how to prepare for the ccnp wireless security (iauws)...

How to Prepare for the

CCNP Wireless Security

(IAUWS) Exam

Jerome Henry

Technology Leader

July 14th 2011

BRKCRT-3214

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKCRT-3214 2

CCIE

CCNP

CCNA Wireless

CCNA

Professional

Associate

Expert

Cisco Career Certifications:

CCNP Wireless

Expand Your Professional Options

and Advance Your Career

Professional level recognition in wireless.

www.cisco.com/go/certifications

Recommended Training Through

Cisco Learning Partners

Wireless LAN Certification

Conducting Cisco Unified Wireless Site Survey

Implementing Cisco Unified Wireless Mobility Services

Implementing Cisco Unified Wireless Voice Networks

Implementing Advanced Cisco Unified Wireless Security


“To give network professionals the information to prepare them to use appropriate security policies and best practices to secure the wireless network from security threats and to ensure the proper implementation of security standards and configuration of security components.”

Implementing Advanced Cisco Unified Wireless Security

IAUWS Course Goal


• Organizational and Regulatory Security Policies

• Secure Client Devices

Configuring EAP Authentication

Configuring Certificate Services

Impact of Security on Application and Roaming

• Design and Implement Guest Access Services

• Design and Integrate a Wireless Network with Cisco NAC Appliance

• Internal and Integrated External Security Mitigations

Mitigating Wireless Vulnerabilities

Managing Rogue Access Points

Configuring Management Frame Protection

Integrating the WLAN Infrastructure with IPS

IAUWS Covered Fields


Secure Client Devices


802.1X/EAP Overview


Authentication


Common EAP Methods

PEAP-MS-CHAPv2

Protected EAP-MS-CHAPv2

Uses a TLS tunnel to protect MS-CHAPv2 exchange

PEAP-GTC

Protected EA-GTC

Uses a TLS tunnel to protect GTC exchange

EAP-FAST

EAP-Flexible Authentication via Secured Tunnels

Uses a tunnel similar to PEAP

Does not require a PKI

EAP-TLS

EAP-Transport Layer Security

Uses PKI to authenticate WLAN network and client

Requires certificates for both client and authentication server


EAP-TLS Authentication


EAP-FAST Protected Access Credential

A PAC consists of

PAC-Key

PAC-Opaque

PAC-Info

The server generates

PAC-Key

PAC-Opaque

PAC-Info

The PAC-Opaque contains

PAC-Key

Client user identity (I-ID)

Key lifetime

PAC-Opaque is encrypted with Master-Key

PAC-Info contains the authority identity (A-ID)


EAP-FAST Phase Zero


EAP-FAST Phase One


EAP-FAST Phase Two


PEAP Phase One


PEAP Phase Two


Group Transient Key


Cisco Secure ACS

RADIUS server

TACACS+ server

Three platforms

Cisco Secure ACS Solution Engine

Cisco Secure ACS for Windows

Cisco Secure ACS Express

Appliance

50 AAA clients

350 unique users in 24-hour period


TLS Parameters


EAP-FAST Parameters

Bottom of Screen


Fast Secure Roaming

PKC

Supported in WPA2

Layer 2 roaming

Transparent to client

Works across mobility groups

Cisco CKM

Proprietary to Cisco

Created prior to WPA and WPA2 for 802.1X with WEP

Supported in WPA and WPA2

Supported by Cisco Compatible Extensions clients

Transparent to the user

Works across mobility groups


Fast Roaming with PKC


Cisco CKM—Creating the PMK


Working with Certificates


Asymmetric Encryption Algorithms

The typical key length is 512 to 4096 bits.

Key lengths greater than or equal to 1024 bits can be trusted.

Key lengths that are shorter than 1024 bits are considered unreliable for most algorithms.


Asymmetric Confidentiality Process

Alice gets the public key from Bob.

Alice encrypts the message using Bob’s public key.

Bob decrypts the message using his private key.


Authentication Using Certificates

Authentication no longer requires the presence of the CA server.

Users exchange their certificates containing public keys.


Using PKI in the WLAN


Using the Certificates


Integrating Wireless and Wired

Sides Security


Identity-Based Networking

Client associates to SSID “data.”

WLAN for SSID “data” mapped to VLAN 10.

Client authenticated by Cisco Secure ACS.

Client belongs to group 2.

Group 2 mapped to VLAN 20.

Cisco Secure ACS sends new VLAN ID (20) to controller.

Controller maps client to VLAN 20.


Enabling RADIUS (IETF) Attributes


Enabling RADIUS (Cisco Airespace)

Attributes


H-REAP in Connected Mode


Standalone H-REAP with RADIUS Backup


Standalone H-REAP with Local Authentication


Cisco NAC Guest Server


Sponsor Creates a Guest Access Account


Guest Uses a Guest Access Account


Cisco NAC Components


Wireless Virtual Gateway Out-of-Band


802.1X Authentication


Posture Assessment


Remediation


Authenticated and Authorized


Wireless Security Beyond

Wireless Users


TACACS+

Authentication

Authorization

ALL

MONITOR

WLAN

CONTROLLER

WIRELESS

SECURITY

MANAGEMENT

COMMAND

LOBBY

Accounting

Encrypted Traffic

TCP port 49

As many as three TACACS+ servers for redundancy

Configure controller

GUI

CLI


Group Settings for Administrative Users


Configuring the Management Group

TACACS+ Section


Rogue Detection


Management Frame Protection


Infrastructure Mode


Client and Infrastructure Mode


Controller-Based IDS

Access point examines frames:

Local mode access point: 802.11 management frames

Monitor mode access point: 802.11 management and data frames

Compares to signature

Detects possible attack

Sends alert to controller


Locating a Rogue Access Point

Most Likely Location


Component Functions

in a wIPS Deployment

Cisco WCS

Cisco MSE (running wireless IPS service)

Cisco controller

Local mode access point

wIPS monitor mode access point


wIPS Alarm Flow


Integrated Deployment


Overlay Deployment


Detecting Rogue APs with wIPS


Rogue Detector Access Point

Rogue detector access point listens to the wired I/F for MAC address from rogue access point or rogue client.

Notifies controller if MAC detected.


Exam Taking Tips!

IAUWS


Exam Taking Tips

Eliminate options—look for subtleties

Look for the best answer

Budget time—total and individual

Sw/Hw context—v5.2, not later

Make an intelligent guess

Provide feedback during exam


Exam Format

• Question formats

Declarative

Procedural

Complex procedural (simulation)

Drag and drop

• Avoided question formats:

Memorization of command syntax or interface/menus

Trick questions

Test Practical Implementation Skills


Exam Format—Declarative

Which of the following is an 802.11b speed?

A. 6 Mbps

B. 11 Mbps

C. 18 Mbps

D. 48 Mbps

A Declarative Exam Item Tests Simple Recall of Pertinent Facts:


Exam Format—ProceduralA Procedural Exam Item Tests the Ability to Apply Knowledge to Solve a Given Issue:

s0 Which two access list statements are necessary on s0 of the Guilford router to allow FTP access to the Greene Division server from the Internet while blocking all other traffic? (Select two)Pickens Division

10.10.126.0/24Greene Division10.11.127.252/24

Gates Server10.11.128.252/24

Internet


Exam Format—SimulationA Complex Procedural Exam Item Tests the Ability to Apply Multiple Knowledge Points to Solve a Given Issue:


Exam Format—Drag and DropA Drag and Drop Tests the Ability to Relate Concepts:

Internetwork

Session

Link

Presentation

OSI Model

TCP/IP Model

Click and drag the correct Layer to the Network Model to which it applies


IAUWS Exam Practice


Practice Item #1

Which EAP frame does Cisco WLC generate to begin the EAP process?

A. EAP Identity RequestB. EAP Start RequestC. EAP Start Response D. EAP Identity Response


Practice Item #1 — Solution

Which EAP frame does Cisco WLC generate to begin the EAP process?

A. EAP Identity Request B. EAP Start RequestC. EAP Start Response D. EAP Identity Response


Practice Item #2

Which two methods can be chosen for the inner method for EAP-FAST when configuring a standard Intel PROSet wireless supplicant?

A. GTCB. TLSC. MD5D. MSCHAPv2



Which two methods can be chosen for the inner method for EAP-FAST when configuring a standard Intel PROSet wireless supplicant?

A. GTC B. TLSC. MD5D. MSCHAPv2


Practice Item #3

Which inner method is used in EAP-FASTv1 during phase two?




Which inner method is used in EAP-FASTv1 during phase two?



Practice Item #4

What tunnel protocol is used to transport the wireless guest client user data between foreign and anchor controllers?

A. CAPWAPB. EoIPC. GRED. LWAPP



What tunnel protocol is used to transport the wireless guest client user data between foreign and anchor controllers?

A. CAPWAPB. EoIPC. GRED. LWAPP


Practice Item #5

What must you configure on the WLAN on the controller to allow the controller to receive the session timeout RADIUS attribute?

A. Enable Session TimeoutB. DHCP RequiredC. Allow WLAN OverrideD. Allow AAA Override



What must you configure on the WLAN on the controller to allow the controller to receive the session timeout RADIUS attribute?

A. Enable Session TimeoutB. DHCP RequiredC. Allow WLAN OverrideD. Allow AAA Override


Practice Item #6

Which version of the Cisco Compatible Extensions introduced PEAP-GTC?

A. v1B. v2C. v3D. v4



Which version of the Cisco Compatible Extensions introduced PEAP-GTC?

A. v1B. v2C. v3D. v4


Practice Item #7

What communication method is used between the Cisco NAM and the controller?

A. CAPWAPB. PEAPC. SSHD. SNMP



What communication method is used between the Cisco NAM and the controller?

A. CAPWAPB. PEAPC. SSHD. SNMP


Practice Item #8

With wireless NAC OOB deployments, which equipment performs the VLAN mapping function mapping the quarantine VLAN to the access VLAN?

A. Access SwitchB. Cisco NASC. Cisco NAMD. WLAN Controller



With wireless NAC OOB deployments, which equipment performs the VLAN mapping function mapping the quarantine VLAN to the access VLAN?

A. Access SwitchB. Cisco NASC. Cisco NAMD. WLAN Controller


Practice Item #9

In PEAP phase one, which combination of certificates is used?

A. client user certificate and Cisco Secure ACS no certificateB. client user certificate and Cisco Secure ACS server

certificateC. client no certificate and Cisco Secure ACS no certificateD. client no certificate and Cisco Secure ACS server

certificate



In PEAP phase one, which combination of certificates is used?

A. client user certificate and Cisco Secure ACS no certificateB. client user certificate and Cisco Secure ACS server

certificateC. client no certificate and Cisco Secure ACS no certificateD. client no certificate and Cisco Secure ACS server

certificate


Practice Item #10

Which standard signature on the controller is not discovered by an access point in local mode?

A. broadcast deauthenticationB. EAPOLC. Management frame floodD. null probe response



Which standard signature on the controller is not discovered by an access point in local mode?

A. broadcast deauthenticationB. EAPOLC. Management frame floodD. null probe response


• Receive 25 Cisco Preferred Access points for each session evaluation you complete.

• Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.

• Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

• Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.

Complete Your Online

Session Evaluation

http://www.ciscolivevirtual.com/


Visit the Cisco Store for Related Titles

http://theciscostores.com

http://theciscostore.com/

Thank you.


how to prepare for the ccnp wireless security (iauws)...

Documents