How to Prepare for the
CCNP Wireless Security
(IAUWS) Exam
Jerome Henry
Technology Leader
July 14th 2011
BRKCRT-3214
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKCRT-3214
Cisco Career Certifications: CCNP Wireless
Expert: CCIE
Professional: CCNP
Associate: CCNA Wireless, CCNA
Expand Your Professional Options and Advance Your Career
Professional level recognition in wireless.
www.cisco.com/go/certifications
Recommended Training Through Cisco Learning Partners
Wireless LAN Certification
Conducting Cisco Unified Wireless Site Survey
Implementing Cisco Unified Wireless Mobility Services
Implementing Cisco Unified Wireless Voice Networks
Implementing Advanced Cisco Unified Wireless Security
IAUWS Course Goal
Implementing Advanced Cisco Unified Wireless Security
“To give network professionals the information to prepare them to use appropriate security policies and best practices to secure the wireless network from security threats and to ensure the proper implementation of security standards and configuration of security components.”
IAUWS Covered Fields
• Organizational and Regulatory Security Policies
• Secure Client Devices
  Configuring EAP Authentication
  Configuring Certificate Services
  Impact of Security on Application and Roaming
• Design and Implement Guest Access Services
• Design and Integrate a Wireless Network with Cisco NAC Appliance
• Internal and Integrated External Security Mitigations
  Mitigating Wireless Vulnerabilities
  Managing Rogue Access Points
  Configuring Management Frame Protection
  Integrating the WLAN Infrastructure with IPS
Secure Client Devices
802.1X/EAP Overview
Common EAP Methods
PEAP-MS-CHAPv2 (Protected EAP-MS-CHAPv2)
  Uses a TLS tunnel to protect the MS-CHAPv2 exchange
PEAP-GTC (Protected EAP-GTC)
  Uses a TLS tunnel to protect the GTC exchange
EAP-FAST (EAP-Flexible Authentication via Secured Tunnels)
  Uses a tunnel similar to PEAP
  Does not require a PKI
EAP-TLS (EAP-Transport Layer Security)
  Uses PKI to authenticate the WLAN network and the client
  Requires certificates for both the client and the authentication server
EAP-TLS Authentication
EAP-FAST Protected Access Credential
A PAC consists of
PAC-Key
PAC-Opaque
PAC-Info
The server generates
PAC-Key
PAC-Opaque
PAC-Info
The PAC-Opaque contains
PAC-Key
Client user identity (I-ID)
Key lifetime
PAC-Opaque is encrypted with Master-Key
PAC-Info contains the authority identity (A-ID)
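The PAC structure on the slide above, worked through in code as an added example (this is not Cisco ACS code, and RFC 4851 deliberately leaves the PAC-Opaque format up to the server). The server issues a PAC-Key, seals the PAC-Key, the key lifetime and the client identity (I-ID) into a PAC-Opaque under a master key only the server holds, and publishes the authority identity (A-ID) in PAC-Info; later it recovers the PAC-Key from the PAC-Opaque the client presents without keeping any per-client state. The sealing routine (an HMAC-SHA256 keystream plus an HMAC tag), the master key, the A-ID and the identities are constructed stand-ins for this example.

```python
# EAP-FAST PAC issuance and server-side recovery, modelled in pure Python.
# Added illustration, not Cisco ACS code: the real PAC-Opaque encoding is
# server-specific, and the sealing below is a constructed stand-in.
import hashlib
import hmac
import os
import struct
import time

MASTER_KEY = os.urandom(32)        # server-only secret (constructed for the example)
A_ID = b"acs-authority-01"         # authority identity carried in PAC-Info (constructed)
PAC_KEY_LEN = 32                   # PAC-Key is 32 octets (RFC 4851)


def _subkey(purpose):
    # Derive separate encryption and MAC keys from the master key.
    return hmac.new(MASTER_KEY, purpose, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _seal(plaintext):
    nonce = os.urandom(16)
    ks = _keystream(_subkey(b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("PAC-Opaque failed integrity check")
    ks = _keystream(_subkey(b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def issue_pac(i_id, lifetime_s, now=None):
    """Server side of Phase 0: generate PAC-Key, PAC-Opaque and PAC-Info."""
    now = int(time.time()) if now is None else now
    pac_key = os.urandom(PAC_KEY_LEN)
    expiry = now + lifetime_s
    # PAC-Opaque = PAC-Key + key lifetime + client identity, sealed with the master key.
    body = pac_key + struct.pack(">Q", expiry) + i_id
    return {
        "PAC-Key": pac_key,                 # the client keeps this secret
        "PAC-Opaque": _seal(body),          # the client stores and later presents this
        "PAC-Info": {"A-ID": A_ID, "expiry": expiry},
    }


def server_recover(pac_opaque, now=None):
    """Phase 1: unwrap the presented PAC-Opaque and enforce the key lifetime."""
    now = int(time.time()) if now is None else now
    body = _open(pac_opaque)
    pac_key = body[:PAC_KEY_LEN]
    expiry = struct.unpack(">Q", body[PAC_KEY_LEN:PAC_KEY_LEN + 8])[0]
    i_id = body[PAC_KEY_LEN + 8:]
    if now > expiry:
        raise ValueError("PAC lifetime exceeded; client must re-provision")
    return pac_key, i_id


def pac_accepted(pac_opaque, now=None):
    """True if the server would accept this PAC-Opaque (intact and unexpired)."""
    try:
        server_recover(pac_opaque, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pac = issue_pac(b"alice@example.test", lifetime_s=3600, now=1_000_000)
    key, ident = server_recover(pac["PAC-Opaque"], now=1_000_500)
    print(key == pac["PAC-Key"], ident, pac["PAC-Info"])
```

The point to take from the model is which side holds what: the client never learns the master key, so it cannot forge or extend a PAC, and an expired or tampered PAC-Opaque is rejected at Phase 1, which pushes the client back through provisioning.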
EAP-FAST Phase Zero
EAP-FAST Phase One
EAP-FAST Phase Two
Group Transient Key
Cisco Secure ACS
RADIUS server
TACACS+ server
Three platforms
  Cisco Secure ACS Solution Engine
  Cisco Secure ACS for Windows
  Cisco Secure ACS Express
    Appliance
    50 AAA clients
    350 unique users in a 24-hour period
EAP-FAST Parameters
Bottom of Screen
Fast Secure Roaming
PKC
Supported in WPA2
Layer 2 roaming
Transparent to client
Works across mobility groups
Cisco CKM
Proprietary to Cisco
Created prior to WPA and WPA2 for 802.1X with WEP
Supported in WPA and WPA2
Supported by Cisco Compatible Extensions clients
Transparent to the user
Works across mobility groups
Fast Roaming with PKC
Cisco CKM—Creating the PMK
Working with Certificates
Asymmetric Encryption Algorithms
The typical key length is 512 to 4096 bits.
Key lengths greater than or equal to 1024 bits can be trusted.
Key lengths that are shorter than 1024 bits are considered unreliable for most algorithms.
Asymmetric Confidentiality Process
Alice gets the public key from Bob.
Alice encrypts the message using Bob’s public key.
Bob decrypts the message using his private key.
Authentication Using Certificates
Authentication no longer requires the presence of the CA server.
Users exchange their certificates containing public keys.
Using PKI in the WLAN
Using the Certificates
Integrating Wireless and Wired Sides Security
Identity-Based Networking
Client associates to SSID “data.”
WLAN for SSID “data” mapped to VLAN 10.
Client authenticated by Cisco Secure ACS.
Client belongs to group 2.
Group 2 mapped to VLAN 20.
Cisco Secure ACS sends new VLAN ID (20) to controller.
Controller maps client to VLAN 20.
Enabling RADIUS (IETF) Attributes
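The identity-based networking flow above, from the controller's side, as an added example (not controller code): ACS returns the new VLAN ID in the IETF tunnel attributes (Tunnel-Type 64 = VLAN, Tunnel-Medium-Type 65 = 802, Tunnel-Private-Group-ID 81, RFC 2868), and the controller parses the Access-Accept and moves the client from the WLAN's VLAN 10 to VLAN 20. The aaa_override flag models the per-WLAN Allow AAA Override setting, which gates whether RADIUS-returned attributes are honoured at all. The packet builder, its random authenticator (a real Response Authenticator is an MD5 over the packet and shared secret), and the sample packets are constructed for this example.

```python
# RADIUS Access-Accept parsing and dynamic VLAN assignment, modelled in Python.
# Added illustration, not controller code; attribute numbers and the tag rule
# follow RFC 2868, the packets below are constructed.
import os
import struct

WLAN_DEFAULT_VLAN = 10        # SSID "data" is mapped to VLAN 10 on the slide
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def build_response(code, identifier, attrs):
    """Assemble a RADIUS response (constructed: the authenticator is random, not MD5)."""
    body = b"".join(struct.pack("BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack(">BBH", code, identifier, 20 + len(body)) + os.urandom(16) + body


def parse_response(packet):
    """Return (code, [(type, value), ...]) and reject inconsistent lengths."""
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, attrs


def _untag(value):
    # Tunnel attributes carry a leading tag byte 0x00-0x1F that groups related
    # attributes; a larger first byte is data, not a tag (RFC 2868, section 3.6).
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assign_vlan(packet, aaa_override):
    """VLAN the controller places the client in, or None when access is rejected."""
    code, attrs = parse_response(packet)
    if code != ACCESS_ACCEPT:
        return None
    if not aaa_override:
        return WLAN_DEFAULT_VLAN        # returned attributes ignored without AAA Override
    tagged = {}
    for t, v in attrs:
        tag, raw = _untag(v)
        tagged.setdefault(t, {})[tag] = raw
    for tag, group in tagged.get(TUNNEL_PRIVATE_GROUP_ID, {}).items():
        ttype = tagged.get(TUNNEL_TYPE, {}).get(tag)
        medium = tagged.get(TUNNEL_MEDIUM_TYPE, {}).get(tag)
        if ttype is None or medium is None:
            continue                    # all three attributes must share one tag
        if (int.from_bytes(ttype, "big") != TUNNEL_TYPE_VLAN
                or int.from_bytes(medium, "big") != TUNNEL_MEDIUM_802):
            continue
        if group.isdigit() and 1 <= int(group) <= 4094:
            return int(group)
    return WLAN_DEFAULT_VLAN            # no usable VLAN attribute: keep the WLAN's VLAN


# Constructed Access-Accept for a group-2 user: ACS returns VLAN 20 with tag 1.
ACCEPT_GROUP2 = build_response(ACCESS_ACCEPT, 7, [
    (TUNNEL_TYPE, b"\x01" + b"\x00\x00\x0d"),
    (TUNNEL_MEDIUM_TYPE, b"\x01" + b"\x00\x00\x06"),
    (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"20"),
])
ACCEPT_PLAIN = build_response(ACCESS_ACCEPT, 8, [])     # no VLAN returned
REJECT = build_response(ACCESS_REJECT, 9, [])

if __name__ == "__main__":
    print(assign_vlan(ACCEPT_GROUP2, aaa_override=True))    # 20
    print(assign_vlan(ACCEPT_GROUP2, aaa_override=False))   # 10
```

Two defensive details matter here: the controller must check that Tunnel-Type and Tunnel-Medium-Type accompany the group ID under the same tag before trusting it, and a malformed or out-of-range VLAN value falls back to the WLAN's configured VLAN rather than leaving the client unassigned.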
Enabling RADIUS (Cisco Airespace) Attributes
H-REAP in Connected Mode
Standalone H-REAP with RADIUS Backup
Standalone H-REAP with Local Authentication
Cisco NAC Guest Server
Sponsor Creates a Guest Access Account
Guest Uses a Guest Access Account
Cisco NAC Components
Wireless Virtual Gateway Out-of-Band
802.1X Authentication
Posture Assessment
Authenticated and Authorized
Wireless Security Beyond Wireless Users
TACACS+
Authentication
Authorization (roles): ALL, MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, COMMAND, LOBBY
Accounting
Encrypted traffic
TCP port 49
As many as three TACACS+ servers for redundancy
Configure controller via GUI or CLI
Group Settings for Administrative Users
Configuring the Management Group—TACACS+ Section
Management Frame Protection
Infrastructure Mode
Client and Infrastructure Mode
Controller-Based IDS
Access point examines frames:
Local mode access point: 802.11 management frames
Monitor mode access point: 802.11 management and data frames
Compares to signature
Detects possible attack
Sends alert to controller
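The detection pipeline on the slide above (access point examines frames, compares them to signatures, alerts the controller), as an added example that is not the controller's engine. It makes the mode difference concrete: a local-mode access point examines 802.11 management frames only, a monitor-mode access point examines management and data frames, so a signature that keys on data frames (EAPOL frames are carried as 802.11 data) can only fire on a monitor-mode access point. The signature names are those used in the practice items later in the deck; the per-signature frame rules, thresholds and the sample capture are constructed simplifications, not the controller's actual signature definitions.

```python
# Controller-based IDS signature matching by access-point mode, modelled in Python.
# Added illustration, not controller code; the rules and capture are constructed.
from collections import defaultdict

# signature -> (802.11 frame type it is detected on, frames per second that trigger an alert)
SIGNATURES = {
    "broadcast deauthentication": ("management", 5),
    "null probe response": ("management", 5),
    "management frame flood": ("management", 30),
    "EAPOL flood": ("data", 10),
}
# What each access-point mode examines, as stated on the slide.
MODE_FRAME_TYPES = {"local": {"management"}, "monitor": {"management", "data"}}
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_EAPOL = 0x888E


def classify(frame):
    """Return the signatures one frame contributes to (constructed rules)."""
    hits = []
    if frame["type"] == "management":
        hits.append("management frame flood")
        if frame["subtype"] == "deauth" and frame["dst"] == BROADCAST:
            hits.append("broadcast deauthentication")
        if frame["subtype"] == "probe_resp" and frame.get("ssid", "") == "":
            hits.append("null probe response")
    elif frame["type"] == "data" and frame.get("ethertype") == ETHERTYPE_EAPOL:
        hits.append("EAPOL flood")
    return hits


def detect(frames, ap_mode):
    """Count signature hits per (signature, source, second); alert at or above threshold."""
    visible = MODE_FRAME_TYPES[ap_mode]
    counts = defaultdict(int)
    for f in frames:
        if f["type"] not in visible:
            continue                      # a local-mode AP never examines data frames
        for sig in classify(f):
            counts[(sig, f["src"], int(f["t"]))] += 1
    alerts = set()
    for (sig, src, _sec), n in counts.items():
        if n >= SIGNATURES[sig][1]:
            alerts.add((sig, src))
    return sorted(alerts)


# Constructed capture: one station sends 6 broadcast deauthentication frames and
# another sends 12 EAPOL frames, all within the same second.
FRAMES = (
    [{"t": 10.1 + i * 0.1, "type": "management", "subtype": "deauth",
      "src": "00:11:22:33:44:55", "dst": BROADCAST} for i in range(6)]
    + [{"t": 10.2 + i * 0.05, "type": "data", "subtype": "data", "ethertype": ETHERTYPE_EAPOL,
        "src": "66:77:88:99:aa:bb", "dst": "00:aa:bb:cc:dd:ee"} for i in range(12)]
)

if __name__ == "__main__":
    for mode in ("local", "monitor"):
        print(mode, detect(FRAMES, mode))
```

Running the same capture through both modes shows the coverage gap directly: the local-mode access point reports only the broadcast deauthentication flood, while the monitor-mode access point additionally reports the EAPOL flood, which is why data-frame signatures call for dedicated monitor-mode radios.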
Locating a Rogue Access Point
Most Likely Location
Component Functions in a wIPS Deployment
Cisco WCS
Cisco MSE (running wireless IPS service)
Cisco controller
Local mode access point
wIPS monitor mode access point
Integrated Deployment
Overlay Deployment
Detecting Rogue APs with wIPS
Rogue Detector Access Point
The rogue detector access point listens on the wired interface for MAC addresses belonging to a rogue access point or rogue client.
It notifies the controller if such a MAC address is detected.
Exam Taking Tips!
IAUWS
Exam Taking Tips
Eliminate options—look for subtleties
Look for the best answer
Budget time—total and individual
Software/hardware context—v5.2, not later
Make an intelligent guess
Provide feedback during exam
Exam Format
• Question formats
Declarative
Procedural
Complex procedural (simulation)
Drag and drop
• Avoided question formats:
Memorization of command syntax or interface/menus
Trick questions
Test Practical Implementation Skills
Exam Format—Declarative
A Declarative Exam Item Tests Simple Recall of Pertinent Facts:
Which of the following is an 802.11b speed?
A. 6 Mbps
B. 11 Mbps
C. 18 Mbps
D. 48 Mbps
Exam Format—Procedural
A Procedural Exam Item Tests the Ability to Apply Knowledge to Solve a Given Issue:
Which two access list statements are necessary on s0 of the Guilford router to allow FTP access to the Greene Division server from the Internet while blocking all other traffic? (Select two)
[Diagram: Guilford router, interface s0 facing the Internet; Pickens Division 10.10.126.0/24; Greene Division 10.11.127.252/24; Gates Server 10.11.128.252/24]
Exam Format—Simulation
A Complex Procedural Exam Item Tests the Ability to Apply Multiple Knowledge Points to Solve a Given Issue:
Exam Format—Drag and Drop
A Drag and Drop Item Tests the Ability to Relate Concepts:
Click and drag the correct Layer to the Network Model to which it applies
Layers: Internetwork, Session, Link, Presentation
Network Models: OSI Model, TCP/IP Model
IAUWS Exam Practice
Practice Item #1
Which EAP frame does Cisco WLC generate to begin the EAP process?
A. EAP Identity Request
B. EAP Start Request
C. EAP Start Response
D. EAP Identity Response
Practice Item #1 — Solution
Which EAP frame does Cisco WLC generate to begin the EAP process?
A. EAP Identity Request
B. EAP Start Request
C. EAP Start Response
D. EAP Identity Response
Practice Item #2
Which two methods can be chosen for the inner method for EAP-FAST when configuring a standard Intel PROSet wireless supplicant?
A. GTC
B. TLS
C. MD5
D. MSCHAPv2
Practice Item #2 — Solution
Which two methods can be chosen for the inner method for EAP-FAST when configuring a standard Intel PROSet wireless supplicant?
A. GTC
B. TLS
C. MD5
D. MSCHAPv2
Practice Item #3
Which inner method is used in EAP-FASTv1 during phase two?
A. GTC
B. TLS
C. MD5
D. MSCHAPv2
Practice Item #3 — Solution
Which inner method is used in EAP-FASTv1 during phase two?
A. GTC
B. TLS
C. MD5
D. MSCHAPv2
Practice Item #4
What tunnel protocol is used to transport the wireless guest client user data between foreign and anchor controllers?
A. CAPWAP
B. EoIP
C. GRE
D. LWAPP
Practice Item #4 — Solution
What tunnel protocol is used to transport the wireless guest client user data between foreign and anchor controllers?
A. CAPWAP
B. EoIP
C. GRE
D. LWAPP
Practice Item #5
What must you configure on the WLAN on the controller to allow the controller to receive the session timeout RADIUS attribute?
A. Enable Session Timeout
B. DHCP Required
C. Allow WLAN Override
D. Allow AAA Override
Practice Item #5 — Solution
What must you configure on the WLAN on the controller to allow the controller to receive the session timeout RADIUS attribute?
A. Enable Session Timeout
B. DHCP Required
C. Allow WLAN Override
D. Allow AAA Override
Practice Item #6
Which version of the Cisco Compatible Extensions introduced PEAP-GTC?
A. v1
B. v2
C. v3
D. v4
Practice Item #6 — Solution
Which version of the Cisco Compatible Extensions introduced PEAP-GTC?
A. v1
B. v2
C. v3
D. v4
Practice Item #7
What communication method is used between the Cisco NAM and the controller?
A. CAPWAP
B. PEAP
C. SSH
D. SNMP
Practice Item #7 — Solution
What communication method is used between the Cisco NAM and the controller?
A. CAPWAP
B. PEAP
C. SSH
D. SNMP
Practice Item #8
With wireless NAC OOB deployments, which equipment performs the VLAN mapping function mapping the quarantine VLAN to the access VLAN?
A. Access Switch
B. Cisco NAS
C. Cisco NAM
D. WLAN Controller
Practice Item #8 — Solution
With wireless NAC OOB deployments, which equipment performs the VLAN mapping function mapping the quarantine VLAN to the access VLAN?
A. Access Switch
B. Cisco NAS
C. Cisco NAM
D. WLAN Controller
Practice Item #9
In PEAP phase one, which combination of certificates is used?
A. client user certificate and Cisco Secure ACS no certificate
B. client user certificate and Cisco Secure ACS server certificate
C. client no certificate and Cisco Secure ACS no certificate
D. client no certificate and Cisco Secure ACS server certificate
Practice Item #9 — Solution
In PEAP phase one, which combination of certificates is used?
A. client user certificate and Cisco Secure ACS no certificate
B. client user certificate and Cisco Secure ACS server certificate
C. client no certificate and Cisco Secure ACS no certificate
D. client no certificate and Cisco Secure ACS server certificate
Practice Item #10
Which standard signature on the controller is not discovered by an access point in local mode?
A. broadcast deauthentication
B. EAPOL
C. Management frame flood
D. null probe response
Practice Item #10 — Solution
Which standard signature on the controller is not discovered by an access point in local mode?
A. broadcast deauthentication
B. EAPOL
C. Management frame flood
D. null probe response
Complete Your Online Session Evaluation
• Receive 25 Cisco Preferred Access points for each session evaluation you complete.
• Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.
• Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
• Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
Visit the Cisco Store for Related Titles
http://theciscostores.com