IAUWS
Course Management
Overview Implementing Advanced Cisco Unified Wireless Security (IAUWS) v1.0 is a five-day instructor-led course designed to help students prepare for the CCNP® Wireless certification, a professional-level certification specializing in the wireless field. The goal of the course is to give network professionals the information they need to secure the wireless network against security threats through appropriate security policies and best practices, and to ensure the proper implementation of security standards and the proper configuration of security components. IAUWS reinforces the instruction with hands-on labs to ensure that students thoroughly understand how to secure a network.
Outline The Course Management section of the Course Administration Guide includes these topics:
Overview
Course Instruction Details
Course Evaluations
Equipment List
Course Version This is the original release of the course named Implementing Advanced Cisco Unified Wireless Security (IAUWS) v1.0.
Course Objectives Upon completing this course, the learner will be able to meet these overall objectives:
Translate organizational and regulatory security policies and enforce security compliance
Integrate security on client devices
Design and implement guest access services on the WLAN controller
Design and integrate a wireless network with Cisco NAC Appliance
2 Implementing Advanced Cisco Unified Wireless Security (IAUWS) v1.0 © 2009 Cisco Systems, Inc.
Implement secure wireless connectivity services on the WLAN controller
Use the internal security features on the WLAN controller and integrate the WLAN controller with advanced security platforms to isolate and mitigate security threats to the WLAN
Target Audience The primary, secondary, and tertiary target audiences of this course are as follows:
Wireless network engineers (primary audience)
Wireless test engineers (primary audience)
Wireless network administrators (primary audience)
Wireless network managers (primary audience)
Mid-level wireless support engineers (primary audience)
Project managers (secondary audience)
Program managers (tertiary audience)
Other – sales and marketing personnel (tertiary audience)
The primary audience consists of individuals who are tasked with implementing or overseeing security for WLAN solution implementations.
The secondary and tertiary audiences consist of individuals who need to know how to sell, design, install, and support secure WLAN solution implementations.
Learner Skills and Knowledge The knowledge and skills that a learner must have before attending this course are as follows:
Interconnecting Cisco Networking Devices Part 1 (ICND1)
Interconnecting Cisco Networking Devices Part 2 (ICND2)
Implementing Cisco Unified Wireless Networking Essentials (IUWNE) v1.0
Course Instruction Details This topic provides the information that you need to prepare the course materials and set up the classroom environment.
Instructor Requirements To teach this course, instructors must meet the following requirements:
Be an active Cisco Certified Systems Instructor in good standing
Attend a Train the Trainer (TTT) or open enrollment delivery of a course facilitated by a qualified Cisco Certified Systems Instructor
Pass an Implementing Advanced Cisco Unified Wireless Security exam at the Instructor pass score
Note Submit questions concerning instructor certification to [email protected].
Classroom Reference Materials These items should be available for the learner during the course:
Student Guide
Lab Guide
Course Evaluation Form
Class Environment This information describes recommended class size and classroom setup:
Room set up classroom style with chairs and tables large enough for 16 learners
Eight pairs of chairs sharing access to eight laptops
Projector to display course slides and projection screen as needed
Sufficient power for all equipment
For local labs, rack and floor space to locate all equipment
Course Flow This is the suggested course schedule. You may make adjustments based on the skills, knowledge, and preferences of the learners in attendance. Presenting every topic is optional for noncertification offerings, but you are encouraged to cover them all because they are designed to reinforce the lesson concepts and ensure that learners apply some of the concepts.
Day 1: Course Introduction, Describing Regulatory Compliance, Segmenting Traffic, Configuring Administrative Security, Managing WLAN Controller and Cisco WCS Alarms, Identifying Security Audit Tools, Configuring EAP Authentication
8:30–9:00 (0830–0900) Module 0: Course Introduction
9:00–10:00 (0900–1000) Module 1 Lesson 1: Describing Regulatory Compliance
10:00–10:15 (1000–1015) Break
10:15–11:00 (1015–1100) Module 1 Lesson 2: Segmenting Traffic
11:00–12:00 (1100–1200) Lab 1-1: Segmenting Traffic
12:00–1:00 (1200–1300) Lunch
1:00–1:45 (1300–1345) Module 1 Lesson 3: Configuring Administrative Security
1:45–2:30 (1345–1430) Lab 1-2: Configuring Administrative Security
2:30–2:45 (1430–1445) Break
2:45–3:15 (1445–1515) Module 1 Lesson 4: Managing WLAN Controller and Cisco WCS Alarms
3:15–3:45 (1515–1545) Module 1 Lesson 5: Identifying Security Audit Tools
3:45–4:05 (1545–1605) Module 1 Summary and Self-Check
4:05–5:00 (1605–1700) Module 2 Lesson 1: Configuring EAP Authentication
5:00 (1700) Day ends
Day 2: Configuring EAP Authentication, Describing the Impact of Security on Applications and Roaming, Configuring the Cisco Secure Services Client, Troubleshooting Wireless Connectivity, Describing Guest Access Architecture, Configuring the WLAN to Support Guest Access, Configuring Guest Access Accounts
8:00–8:30 (0800–0830) Review of Day 1
8:30–8:50 (0830–0850) Module 2 Lesson 1: Configuring EAP Authentication (continued)
8:50–9:05 (0850–0905) Lab 2-1: Configuring EAP Authentication on the Clients
9:05–10:00 (0905–1000) Module 2 Lesson 2: Describing the Impact of Security on Applications and Roaming
10:00–10:15 (1000–1015) Break
10:15–11:15 (1015–1115) Module 2 Lesson 3: Configuring Cisco Secure Services Client
11:15–12:00 (1115–1200) Lab 2-2: Configuring Cisco Secure Services Client
12:00–1:00 (1200–1300) Lunch
1:00–1:20 (1300–1320) Module 2 Lesson 4: Troubleshooting Wireless Connectivity
1:20–2:20 (1320–1420) Lab 2-3: Troubleshooting Wireless Connectivity
2:20–2:40 (1420–1440) Module 2 Summary and Self-Check
2:40–2:55 (1440–1455) Break
2:55–3:15 (1455–1515) Module 3 Lesson 1: Describing Guest Access Architecture
3:15–3:45 (1515–1545) Module 3 Lesson 2: Configuring the WLAN to Support Guest Access
3:45–4:15 (1545–1615) Lab 3-1: Configure the WLAN to Support Guest Access
4:15–5:00 (1615–1700) Module 3 Lesson 3: Configuring Guest Access Accounts
5:00 (1700) Day ends
Day 3: Configure a Controller to Use the Cisco NGS for Authentication, Troubleshooting Guest Access, Introducing the Cisco NAC Appliance Solution, Configuring the Controller for Cisco NAC Out-of-Band Operations, Configuring Authentication for the WLAN Infrastructure
8:00–8:30 (0800–0830) Review of Day 2
8:30–9:30 (0830–0930) Lab 3-2: Configure a Controller to Use the Cisco NGS for Authentication
9:30–9:45 (0930–0945) Module 3 Lesson 4: Troubleshooting Guest Access
9:45–10:00 (0945–1000) Lab 3-3: Troubleshooting Guest Access Issues
10:00–10:15 (1000–1015) Break
10:15–11:00 (1015–1100) Lab 3-3: Troubleshooting Guest Access Issues (continued)
11:00–11:20 (1100–1120) Module 3 Summary and Self-Check
11:20–12:00 (1120–1200) Module 4 Lesson 1: Introducing the Cisco NAC Appliance Solution
12:00–1:00 (1200–1300) Lunch
1:00–1:30 (1300–1330) Module 4 Lesson 2: Configuring the Controller for Cisco NAC Out-of-Band Operations
1:30–2:15 (1330–1415) Lab 4-1: Configuring the Controller for Cisco NAC Out-of-Band Operations
2:15–2:30 (1415–1430) Break
2:30–2:50 (1430–1450) Module 4 Summary and Self-Check
2:50–3:50 (1450–1550) Module 5 Lesson 1: Configuring Authentication for the WLAN Infrastructure
3:50–4:25 (1550–1625) Lab 5-1: Configuring Local Authentication on the WLAN Controller
4:25–5:00 (1625–1700) Lab 5-2: Configuring H-REAP for WAN Failure
5:00 (1700) Day ends
Day 4: Configuring Management Frame Protection, Configuring Certificate Services, Implementing Access Control Lists, Implementing Identity Based Networking, Troubleshooting Secure Wireless Connectivity, Mitigating Wireless Vulnerabilities
8:00–8:30 (0800–0830) Review of Day 3
8:30–9:00 (0830–0900) Module 5 Lesson 2: Configuring Management Frame Protection
9:00–9:30 (0900–0930) Lab 5-3: Configuring Management Frame Protection
9:30–10:15 (0930–1015) Module 5 Lesson 3: Configuring Certificate Services
10:15–10:30 (1015–1030) Break
10:30–11:30 (1030–1130) Lab 5-4: Configuring Certificate Services
11:30–12:00 (1130–1200) Module 5 Lesson 4: Implementing Access Control Lists
12:00–1:00 (1200–1300) Lunch
1:00–1:30 (1300–1330) Lab 5-5: Implementing Access Control Lists
1:30–2:00 (1330–1400) Module 5 Lesson 5: Implementing Identity Based Networking
2:00–2:30 (1400–1430) Lab 5-6: Implementing Identity Based Networking
2:30–2:45 (1430–1445) Break
2:45–3:15 (1445–1515) Module 5 Lesson 6: Troubleshooting Secure Wireless Connectivity
3:15–3:45 (1515–1545) Lab 5-7: Troubleshooting H-REAP Security Issues
3:45–4:00 (1545–1600) Module 5 Summary and Self-Check
4:00–5:00 (1600–1700) Module 6 Lesson 1: Mitigating Wireless Vulnerabilities
5:00 (1700) Day ends
Day 5: Mitigating Wireless Vulnerabilities, Managing Rogue Access Points, Understanding Cisco’s End-to-End Security Solutions, Integrating Cisco WCS and Wireless IPS
8:00–8:30 (0800–0830) Review of Day 4
8:30–10:00 (0830–1000) Module 6 Lesson 1: Mitigating Wireless Vulnerabilities (continued)
10:00–10:15 (1000–1015) Break
10:15–11:00 (1015–1100) Lab 6-1: Managing Rogue Access Points
11:00–12:00 (1100–1200) Lab 6-2: Managing IDS Signatures
12:00–1:00 (1200–1300) Lunch
1:00–3:00 (1300–1500) Module 6 Lesson 2: Understanding Cisco’s End-to-End Security Solutions
3:00–3:15 (1500–1515) Break
3:15–4:00 (1515–1600) Module 6 Lesson 3: Integrating Cisco WCS and Wireless IPS
4:00–4:30 (1600–1630) Module 6 Summary and Self-Check
4:30–5:00 (1630–1700) Wrap-up
High-Level Course Outline This subtopic provides an overview of how the course is organized. The course contains these components:
Course Introduction
Organizational and Regulatory Security Policies
Secure Client Devices
Design and Implement Guest Access Services
Design and Integrate Wireless Network with Cisco NAC Appliance
Implement Secure Wireless Connectivity Services
Internal and Integrated External Security Mitigations
Detailed Course Outline This in-depth outline of the course structure lists each module, lesson, and topic.
Course Introduction The Course Introduction provides learners with the course objectives and prerequisite learner skills and knowledge. The Course Introduction presents the course flow diagram and the icons that are used in the course illustrations and figures. This course component also describes the curriculum for this course, providing learners with the information that they need to make decisions regarding their specific learning path.
Overview
— Learner Skills and Knowledge
Course Goal and Objectives
Course Flow
Additional References
— Cisco Glossary of Terms
Your Training Curriculum
Module 1 of 6: Organizational and Regulatory Security Policies Upon completion of this module, the learner should be able to translate organizational and regulatory security policies and enforce security compliance.
Lesson 1: Describing Regulatory Compliance This lesson describes regulatory compliance considerations. Upon completing this lesson, the learner will be able to meet these objectives:
Identify and categorize various common wireless vulnerabilities
Describe the various industry standards and associations and how they affect wireless implementations
Describe the various regulatory compliance acts, what industries they affect, and how they affect wireless implementations
The lesson includes these topics:
Categorizing Wireless Vulnerabilities
Industry Standards and Associations
Regulatory Compliance
Lesson 2: Segmenting Traffic This lesson defines how to segment traffic into different VLANs. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the segmentation of wireless traffic by application type on the controller
Describe the segmentation of wireless traffic by security capabilities on the controller
Describe the segmentation of wireless traffic by QoS policy on the controller
The lesson includes these topics:
Segmenting Traffic By Application
Segmenting Traffic By Security Capabilities
Segmenting Traffic by QoS Policy
The lesson includes this activity:
Lab 1-1: Segmenting Traffic
Lesson 3: Configuring Administrative Security This lesson defines how to configure administrative security on the controller. Upon completing this lesson, the learner will be able to meet these objectives:
Describe when and how to configure local management authentication on the controller
Describe how to configure RADIUS on the controller to provide authentication and accounting services to management users
Describe how to configure the Cisco Secure ACS to support RADIUS authentication of administrative users on the controller
Describe how to configure TACACS+ on the controller to provide AAA services to management users
Describe how to configure the Cisco Secure ACS to support TACACS+ authentication of administrative users on the controller
Describe how to configure the controller to allow management over wireless
Describe how the controller can be used to change the default Cisco username, password, and enable password on the access point
The lesson includes these topics:
Authenticating Management Users Locally
Authenticating Management Users on RADIUS
Configuring the Cisco Secure ACS for RADIUS
Authenticating Management Users on TACACS+
Configuring the Cisco Secure ACS for TACACS+
Enabling Management Over Wireless
Configuring Credentials for Access Points
The lesson includes this activity:
Lab 1-2: Configuring Administrative Security
Lesson 4: Managing WLAN Controller and Cisco WCS Alarms This lesson defines how to manage WLAN controller and Cisco WCS alarms. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how to configure system message logging, Syslog server, and SNMP trap notification on the controller
Describe how to configure logging options and SMTP mail server notification on the Cisco WCS
The lesson includes these topics:
Configuring Logging and Trap Notification on the Controller
Configuring Logging and Message Notification on the Cisco WCS
Lesson 5: Identifying Security Audit Tools This lesson describes wireless security audit tools and when to use them. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the framework for wireless penetration testing and examine the mitigations at each level of the framework
Describe when and how to perform a wireless security audit and the tools available to perform them
The lesson includes these topics:
Wireless Security Audits
Performing a Wireless Security Audit
Module 2 of 6: Secure Client Devices Upon completion of this module, the learner should be able to integrate security on client devices.
Lesson 1: Configuring EAP Authentication This lesson describes how to configure client devices for secure EAP authentication. Upon completing this lesson, the learner will be able to meet these objectives:
Describe 802.1X/EAP and the operation of EAP-FAST, EAP-TLS, PEAP-MSCHAPv2, and PEAP-GTC
Describe how to configure the controller as an AAA client on the Cisco Secure ACS
Describe how to configure the various EAP types using the Microsoft Wireless Zero Configuration and Intel PROSet wireless clients
The lesson includes these topics:
802.1X/EAP Authentication
Configuring the Wireless Infrastructure to Support RADIUS Authentication
Configuring 802.1X/EAP Authentication on the Wireless Clients
Lesson 2: Describing the Impact of Security on Applications and Roaming This lesson describes the impact of security configuration on applications and client roaming. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the impact of the security configuration when roaming on applications such as voice over wireless
Describe the 802.11i Proactive Key Caching and Cisco Centralized Key Management (CCKM) mechanisms that provide fast secure roaming
The lesson includes these topics:
Fast, Secure Roaming with Voice
Fast Secure Roaming Mechanisms
The lesson includes this activity:
Lab 2-1: Configuring EAP Authentication on the Clients
Lesson 3: Configuring Cisco Secure Services Client This lesson describes how to configure the Cisco Secure Services Client (SSC). Upon completing this lesson, the learner will be able to meet these objectives:
Describe how to configure various EAP types on the Cisco SSC using the SSC Management Utility
Describe how to configure the Cisco SSC for machine login and pre-session authentication to provide access to domain services using the SSC Management Utility
Describe how the end user configures the Cisco SSC for EAP protocols
The lesson includes these topics:
Configuring EAP on Cisco SSC
Configuring Machine Login and Pre-Session Authentication
Using the Cisco SSC
The lesson includes this activity:
Lab 2-2: Configuring Cisco Secure Services Client
Lesson 4: Troubleshooting Wireless Connectivity This lesson defines how to troubleshoot client wireless connectivity issues. Upon completing this lesson, the learner will be able to meet these objectives:
Identify and isolate problems with EAP authentication using various available tools
Describe the client risks involved with driver updates and Microsoft hotfixes
The lesson includes these topics:
Troubleshooting EAP Authentication
Driver Updates and Microsoft Hotfixes
The lesson includes this activity:
Lab 2-3: Troubleshooting Wireless Connectivity
Module 3 of 6: Design and Implement Guest Access Services Upon completion of this module, the learner should be able to design and implement guest access services on the WLAN controller.
Lesson 1: Describing Guest Access Architecture This lesson defines the overall architectures for guest access services. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the various traditional guest access architectures available
Describe the elements, features, and benefits of providing guest access through Cisco Unified Wireless Solution
The lesson includes these topics:
Wireless Guest Access Overview
Guest Access Using the Cisco Unified Wireless Solution
Lesson 2: Configuring the WLAN to Support Guest Access This lesson defines how to configure the WLAN to support guest access. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the design considerations for deployment of the guest WLAN using the DMZ anchor controller approach
Describe how to configure the foreign and anchor controller for guest access
Describe the steps to configure guest (wired) LAN access using the anchor controller approach
The lesson includes these topics:
Guest WLAN Design Considerations
Configuring the Anchor and Foreign Controllers
Guest LAN Configuration
Lesson 3: Configuring Guest Access Accounts This lesson describes how to create and manage guest access accounts. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how to use the lobby ambassador services on the controller and Cisco WCS to configure guest user accounts
Identify administrative configurations for guest account management on the Cisco NAC Guest Server
The lesson includes these topics:
Lobby Ambassador
Cisco NAC Guest Server Account Management
The lesson includes this activity:
Lab 3-1: Configure the WLAN to Support Guest Access
Lesson 4: Troubleshooting Guest Access This lesson defines how to isolate and resolve guest access issues. Upon completing this lesson, the learner will be able to meet these objectives:
Describe guidelines for proper deployment of the anchor controller
Identify various tasks to help identify and isolate problems with guest access
The lesson includes these topics:
Anchor Controller Deployment Guidelines
Troubleshooting Guest Access
The lesson includes these activities:
Lab 3-2: Configure a Controller to Use the Cisco NGS for Authentication
Lab 3-3: Troubleshooting Guest Access Issues
Module 4 of 6: Design and Integrate Wireless Network with Cisco NAC Appliance Upon completion of this module, the learner should be able to design and integrate a wireless network with the Cisco NAC Appliance.
Lesson 1: Introducing the Cisco NAC Appliance Solution This lesson introduces the overall architectures that support the Cisco NAC Appliance solution. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the functions of the various NAC components, such as the Cisco NAC Server (NAS), Cisco NAC Manager (NAM), and Cisco NAC Agent (NAA)
Describe the various Cisco NAC Appliance deployment options
Describe the data flow for a wireless client during the authentication process
Describe the role of the Cisco NAC Appliance in guest access services
The lesson includes these topics:
NAC Components
Cisco NAC Appliance Solution Overview
Wireless Client Data Flow
Cisco NAC with Guest Access
Lesson 2: Configuring the Controller for Cisco NAC Appliance Out-of-Band Operations This lesson describes how to configure the controller to support Cisco NAC Appliance out-of-band operations. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how to configure the controller for Cisco NAC out-of-band operations
Describe the configuration of the Cisco NAC Appliance, using the Cisco NAM web GUI, to support Cisco NAC out-of-band operations
Describe how to verify that the wireless client has successfully passed the NAC Appliance authentication and posture assessment
The lesson includes these topics:
Configure the Controller for Cisco NAC Out-of-Band Operations
Verify the Required Configurations on the Cisco NAC Appliance
Verify Wireless Client Authentication
The lesson includes this activity:
Lab 4-1: Configuring the Controller for Cisco NAC Out-of-Band Operations
Module 5 of 6: Implement Secure Wireless Connectivity Services Upon completion of this module, the learner should be able to implement secure wireless connectivity services on the WLAN controller.
Lesson 1: Configuring Authentication for the WLAN Infrastructure This lesson describes how to configure authentication services on the controller and the access points. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how to configure local authentication on the controller using either the local user database or a remote LDAP database
Describe how to configure H-REAP to provide authentication services in the event of a WAN failure
Describe how to configure access points to use EAP authentication when connecting to the switch
The lesson includes these topics:
Configuring Local Authentication
Configuring H-REAP for WAN Failure
Configuring an Access Point to Authenticate to the Local Switch
The lesson includes these activities:
Lab 5-1: Configuring Local Authentication on the WLAN Controller
Lab 5-2: Configuring H-REAP for WAN Failure
Lesson 2: Configuring Management Frame Protection This lesson describes how to configure management frame protection on clients and controllers. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how to configure management frame protection on clients
Describe how to configure management frame protection on the controller
The lesson includes these topics:
Configuring Management Frame Protection on Clients
Configuring Management Frame Protection on the Controller
The lesson includes this activity:
Lab 5-3: Configuring Management Frame Protection
Lesson 3: Configuring Certificate Services This lesson describes how to configure client- and server-side digital certificate services. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the functionality of asymmetric encryption algorithms
Describe the principles behind a Public Key Infrastructure (PKI)
Describe how to install and configure a server certificate on the Cisco Secure ACS
Describe how to obtain and install a user certificate on the client PC
Describe how to install a self-signed certificate on the Cisco Secure ACS
Describe how to install server and CA certificates on the controller
The lesson includes these topics:
Asymmetric Encryption Overview
Public Key Infrastructure Principles
Installing Certificates on the ACS
Obtaining and Installing User Certificates
Using Self-Signed Certificates on the ACS
Adding Certificates on the Controller
The lesson includes this activity:
Lab 5-4: Configuring Certificate Services
Lesson 4: Implementing Access Control Lists This lesson defines how to implement ACLs on a WLAN controller. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how to create and configure access control lists (ACLs) on the controller
Describe how to apply ACLs on the controller
Describe how to apply preauthentication ACLs on the guest WLAN
The lesson includes these topics:
Configuring Access Control Lists on the Controller
Applying Access Control Lists on the Controller
Preauthentication ACLs
The lesson includes this activity:
Lab 5-5: Implementing Access Control Lists
Lesson 5: Configuring Identity Based Networking This lesson describes how to configure identity based networking on the controller and the Cisco Secure ACS. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how to configure identity based networking on the controller
Describe how to configure identity based networking on the Cisco Secure ACS
The lesson includes these topics:
Configuring Identity Based Networking on the Controller
Configuring Identity Based Networking on the Cisco Secure ACS
The lesson includes this activity:
Lab 5-6: Implementing Identity Based Networking
Lesson 6: Troubleshooting Secure Wireless Connectivity This lesson defines how to troubleshoot secure wireless connectivity services. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how to troubleshoot secure wireless connectivity issues using the embedded tools on the controller and Cisco Secure ACS
Describe how to troubleshoot secure wireless connectivity issues using external tools
The lesson includes these topics:
Troubleshooting with the Controller and Cisco WCS
Troubleshooting Issues Utilizing External Tools
The lesson includes this activity:
Lab 5-7: Troubleshooting H-REAP Security Issues
Module 6 of 6: Internal and Integrated External Security Mitigations Upon completion of this module, the student should be able to use the integrated security features on the WLAN controller to isolate and mitigate security threats to the WLAN.
Lesson 1: Mitigating Wireless Vulnerabilities This lesson defines how to categorize and mitigate wireless vulnerabilities. Upon completing this lesson, the learner will be able to meet these objectives:
Identify the various possible mitigation strategies available for each of the vulnerabilities already discussed
Describe how to configure a rogue policies template and apply it to the controller
Describe the function and utilization of the various threat mitigation tools in Cisco WCS to identify and locate threats
The lesson includes these topics:
Mitigating Wireless Vulnerabilities
Configuring a Rogue Policies Template
Threat Identification with Cisco WCS
The lesson includes these activities:
Lab 6-1: Managing Rogue Access Points
Lab 6-2: Managing IDS Signatures
Lesson 2: Understanding Cisco’s End-to-End Security Solutions This lesson describes Cisco's end-to-end security solutions and how they integrate with the Cisco Unified Wireless Network (CUWN). Upon completing this lesson, the learner will be able to meet these objectives:
Describe Cisco Secure ACS and how it integrates with the CUWN solution
Describe Cisco NAC Appliance and how it integrates with the CUWN solution
Describe the firewall port configuration requirements to support placement of the WLAN controller in a demilitarized zone (DMZ)
Describe Cisco IPS appliance and how it integrates with the CUWN solution
Describe Cisco Security Agent and how it integrates with the CUWN solution
Describe Cisco Security MARS and how it integrates with the CUWN solution
The lesson includes these topics:
Cisco ACS Integration
NAC Appliance Integration
Firewall Requirements for DMZ
Cisco IPS Integration
Cisco Security Agent Integration
Cisco Security MARS Integration
Lesson 3: Integrating Cisco WCS with Wireless IPS This lesson defines how to configure Cisco WCS to operate with the Cisco adaptive wireless IPS solution. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the functions of the Cisco adaptive wireless IPS solution
Describe how to configure Cisco WCS to communicate with Cisco Adaptive Wireless IPS
The lesson includes these topics:
Cisco Adaptive Wireless IPS Functions
Integrating Cisco WCS with Wireless IPS
Course Evaluations Cisco uses a post-course evaluation system, Metrics That Matter (MTM), for its instructor-led courses. The instructor must ensure that each student is aware of the confidential evaluation process and that all students submit an evaluation for each course. There are two options for students to complete the evaluation.
For Classes with Internet Access A URL will be made available, specific to each Cisco Learning Partner. Obtain the URL from your MTM system administrator before the last day of class.
1. Upon completion of the course, instruct the students to enter the URL into their browser.
2. Make sure that the students input their e-mail address (used only for a follow-up evaluation).
Note Sixty days following a learning event, students will receive a brief follow-up evaluation, and, again, responses will be kept confidential. E-mail addresses will not be used for marketing purposes. (If students do not have e-mail addresses, they may type in a “dummy” address.)
3. Instruct the students to select the appropriate course from the drop-down list.
4. Instruct the students to complete the course evaluation and click Submit one time only.
5. Advise the students to wait for “Thank you” to appear on the screen before leaving.
For Classes Without Internet Access A paper-based version of the post-course evaluation is available. Your MTM system administrator can provide you with copies.
1. Distribute paper-based evaluations at the beginning of the last day of class.
2. Instruct the students to complete the survey only after completing the course.
3. Collect the evaluations and submit them to your MTM system administrator.
To View Evaluation Results To view your post-course evaluation results:
1. Go to www.metricsthatmatter.com/client. (Reminder: All data is confidential; you will see only your own data.)
2. Log in using your ID and the password sent to you from MTM or provided by your company MTM system administrator to ensure confidentiality.
3. Choose Menu Option – Learner Evaluation Reports:
— Evaluation Retrieval Tool
— Class Evaluation Summary Report
4. Search for and select the appropriate class.
Lab Setup
Overview The purpose of the “Lab Setup” section is to assist in the setup and configuration of the training equipment for the Implementing Advanced Cisco Unified Wireless Security course. This section includes these topics:
Lab Topology
Hardware and Software Requirements
Workstation Configuration
Lab Equipment Configuration
General Lab Setup
Lab 1-1: Segmenting Traffic
Lab 1-2: Configuring Administrative Security
Lab 2-1: Configuring EAP Authentication on the Clients
Lab 2-2: Configuring Cisco Secure Services Client
Lab 2-3: Troubleshooting Wireless Connectivity
Lab 3-1: Configure the WLAN to Support Guest Access
Lab 3-2: Configure a Controller to use the Cisco NGS for Authentication
Lab 3-3: Troubleshooting Guest Access Issues
Lab 4-1: Configuring the Controller for Cisco NAC
Lab 5-1: Configuring Local Authentication on the WLAN Controller
Lab 5-2: Configuring H-REAP for WAN Failure
Lab 5-3: Configuring Management Frame Protection
Lab 5-4: Configuring Certificate Services
Lab 5-5: Implementing Access Control Lists
Lab 5-6: Implementing IBN
Lab 5-7: Troubleshooting H-REAP Security Issues
Lab 6-1: Managing Rogue Access Points
Lab 6-2: Managing IDS Signatures
Configuration Files Summary
Lab Activity Solutions
Teardown and Restoration
Lab Topology This topic describes the lab topology for Implementing Advanced Cisco Unified Wireless Security (IAUWS) v1.0.
IAUWS Logical Topology Diagram
This lab consists of a central switch which supports eight remote pods. Each pod consists of a 2106 WLC, an AP1252 and a remote laptop with an Intel wireless client card. In addition, there is an ASA 5510 providing firewall services. In the DMZ is a 4402-12 WLC and a Cisco NGS appliance. Also connected to the core switch is a Cisco NAM appliance and Cisco NAS appliance, a Windows 2003 server with WCS and a Windows 2003 server (enterprise) running VM with 8 instances of Cisco Secure ACS (one per pod). Windows certificate services is running on the root of the Windows Server with VM. Connection to the remote lab is via VPN running on a local router with terminal services enabled to provide command line access to the various hardware in the lab. In addition, a remote IP KVM switch and a remote power switch are available to the instructor as necessary. There is one autonomous AP1242 to serve as a rogue access point.
Note: At the time of the course development, we had an AIP-SSM in the ASA 5510. But we couldn’t get the controller to successfully retrieve the shun-list from the AIP-SSM. Therefore, the IPS and WLC integration lab was removed from the course. Without the AIP-SSM requirement in lab, the actual firewall can be any Cisco Firewall like ASA 5505 or IOS Firewall.
| Device Name | Device Name Abbreviation | Assigned Pod | Interface | Network Address | Additional Information |
|---|---|---|---|---|---|
| WLC-2106 | Pod1-2106 | 1 | 1 | 10.10.1.10 | AP Manager 10.10.1.11 |
| AP1252 | Pod1-ap | 1 | FA0 | DHCP 10.10.1.x | |
| Remote PC | Pod1 | 1 | Ethernet | 10.10.1.100 | Access Via VPN |
| WLC-2106 | Pod2-2106 | 2 | 2 | 10.20.1.10 | AP Manager 10.20.1.11 |
| AP1252 | Pod2-ap | 2 | FA0 | DHCP 10.20.1.x | |
| Remote PC | Pod2 | 2 | Ethernet | 10.20.1.100 | Access Via VPN |
| WLC-2106 | Pod3-2106 | 3 | 3 | 10.30.1.10 | AP Manager 10.30.1.11 |
| AP1252 | Pod3-ap | 3 | FA0 | DHCP 10.30.1.x | |
| Remote PC | Pod3 | 3 | Ethernet | 10.30.1.100 | Access Via VPN |
| WLC-2106 | Pod1-2106 | 4 | 4 | 10.10.4.10 | AP Manager 10.40.1.11 |
| AP1252 | Pod4-ap | 4 | FA0 | DHCP 10.40.1.x | |
| Remote PC | Pod4 | 4 | Ethernet | 10.40.1.100 | Access Via VPN |
| WLC-2106 | Pod5-2106 | 5 | 5 | 10.50.1.10 | AP Manager 10.50.1.11 |
| AP1252 | Pod5-ap | 5 | FA0 | DHCP 10.10.5.x | |
| Remote PC | Pod5 | 5 | Ethernet | 10.50.1.100 | Access Via VPN |
| WLC-2106 | Pod6-2106 | 6 | 6 | 10.60.1.10 | AP Manager 10.60.1.11 |
| AP1252 | Pod6-ap | 6 | FA0 | DHCP 10.60.1.x | |
| Remote PC | Pod6 | 6 | Ethernet | 10.60.1.100 | Access Via VPN |
| WLC-2106 | Pod7-2106 | 7 | 7 | 10.70.1.10 | AP Manager 10.10.1.11 |
| AP1252 | Pod7-ap | 7 | FA0 | DHCP 10.70.1.x | |
| Remote PC | Pod7 | 7 | Ethernet | 10.10.1.100 | Access Via VPN |
| WLC-2106 | Pod8-2106 | 8 | 8 | 10.80.1.10 | AP Manager 10.80.1.11 |
| AP1252 | Pod8-ap | 8 | FA0 | DHCP 10.80.1.x | |
| Remote PC | Pod8 | 8 | Ethernet | 10.80.1.100 | Access Via VPN |
| WCS v5.2 | WCS | All pods | Ethernet port | 10.100.1.4 | |
| ACS v4.2 | Pod1-ACS | 1 | Ethernet | 10.100.1.51 | VM on 10.100.1.5 |
| ACS v4.2 | Pod2-ACS | 2 | Ethernet | 10.100.1.52 | VM on 10.100.1.5 |
| ACS v4.2 | Pod3-ACS | 3 | Ethernet | 10.100.1.53 | VM on 10.100.1.5 |
| ACS v4.2 | Pod4-ACS | 4 | Ethernet | 10.100.1.54 | VM on 10.100.1.5 |
| ACS v4.2 | Pod5-ACS | 5 | Ethernet | 10.100.1.55 | VM on 10.100.1.5 |
| ACS v4.2 | Pod6-ACS | 6 | Ethernet | 10.100.1.56 | VM on 10.100.1.5 |
| ACS v4.2 | Pod7-ACS | 7 | Ethernet | 10.100.1.57 | VM on 10.100.1.5 |
| ACS v4.2 | Pod8-ACS | 8 | Ethernet | 10.100.1.58 | VM on 10.100.1.5 |
| NGS (v2.0) | NGS (v2.0) | All pods | 0 | 10.103.1.3 | |
| 4402-12 | Anchor Controller | All pods | 1 | 10.103.1.10 | Service port 10.100.1.10 |
| NAM (v4.5) | NAM (v4.5) | All pods | 0 | 10.102.1.2 | |
| NAS (v4.5) | NAS (v4.5) | All pods | 0 – trusted, 1 – untrusted | 10.100.1.2 – trusted | Instructor access only. See port map file on instructor CD for port usage. |
| Core switch | Iauws-sw | All pods | Multiple ports | 10.1.1.1 | Instructor access only. See port map file on instructor CD for port usage. |
| ASA 5510 | iauws-asa | All pods | Multiple ports | 10.100.1.7 | Instructor access only. See port map file on instructor CD for ACL requirements for the firewall. |
| AP1242 | Rogue-ap | All pods | FA0 | 10.100.1.99 | Instructor access only |
Hardware and Software Requirements
Hardware List The hardware listed in the following table is suggested for this learning product. The Single Unit Price and Total Unit Price columns (Monetary Unit: [Insert Unit]) are optional, for internal use only, and are left blank here.
Student Pod Equipment – 2 Students Per Pod – 8 Pods Total Per Class
Class Network equipment to share across all pods

| Description | Mfr. | Part Number | Qty. |
|---|---|---|---|
| Cisco AP1242 standalone | Cisco | AIR-AP1242AG-x-K9 | 1 |
| 2.2 dBi 2.4 GHz dipole antenna | Cisco | AIR-ANT2422DW-R | 2 |
| 3.5 dBi dipole 5 GHz antenna | Cisco | AIR-ANT5135DW-R | 2 |
| Cisco 1841 router (VPN router) | Cisco | CISCO1841-SEC/K9 | 1 |
| Catalyst 3560E 48 port switch with 1150WAC power supply | Cisco | WS-C3560E-48PD-E | 1 |
| WLC 4402-12 | Cisco | AIR-WLC4402-12-K9 | 1 |
| 3310 NAC Appliance for Clean Access Server (includes software and license for 100 users) and Clean Access Manager and NAC Guest Server | Cisco | NAC3310-100-K9 | 3 |
| ASA 5510 | Cisco | ASA5510-BUN-K9 | 1 |
| Windows 2003 Server 4G+ memory - used for WCS | Various | | 1 |
| Windows 2003 Server (enterprise) 8G+ memory - used for VM, ACS, TFTP/FTP, Certificate Services | Various | | 1 |
| Cables CAT 5 | Various | | 8 |

Student POD equipment (8 pods)

| Description | Mfr. | Part Number | Qty. |
|---|---|---|---|
| WLC 2106 | Cisco | AIR-WLC2106-K9 | 8 |
| AP1252 Lightweight | Cisco | AIR-LAP1252AG-X-K9 | 8 |
| 2.2 dBi 2.4 GHz dipole antenna | Cisco | AIR-ANT2422DW-R | 24 |
| 3.5 dBi dipole 5 GHz antenna | Cisco | AIR-ANT5135DW-R | 24 |
| Laptop with Intel PRO 4965 a/b/g/n wireless NIC, RS-232 port or USB to RS-232 adapter, 2+ GHz processor, 2 GB RAM, 802.3 10/100 T, PCMCIA and USB ports | Various | | 8 |
| Cables CAT 5 | Various | | 24 |

Other Required Equipment

| Description | Mfr. | Part Number | Qty. |
|---|---|---|---|
| Web-KVM switch (Example: StarTech.com Enhanced KVM Switch Over IP SV841HDIE - KVM switch - 8 ports + Cables) For remote maintenance | Various | | 1 |
| Powered APC switch (Example: BayTech Power Switch 20 outlet switched RPC-28) For remote maintenance | Various | | 1 |
Software List The software listed in the following table is suggested for this learning product. The Single Unit Price and Total Unit Price columns (Monetary Unit: [Insert Unit]) are optional, for internal use only, and are left blank here.
Class Network - Shared Equipment

| Description | Mfr. | Part Number | Qty. |
|---|---|---|---|
| IOS software for switch | Cisco | 12.2(44)SE | 1 |
| WLC code v5.2 | Cisco | SWLC4400K9-52 | 9 |
| WCS v5.2 with license | Cisco | WCS-APLOG-52 | 1 |
| ACS V4.2 | Cisco | CSACS-4.2-WIN-K9 | 8 |
| Clean Access Lite Manager (v4.5); NAC Guest Server v2.0; ASA (v7.x or 8.x is fine) | Cisco; Cisco; Cisco | NACMGR-3-K9; cisco-nac-guest-server-2.0.0-K9.iso; 7.x or 8.x | 1 |
| Option 1 - Windows 2003 standard on server, WCS-1, ACS-8 (1 base + VM and 7 additional VMs) | Microsoft | | 9 |
| Option 2 - Windows 2003 standard on Server for WCS; Windows 2003 Enterprise on ACS server (2 instances with 4 VM each) | Microsoft; Microsoft | | 1; 2 |
| Windows 2003 on Server Enterprise | Microsoft | | 1 |
| VMware | Microsoft | | 1 |
| Free FTP/TFTP Server | Various | | 1 |

Student PODs

| Description | Mfr. | Part Number | Qty. |
|---|---|---|---|
| Windows XP | Microsoft | | 8 |
| WLC code v5.2 | Cisco | SWLC4400K9-52 | 8 |
| Cisco Secure Services Client | Cisco | Cisco_SSC-XP2K_5.1.1.3.zip | 8 |
| Cisco Secure Services Client Management Utility | Cisco | Cisco_SSCMgmtUtil_5.1.1.4.zip | 8 |
| Intel PRO Wireless Client | Intel | N/A | 8 |
| NAC Appliance Agent (v4.5) | Cisco | CCAAgentSetup-4.5.0.0.tar.gz | 8 |
Workstation Configuration These instructions describe how to set up the lab when workstations are required.
Class PCs If you use a remote lab, Steps 1 to 4 apply to class PCs only. If you use a local lab, skip this part and go to Step 5.
Step 1 Make sure that PCs have Windows installed, browser capability, Java (JRE), and proper access to the Internet.
Step 2 Make sure that PCs have the Flash plug-in installed; it is required to access Cisco WCS.
Step 3 Download and install Cisco VPN Client software, and provide a shortcut on the desktop.
Step 4 Create Cisco VPN Client profiles and copy them to the Cisco VPN Client profiles directory.
Step 5 Create a Remote Desktop Connection shortcut on the PC desktop.
Step 6 Download and install TeraTerm Pro and create a shortcut on the desktop.
Lab Laptops The following steps apply to the laptops in the remote lab.
Step 1 Remote laptops should have their IP address properly set (refer to the lab maps), and configured to allow remote access via remote desktop.
Step 2 Install XP SP2, plus any critical category patch for Windows XP Pro, BIOS and Intel wireless card.
Step 3 Obtain a CA certificate from the server which provides ACS and CA services and install the CA certificate in the Trusted Root Certification Authorities store.
Step 4 Install Cisco Secure Services Client and sscUtilityManagement and create shortcuts on the desktop.
Step 5 Obtain a copy of the Self-Signed Certificate from the ACS assigned to the pod and install in the Trusted Root Certification Store.
Step 6 Install a TeraTerm Pro on the laptop and create a shortcut on the desktop.
Lab Equipment Configuration This equipment configuration information is necessary for initial setup of the lab configuration.
Notes on Delivery Lab Equipment
Learners can access their controllers both from the CLI using the terminal server and from the web interface using their connection to the switch.
Learners can access the remote lab laptops using remote desktop connection.
Save the configuration file “iauwsSwitchConfig.txt” in the startup-config of the Cat3560E.
Save the configuration file “iauws5510config.txt” in the startup-config of the ASA5510.
Download the configuration file “iauwsanchor4402.txt” to the 4402 anchor controller.
Ensure that all equipment is properly wired to its respective switch.
All AP1252s should be reset to normal mode.
Pod controllers should be reset to factory default.
Cisco WCS should be installed and ready. Root password should be IAUWSwcs123. For WCS http port, choose 81. Use the default https port, 443.
Back up the Cisco WCS database with the controllers and APs added, a building with one floor created and all APs placed on the MAP, and users created. See the WCSusers.txt file for a list of users and passwords. A sample floorplan (floor1.jpg) will be included.
Restore the back up at the end of the class to bring WCS back to this original state.
Terminal server and VPN gateway should be configured to provide access to the remote lab.
The ACS server should have VMware installed and eight VM instances running. Windows Server CA should be enabled on the root and configured to automatically approve certificate requests. Each instance of VM should have a copy of ACS installed. See the iauwsACSconfig.txt file for the items to be configured on each ACS VM. Take a snapshot of each configured VM.
The Cisco NAM should be preconfigured. See the file iauwsNAM.txt for all configuration requirements.
The Cisco NAS should be preconfigured. See the file iauwsNAS.txt for all configuration requirements.
The Cisco NGS should be preconfigured for sponsors. See the file iauwsNGS.txt for all configuration requirements.
General Lab Setup This information details the procedure to set up and configure the lab equipment.
Step 1 Interconnect all the lab equipment.
Step 2 Clear the Cisco 2106 WLC configuration (clear config, reset system without save).
Step 3 In the remote laptops, clear any remaining community on the Cisco Configuration Assistant.
Step 4 In the remote laptops, remove all profiles from the Intel PROSet wireless tool.
Step 5 In the remote laptops, remove all networks and groups from Cisco Secure Services Clients using the ssc Management Utility.
Step 6 In the remote laptops, make sure that the required programs are available as per the previous section.
Step 7 On the class WCS server, install Cisco WCS on ports 80 and 443. Configure with a building and floor and users per the previous section. Perform a Cisco WCS backup with Cisco WCS in its configured state. You will be able to restore the Cisco WCS to its pre-class configuration after the class by restoring this backup.
Step 8 On the main switch, inject the iauwsSwitchConfig.txt file.
Step 9 On the ASA5510, inject the iauws5510config.txt file.
Step 10 On the 4402-12 anchor controller, download the iauwsAnchor4402.txt file.
Step 11 On the Cisco NGS, delete all created users.
Step 12 On the ACS server, revert each VM to the saved snapshot.
Step 13 In the class PCs, make sure that the required programs are available and that connectivity to the Internet is possible.
Lab 1-1: Segmenting Traffic This topic details the lab activity for Lab 1-1.
Objectives You will complete these tasks in this lab:
Restore the WLC to factory defaults and complete the initial CLI wizard setup
Connect to the WLC using the web interface and allow SSH and management via wireless
Configure the required interfaces and WLANs using the provided encryption, authentication, and QoS criteria
Configure DHCP pools on the WLAN controller
Create WLANs to provide data and voice segmentation
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 1-1: Segmenting Traffic
Instructor Notes The students will configure the remote 2106 controllers from a default state.
Common Issues This subtopic presents common issues for this lab.
First question of configuration wizard is skipped. When the controller is cleared and then rebooted, it will attempt an autoconfig. When the student cancels or selects no to bypass the autoconfiguration, an extra carriage return is buffered and the installation wizard skips the first question. The students can use the minus (-) key followed by the Enter key to back up to the first question.
Lab 1-2: Configuring Administrative Security This topic details the lab activity for Lab 1-2.
Objectives You will complete these tasks in this lab:
Configure the controller to use the Cisco Secure ACS for TACACS+ authentication
Add the controller as an AAA client for TACACS+ on the Cisco ACS (Instructor Demo)
Create the administrative user on the Cisco Secure ACS for TACACS+ and assign the appropriate administrative roles (Instructor Demo)
Create an administrative user on the Cisco Secure ACS for TACACS+ and assign the user to the appropriate group (Instructor Demo)
Log in to the 2106 controller with the new administrative user you have created
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 1-2: Configuring Administrative Security
Instructor Notes This lab has the students creating a TACACS+ account on the ACS.
Common Issues Monitor account does not connect. Verify the admin user account is created in the correct group and that the role is entered correctly (“role1=MONITOR”).
Lab 2-1: Configuring EAP Authentication on the Clients This topic details the lab activity for Lab 2-1.
Objectives You will complete these tasks in this lab:
Configure a profile on the wireless client for EAP-FAST authentication using the Intel PROSet wireless client and connect to the secure WLAN
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 2-1: Configuring EAP Authentication on the Clients
Instructor Notes This lab has the students using the Intel supplicant on the remote laptop.
Common Issues This subtopic presents common issues for this lab.
Cisco SSC enabled: If the Cisco SSC supplicant is enabled on the remote PC, it must be disabled before this lab can be performed.
Windows Zero Config enabled: If Windows Zero Config is enabled on the remote laptop, it must be disabled before this lab can be performed.
Intel supplicant will not connect: After verifying that all parameters are configured correctly, if the Intel supplicant still will not connect, disable and re-enable the radio from the Intel supplicant.
Intel supplicant will not process server certificate: If the Intel PROSet supplicant fails with a certificate error indicated on the ACS, verify that the supplicant is configured to accept “Any trusted CA”.
Lab 2-2: Configuring Cisco Secure Services Client This topic details the lab activity for Lab 2-2.
Objectives You will complete these tasks in this lab:
Configure a wireless profile using the Cisco Secure Services Client Management Utility
Verify the wireless profile created using the Cisco Secure Services Client Management Utility is connected
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 2-2: Configuring Cisco Secure Services Client
Instructor Notes This lab has the students using the Cisco sscUtilitiesManager supplicant on the remote laptop. CSSC is designed to utilize one interface and disable any others on the machine. This creates a problem for remote labs since once the wireless client becomes active, the wired interface is disabled. If the student configures the CSSC improperly, the remote PC will become unreachable. The instructor can use the KVM switch to either point the CSSC back to the wired port or disable the CSSC as necessary when this happens.
Common Issues This subtopic presents common issues for this lab.
Cisco SSC disabled: Be sure the students enabled the SSC client.
Lab 2-3: Troubleshooting Wireless Connectivity This topic details the lab activity for Lab 2-3.
Objectives You will complete these tasks in this lab:
Disable the Cisco Secure Services Client
Capture a successful EAP-FAST connection using the debug commands on the controller
Capture a successful EAP-FAST connection using the client troubleshooting log on Cisco WCS
Identify and isolate issues involving client authentication introduced by your instructor (Multiple issues may be introduced, or the same issue using different clients)
Correct the failure
Verify the client has successfully authenticated to the secure wireless network
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 2-3: Troubleshooting Wireless Connectivity
Instructor Notes The instructor will introduce common authentication problems in this lab. The following are examples of problems to introduce. The instructor should tell the students that 802.1X authentication has just been configured on the ACS and the controller and the users cannot connect.
Change the AAA client setting on the ACS for the controller from RADIUS (Cisco Airespace) to RADIUS (Cisco IOS).
Uncheck the Net Users check box on the RADIUS authentication server setting in the controller.
Change the shared secret of the RADIUS authentication server in the controller.
Change the IP address of the RADIUS authentication server in the controller.
Lab 3-1: Configure the WLAN to Support Guest Access This topic details the lab activity for Lab 3-1.
Objectives You will complete these tasks in this lab:
Add the foreign controller as a mobility group member on the anchor controller
Add the anchor controller as a mobility group member on the foreign controller
Configure an interface to be used for guest access, create a Guest WLAN mapped to the interface, and define guest WLAN parameters and policies on the foreign controller
Configure an interface to be used for guest access, create a Guest WLAN mapped to the interface, and define guest WLAN parameters and policies on the anchor controller
Configure the guest credentials on the anchor controller using Cisco WCS
Create a wireless guest profile on your client utility and connect to the guest WLAN on the foreign controller
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 3-1: Configuring the WLAN to Support Guest Access
Instructor Notes This lab requires the students to make configuration settings on two controllers. There are two VLANs configured in the DMZ. VLAN 103 is the management VLAN for configuring the Guest Server and for the 4402 controller. VLAN 203 is the guest user VLAN where the remote laptops connect in this lab.
Common Issues This subtopic presents common issues for this lab.
Anchor controller tunnel failure: The anchor controller has a different mobility group name than the foreign controller in the pod. Check these parameters:
— Mobility Group name in mobility group is set to anchor for the 4402 anchor controller and iauws for all other controllers.
— Guest WLAN parameters like SSID must match between anchor and foreign controller.
— The DMZ has two VLANs, 103 and 203. VLAN 103 is for the controller management interface. VLAN 203 is for the guest WLAN egress interface on the anchor controller for guest connectivity to the Internet via the Firewall.
Lab 3-2: Configure a Controller to use the NAC Guest Server for Authentication This topic details the lab activity for Lab 3-2.
Objectives You will complete these tasks in this lab:
Add your controller as a RADIUS client to the NAC Guest Server
Add a sponsor to the NAC Guest Server
Add the NAC Guest Server as a RADIUS server to your controller
Modify the guest WLAN to direct authentications to the NAC Guest Server
Add a guest user account to the NAC Guest Server
Connect to the guest network using the credentials created on the NAC Guest Server
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 3-2: Configuring a Controller to use the NAC Guest Server for Authentication
Instructor Notes This lab requires the students to make configuration settings on two controllers and the NGS.
Common Issues This subtopic presents common issues for this lab.
Student makes changes on incorrect controller: Ensure the student has made changes to the WLAN on the anchor controller.
Student using wired interface for verification: Students must add static routes on the remote laptop to verify the wireless connections. Each time the student resets the wireless connection, the static routes must be added again.
Lab 3-3: Troubleshooting Guest Access Issues This topic details the lab activity for Lab 3-3.
Objectives You will complete these tasks in this lab:
Identify and isolate a guest access failure introduced by your instructor
Correct the failure
Verify the guest access is working
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 3-3: Troubleshooting Guest Access Issues
Instructor Notes This lab requires the instructor to introduce problems into the network for guest access. Some common examples of problems for this lab follow.
Change the mobility group name of the anchor controller to iauws to match the other controllers. This will cause the controller to fail.
Create an ACL to block IP protocol 97 in the ASA 5505.
Create an ACL to block UDP 16666 in the ASA 5505.
Configure the Anchor controller for tunnel security.
Change the SSIDs between the guest WLAN on the pod 2106 and the anchor controller.
Change the Interface to secure-data on the guest WLAN on the 2106.
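Added here as a worked example (not Cisco tooling and not part of this guide): a small Python checker that models the guest-anchor checks from the Lab 3-1 common issues and the faults introduced in Lab 3-3, so a student or instructor can see which precondition each fault breaks. Controller names and management addresses come from the topology table; the SSID, interface names and the simplified first-match ACL model are constructed, and treating "tunnel security" as a setting that must match on both ends is my assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# From the guide: the mobility tunnel rides on IP protocol 97 (EoIP) and
# mobility control messages use UDP 16666; both must pass the ASA.
EOIP_PROTO = "97"
MOBILITY_UDP_PORT = 16666


@dataclass
class Controller:
    name: str
    mgmt_ip: str
    mobility_group: str             # this controller's own mobility group name
    guest_ssid: str
    guest_interface: str            # interface the guest WLAN is mapped to
    secure_mobility: bool = False   # "tunnel security" setting (assumed must match)
    # mobility list: peer management IP -> group name configured for that peer
    mobility_members: Dict[str, str] = field(default_factory=dict)


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "udp", "tcp" or a protocol number as text
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None     # only meaningful for udp/tcp


def _matches(e: AclEntry, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    if e.src != "any" and e.src != src:
        return False
    if e.dst != "any" and e.dst != dst:
        return False
    if e.proto != "ip" and e.proto != proto:
        return False
    if e.dport is not None and e.dport != dport:
        return False
    return True


def acl_permits(acl: List[AclEntry], src: str, dst: str, proto: str,
                dport: Optional[int] = None) -> bool:
    """First-match evaluation of a simplified ASA-style ACL; implicit deny at the end."""
    for e in acl:
        if _matches(e, src, dst, proto, dport):
            return e.action == "permit"
    return False


def check_guest_anchor(foreign: Controller, anchor: Controller, fw_acl: List[AclEntry],
                       guest_interface: str = "guest") -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # 1. Each side must list the other under the peer's *actual* group name.
    #    Renaming the anchor's group to "iauws" (Lab 3-3) breaks this because
    #    the foreign controller's mobility entry still says "anchor".
    for a, b in ((foreign, anchor), (anchor, foreign)):
        cfg = a.mobility_members.get(b.mgmt_ip)
        if cfg is None:
            findings.append(f"{a.name}: {b.name} ({b.mgmt_ip}) missing from mobility list")
        elif cfg != b.mobility_group:
            findings.append(f"{a.name}: mobility entry for {b.name} says group "
                            f"'{cfg}' but {b.name} is in group '{b.mobility_group}'")
    # 2. Guest WLAN parameters such as the SSID must match on both controllers.
    if foreign.guest_ssid != anchor.guest_ssid:
        findings.append(f"SSID mismatch: {foreign.guest_ssid!r} vs {anchor.guest_ssid!r}")
    # 3. Tunnel security set on only one end (assumption: it must match).
    if foreign.secure_mobility != anchor.secure_mobility:
        findings.append("tunnel security enabled on only one end of the mobility tunnel")
    # 4. The foreign guest WLAN must stay mapped to the guest interface
    #    (Lab 3-3 fault: moving it to secure-data).
    if foreign.guest_interface != guest_interface:
        findings.append(f"{foreign.name}: guest WLAN mapped to {foreign.guest_interface!r}, "
                        f"expected {guest_interface!r}")
    # 5. The firewall between pod and DMZ must pass EoIP and UDP 16666 both ways.
    for s, d in ((foreign.mgmt_ip, anchor.mgmt_ip), (anchor.mgmt_ip, foreign.mgmt_ip)):
        if not acl_permits(fw_acl, s, d, EOIP_PROTO):
            findings.append(f"firewall blocks IP protocol 97 (EoIP) {s} -> {d}")
        if not acl_permits(fw_acl, s, d, "udp", MOBILITY_UDP_PORT):
            findings.append(f"firewall blocks UDP 16666 {s} -> {d}")
    return findings


def demo():
    """Constructed Pod 1 snapshot (controller names and addresses from the topology
    table; SSID and interface names are made up), then two of the Lab 3-3 faults."""
    anchor = Controller("Anchor Controller", "10.103.1.10", "anchor", "iauws-guest",
                        "guest-egress", mobility_members={"10.10.1.10": "iauws"})
    foreign = Controller("Pod1-2106", "10.10.1.10", "iauws", "iauws-guest",
                         "guest", mobility_members={"10.103.1.10": "anchor"})
    acl = [AclEntry("permit", "ip")]
    healthy = check_guest_anchor(foreign, anchor, acl)
    # Fault: the anchor's mobility group renamed to match the other controllers.
    anchor.mobility_group = "iauws"
    renamed = check_guest_anchor(foreign, anchor, acl)
    anchor.mobility_group = "anchor"
    # Fault: an ACL on the ASA blocking UDP 16666 ahead of the permit.
    blocked = check_guest_anchor(foreign, anchor, [AclEntry("deny", "udp", dport=16666)] + acl)
    return healthy, renamed, blocked
```

Calling demo() returns three finding lists: none for the healthy snapshot, one for the renamed mobility group, and two (one per direction) for the blocked UDP 16666.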
Lab 4-1: Configuring the Controller for Cisco NAC This topic details the lab activity for Lab 4-1.
Objectives You will complete these tasks in this lab:
Configure SNMP parameters, a NAC enabled interface and WLAN to provide out-of-band services to a client using WPA2 enterprise security
Configure the WLAN controller as a device on the Cisco NAM
Verify some required Wireless NAC out-of-band configurations on the Cisco NAM
Configure a client profile to use 802.1X/EAP with WPA2 and connect to the NAC enabled secure WLAN
Use the NAC appliance agent to log in and use the NAM and controller GUIs to verify Wireless NAC out-of-band operations
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 4-1: Configuring the Controller for NAC
Instructor Notes This lab has the students use the NAM and NAS.
Common Issues This subtopic presents common issues for this lab.
NAC Appliance Agent login does not pop up: Be sure the student has entered static routes to make the remote PC use the wireless interface.
In our alpha/beta class, we configured a simple requirement check on the NAM to check that the student’s laptop is running Windows XP with Service Pack 3.
When generating the digital certificate on the NAM, use the NAC Appliance IP address as the DN if you don’t have a DNS server in the lab.
Lab 5-1: Configuring Local Authentication on the WLAN Controller This topic details the lab activity for Lab 5-1.
Objectives You will complete these tasks in this lab:
Configure a local network user on the controller
Configure Local EAP on the controller
Configure a WLAN on the controller to use Local EAP authentication
Configure a wireless profile on the remote lab PC and connect to the secure-data WLAN
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 5-1: Configuring Local Authentication on the WLAN Controller
Instructor Notes This lab has the students disable the ACS server to verify local authentication.
Common Issues There are no common issues.
Lab 5-2: Configuring H-REAP for WAN Failure This topic details the lab activity for Lab 5-2.
Objectives You will complete these tasks in this lab:
Configure the controller with a centrally switched WLAN for H-REAP using central 802.1X authentication
Configure a client profile to use the new WLAN created
Enable H-REAP on the access point and configure H-REAP groups
Induce a WAN failure and ensure the client connects to the H-REAP in standalone mode
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 5-2: Configuring H-REAP for WAN Failure
Instructor Notes This lab requires the students to use the CLI to disable the port on the pod controller.
Common Issues This subtopic presents common issues for this lab.
Client will not connect to SSID: If the student does not verify that the access point is in H-REAP standalone mode, the client may get put into the exclusion list when trying to connect to the SSID. Disable client exclusion in the WLAN when troubleshooting client issues.
Lab 5-3: Configuring Management Frame Protection
This topic details the lab activity for Lab 5-3.
Objectives You will complete these tasks in this lab:
Enable the management frame protection AP Authentication Policy on the controller
Enable MFP on a WLAN
Verify MFP is required by the controller
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 5-3: Configuring Management Frame Protection
Instructor Notes This lab has the student verify that the client cannot connect using MFP.
Common Issues This subtopic presents common issues for this lab.
Wireless client cannot authenticate: Make sure student re-enabled the port on the controller via the CLI at the end of Lab 5-2.
Lab 5-4: Configuring Certificate Services This topic details the lab activity for Lab 5-4.
Objectives You will complete these tasks in this lab:
Verify security certificates and EAP-TLS settings on the Cisco Secure ACS
Obtain and install a user certificate and CA certificate on the client
Configure a TLS profile on the client and connect to the WLAN
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 5-4: Configuring Certificate Services
Instructor Notes This lab requires the students to obtain a user certificate from the CA on 10.100.1.5 and create a TLS profile.
Common Issues This subtopic presents no common issues.
52 Implementing Advanced Cisco Unified Wireless Security (IAUWS) v1.0 © 2009 Cisco Systems, Inc.
Lab 5-5: Implementing Access Control Lists This topic details the lab activity for Lab 5-5.
Objectives You will complete these tasks in this lab:
Create an ACL in the controller
Verify the ACL function
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 5-5: Implementing Access Control Lists
Instructor Notes This lab has the students create and apply ACLs on the controller.
Common Issues This subtopic presents common issues for this lab.
Ping will not fail: Be sure the student has entered static routes to make the remote PC use the wireless interface.
Lab 5-6: Implementing IBN This topic details the lab activity for Lab 5-6.
Objectives You will complete these tasks in this lab:
Configure AAA override on a WLAN
Configure a group to send an ACL name and add a user to the ACS
Connect to the WLAN with the new user and verify the AAA override
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 5-6: Implementing IBN
Instructor Notes This lab has the students apply ACLs using IBN on the controller.
Common Issues This subtopic presents common issues for this lab.
Ping will not fail: Be sure the student has entered static routes to make the remote PC use the wireless interface.
Lab 5-7: Troubleshooting H-REAP Security Issues
This topic details the lab activity for Lab 5-7.
Objectives You will complete these tasks in this lab:
Place the H-REAP in standalone mode
Identify, isolate and correct an H-REAP security failure introduced by your instructor
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 5-7: Troubleshooting H-REAP Security Issues
Instructor Notes This lab has the instructor introduce problems that prevent the H-REAP access point from authenticating a user when in standalone mode. The instructor should inform the students that H-REAP access points have just been added to the network and configured for authentication on the ACS server first and then on the local server. Add the proper ACS for each pod to the H-REAP group configuration as a primary server. Do not add the H-REAP access point as an AAA client on the ACS. The student should get an unknown NAS server failure.
Common Issues This subtopic presents no common issues for this lab.
Lab 6-1: Managing Rogue Access Points This topic details the lab activity for Lab 6-1.
Objectives You will complete these tasks in this lab:
Create an open WLAN on the access point
Create rules to identify malicious rogue access points and friendly access points on your controller
Open a connection to a rogue access point with the wireless client
Locate the rogue access point using the WCS and contain the Rogue AP
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 6-1: Managing Rogue Access Points
Instructor Notes This lab requires the student to create a friendly and malicious rogue rule on the controller. The instructor will need to refresh the configuration of the controllers to the WCS and run Rogue AP background “Execute Now” from the Administration>Background Tasks menu on the WCS. The rogue access point is an autonomous access point that is pre-configured with eight SSIDs (rogue1 – rogue8), one for each pod, and configured for open authentication. The student can connect to the rogue SSID from the remote desktop and implement a containment using WCS.
Common Issues This subtopic presents common issues for this lab.
Friendly APs do not show up: The controller has not updated the WCS. Run Rogue AP background “Execute Now” from the Administration>Background Tasks menu on the WCS.
Lab 6-2: Managing IDS Signatures This topic details the lab activity for Lab 6-2.
Objectives You will complete these tasks in this lab:
Modify an IDS signature on the controller using the WCS
Place the rogue access point in containment from the WCS
Observe the IDS alerts on WCS
Visual Objective The figure displays the lab topology that you will use to complete this lab.
Lab 6-2: Managing IDS Signatures
Instructor Notes This lab requires the student to modify an IDS signature on the controller. In this lab, the student will use the WCS to attack their own access point (SSID pod1 – pod8) to generate an IDS signature attack. The friendly access points are defined in Lab 6-1. Since each student is adding only the other controllers' SSIDs as friendly access points, each student must be finished with Lab 6-1 before Lab 6-2 can be completed.
Common Issues This subtopic presents common issues for this lab.
Friendly APs do not show up: The controller has not updated the WCS. Run Rogue AP background “Execute Now” from the Administration>Background Tasks menu on the WCS.
Teardown and Restoration This topic describes how to tear down and restore the equipment that is used in the course.
Step 1 Clear the 2106 controllers configuration (clear config reset without saving).
Step 2 Clear the 4402 configuration, reboot and load the saved configuration using autoconfig.
Step 3 Restore the WCS base configuration.
Step 4 Delete the controllers on pod 1 through pod 8 from the AAA RADIUS client on the NGS. Delete sponsors 1 through 8 and all guest accounts from the NGS?
Step 5 In the remote laptops, delete the log files from the desktop.
Step 6 In the remote laptops, remove the profiles from Intel PROSet.
Step 7 In the remote laptops, open sscManagementUtility and delete the Ethernet network and the IAUWSMGNT group and all networks.
Step 8 In the ACS server, reset each VM to the pre-class snapshot.
Step 9 In the lab server, restore the database you backed up during WCS initial installation, to bring WCS back to “installed, base config database” state.