless devices authenticated and connected to the Floor1 and Floor2 access points.