Application Note
Configuring the Cisco Wireless Security Suite
Revision 2.0

Table Of Contents
1 Summary
2 Prerequisites
2.1 Access Point (AP) and Wireless Bridge Requirements
2.2 Client Requirements
2.3 Workgroup Bridge (WGB) Requirements
2.4 ACS Requirements
3 Configuring EAP-Cisco Wireless (Cisco LEAP)
3.1 Adding the AP to the ACS server
3.2 Configuring the WEP Key Session Timeout
3.3 Enabling EAP-Cisco (Cisco LEAP) on the Root Bridge or AP
3.4 Configuring EAP-Cisco (Cisco LEAP) Clients
4 Configuring MAC Authentication
4.1 Adding the AP to the ACS
4.2 Adding a MAC address to the ACS
4.3 Configuring MAC Authentication on the Root Bridge or AP
5 Configuring Cisco TKIP Enhancements
5.1 Configuring the Root Bridge or AP
5.2 Configuring the Non-root Bridge or AP Repeater
Appendix A—Verify the Firmware and Driver Versions
A.1 Access Point Verification
A.2 Workgroup Bridge Verification
A.3 Client Verification ACU 4.15
A.4 Client Verification ACU 5.01
A.5 Windows CE Verification
Appendix B—Enable Cisco LEAP for ACU 4.15.006
1 Summary
Numerous papers have been written on the topic of IEEE 802.11 security. The major vulnerabilities can be summarized as the following:
• Weak device-only authentication: client devices are authenticated, not users.
• Weak data encryption: Wired Equivalent Privacy (WEP) has been proven ineffective as a means to encrypt data.
• No message integrity: the Integrity Check Value (ICV) has been proven ineffective as a means to ensure message integrity.
Cisco Systems recognizes that 802.11 security vulnerabilities can be a barrier to wireless LAN deployment. To address these vulnerabilities, Cisco has developed the Cisco Wireless Security Suite to provide robust enhancements to WEP encryption and centralized, user-based authentication. This paper discusses the following Cisco Wireless Security Suite features and configurations:
• EAP Cisco Wireless (Cisco LEAP) authentication
• MAC address authentication
• Message Integrity Check (MIC) WEP enhancement
• Per-packet keying WEP enhancement
2 Prerequisites
2.1 Access Point (AP) and Wireless Bridge Requirements
• Cisco Aironet® 340 or 350 Series Access Points
• Cisco Aironet 350 Series Wireless Bridge
• Minimum of 11.05a AP firmware for Cisco LEAP
• Minimum of 11.06a AP firmware for MAC authentication
• Minimum of 11.10T1 AP firmware for MIC and per-packet keying
• Minimum of 11.10T1 for Wireless Bridge Cisco LEAP client
• Minimum of 11.21 AP or Wireless Bridge firmware required for joint EAP/MAC authentication for public space deployments
2.2 Client Requirements
• Cisco Aironet 340 or 350 Series network interface cards (NICs)
• Minimum of firmware v4.25.10 for Cisco LEAP
• Minimum of firmware v4.25.23 for per-packet keying
• Minimum of NDIS driver v6.97 for Cisco LEAP
• Minimum of NDIS driver v8.01.06 for MIC
• Minimum of CE driver v1.5, v1.7 recommended
• Aironet Client Utilities v5.01 recommended
2.3 Workgroup Bridge (WGB) Requirements
• Cisco Aironet 340 or 350 Series Workgroup Bridges
• Workgroup Bridge firmware v8.65
2.4 ACS Requirements
• V2.6 or 3.0 is required to run and authenticate Cisco LEAP/MAC authentication requests
• If authenticating users against a Windows NT/2000 domain, the ACS should already be configured for external DB support
• If authenticating against the local ACS user database, the user database should already be populated
Note: The Cisco LEAP version (draft 8 or draft 10) is a setting on the AP. Cisco recommends that all APs in an ESS run the same version of Cisco LEAP. Clients associating to the APs must run the correct firmware version to interoperate with the Cisco LEAP-enabled APs.
Note: At the time of this paper's publication, WEP enhancements are available for clients based on Windows 95, 98, 2000, Me, XP and NT; Windows CE 2.11 and 3.0; and Macintosh 9.X and 10.X and above.
For instructions on upgrading AP firmware, refer to http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch5.htm
For instructions on upgrading client drivers and firmware, refer to http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/350cards/windows/incfg/win_ch2.htm
For instructions on installing Cisco Secure ACS v2.6, refer to http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/jacsnt26.htm
For instructions on configuring Cisco Secure ACS External DB support, refer to
Version 2.6:
Version 3.0:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/q.htm
For instructions on adding users to the local ACS database, refer to
Version 2.6:
Version 3.0:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/u.htm
ACS v2.6 Release Notes:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/index.htm
ACS V3.0 Release Notes:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/rn301.htm
Cisco Aironet AP 350 Release Notes:
http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350rn/index.htm
Cisco Aironet Client Release Notes:
http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/350cards/index.htm
Cisco Aironet Wireless Software (CCO Software Center)
http://www.cisco.com/public/sw-center/sw-wireless.shtml
3 Configuring EAP-Cisco Wireless (Cisco LEAP)
This section covers basic configurations of Cisco LEAP on the ACS server, the AP, and various clients, including non-root bridges, workgroup bridges, and AP repeaters.
3.1 Adding the AP to the ACS server
1. From the ACS main menu, click on the NETWORK CONFIGURATION button.
2. Click on the ADD ENTRY button.
3. Configure the DNS name of the AP, the IP address of the AP, the RADIUS shared secret and the authentication method, as outlined in Figure 1.
4. Make sure to select RADIUS (Cisco Aironet) in the AUTHENTICATE USING drop-down menu.
5. To complete, click the SUBMIT+RESTART button.
Figure 1 Add AP to ACS
3.2 Configuring the WEP Key Session Timeout
802.1X specifies a reauthentication option. The Cisco LEAP algorithm uses this option to expire the user's current WEP session key and issue a new one. It is important to note that although reauthentication is an option, it is disabled by default. The following configuration enables the 802.1X WEP key timeout.
To determine the timeout value to use, please refer to the WEP timeout document at http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1515_pp.htm
1. From the ACS main menu, click on the GROUP SETUP button. Refer to Figure 2.
2. Select the group whose WEP Key/Session timeout is to be modified. In most cases, the Default group is the one to modify.
3. Click on the EDIT SETTINGS button.
4. Scroll down to the IETF RADIUS ATTRIBUTES section.
5. For value [027] Session-Timeout, select the checkbox and configure the WEP key timeout value in seconds. Refer to Figure 3.
6. Click on the SUBMIT+RESTART button to finish.
Figure 2 ACS Group Setup
Figure 3 RADIUS Session Timeout
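As an added example (not part of the Cisco document), the RADIUS attribute the AP receives once step 5 is configured: [027] Session-Timeout is a standard integer attribute (RFC 2865), and the parser below also handles the default case in which the attribute is absent and reauthentication stays disabled. The sample Access-Accept attribute bytes and the 1800-second value are constructed for illustration.

```python
import struct

# IETF RADIUS attribute type [027] Session-Timeout (RFC 2865, section 5.27).
SESSION_TIMEOUT = 27
# Attribute type 6 Service-Type, used only to build a realistic sample list.
SERVICE_TYPE = 6


def encode_session_timeout(seconds: int) -> bytes:
    """Encode Session-Timeout as a RADIUS attribute: Type, Length, 4-byte value."""
    if not 0 <= seconds <= 0xFFFFFFFF:
        raise ValueError("Session-Timeout must fit in an unsigned 32-bit integer")
    # Length covers the whole attribute, header included: 1 + 1 + 4 = 6.
    return struct.pack("!BBI", SESSION_TIMEOUT, 6, seconds)


def find_session_timeout(attrs: bytes):
    """Walk an Access-Accept attribute list and return the WEP key timeout in seconds.

    Returns None when the attribute is absent, which is the ACS default:
    the AP then never forces the client to reauthenticate and rekey.
    """
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        # A length below 2 or running past the buffer is a malformed packet.
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError(f"malformed RADIUS attribute at offset {pos}")
        if atype == SESSION_TIMEOUT:
            if alen != 6:
                raise ValueError("Session-Timeout must carry a 4-byte integer")
            return struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
        pos += alen
    return None


# Constructed sample attribute lists: the first is what a group with step 5
# applied would send (an illustrative 1800-second timeout), the second is the
# default group with [027] left unchecked.
ACCEPT_WITH_TIMEOUT = struct.pack("!BBI", SERVICE_TYPE, 6, 2) + encode_session_timeout(1800)
ACCEPT_WITHOUT_TIMEOUT = struct.pack("!BBI", SERVICE_TYPE, 6, 2)


if __name__ == "__main__":
    print(find_session_timeout(ACCEPT_WITH_TIMEOUT))     # 1800
    print(find_session_timeout(ACCEPT_WITHOUT_TIMEOUT))  # None
```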
3.3 Enabling EAP-Cisco (Cisco LEAP) on the Root Bridge or AP
1. Browse to the AP or Wireless Bridge.
2. From the SUMMARY STATUS page, click on SETUP.
3. In the SERVICES menu, click on SECURITY.
4. Click on AUTHENTICATION SERVER (refer to Figure 4).
5. Select the version of 802.1X to run on this AP in the 802.1X PROTOCOL VERSION drop-down menu. Please note that Draft 7 is no longer supported.
6. Configure the IP address of the ACS in the SERVER NAME/IP text box.
7. Verify the SERVER TYPE drop-down menu is set to RADIUS.
8. Change the PORT text box to 1645. This is the correct port number to use with the ACS.
9. Configure the SHARED SECRET text box with the value used on the ACS.
10. Select the EAP AUTHENTICATION checkbox.
11. Modify the TIMEOUT text box if so desired. This is how long the AP waits for the ACS to answer an authentication request. If the ACS in use does not respond within this time, the AP will round-robin to the next configured ACS. As seen in Figure 4, the AP supports up to four RADIUS servers or ACSs.
12. Click OK when finished.
Figure 4 ACS Server Configuration
13. The AP should return to the SECURITY SETUP screen.
14. Click on RADIO DATA ENCRYPTION (WEP).
15. Configure a broadcast WEP key by typing a 40- or 128-bit key value in the WEP KEY 1 text box. Refer to Figure 5. If you are using Broadcast Key Rotation, refer to Section 5.1.
16. Select the authentication types to use. Make sure that, at a minimum, the NETWORK-EAP check box is selected.
17. Verify the USE OF DATA ENCRYPTION drop-down menu is set to OPTIONAL or FULL ENCRYPTION. OPTIONAL allows non-WEP and WEP clients on the same AP; be aware that this is an insecure mode of operation. Use FULL ENCRYPTION when possible.
18. Click the OK button to finish.
Figure 5 Encryption Configuration
3.4 Configuring EAP-Cisco (Cisco LEAP) Clients
3.4.1 Configuring the WGB 350 Series
1. Browse to the WGB.
2. Verify the SSID is correct.
3. Click on ALLOW CONFIG CHANGES.
4. In the CONFIGURATION box, click on SECURITY.
5. In the LOGIN USER NAME text box, configure the user name to use for Cisco LEAP authentication. Refer to Figure 6.
6. Click on the SAVE button.
7. In the LOGIN PASSWORD text box, configure the appropriate password.
8. Click on the SAVE button.
9. For the AUTHENTICATION MODE, click on EAP.
10. Verify association to the AP by clicking on ASSOCIATION in the STATISTICS box.
Figure 6 Workgroup Bridge Security Configuration
3.4.2 Configuring ACU 4.15
1. Open the Aironet Client Utilities (ACU).
2. Select the COMMANDS drop-down menu.
3. Click on EDIT PROPERTIES...
4. Select the NETWORK SECURITY tab. Refer to Figure 7.
5. If the LEAP radio button is grayed out, refer to Appendix B.
6. Click the LEAP radio button.
7. Click the ENABLE WEP check box.
8. To disconnect from the WLAN when the client logs off, check the DISASSOCIATE AFTER LOGOFF check box.
9. If required to reboot, do so.
Figure 7 Client LEAP Configuration
3.4.3 Configuring ACU 5.01
1. Open the ACU.
2. Click on the PROFILE MANAGER toolbar button.
3. Click the ADD button to create a new profile (Figure 8).
4. Enter the profile name in the text box and click the OK button.
5. Enter the appropriate SSID in the SSID1 text box (Figure 9).
6. Click the NETWORK SECURITY tab (Figure 10).
7. Click the NETWORK SECURITY TYPE drop-down menu.
8. Select LEAP.
9. Click the CONFIGURE button (Figure 11).
10. Configure the password settings as needed.
11. Click the OK button.
12. Click the OK button on the NETWORK SECURITY screen.
Figure 8 Profile Manager Screen
Figure 9 Profile Entry
Figure 10 Security Configuration
Figure 11 Cisco LEAP Password Settings
3.4.4 Configuring a Non-root Bridge
Configure the non-root bridge for Cisco LEAP in the same manner as a root bridge, as detailed in Section 3.3, then perform the following additional steps:
1. Browse to the Wireless Bridge.
2. Click on SETUP.
3. In NETWORK PORTS, under BRIDGE RADIO, select IDENTIFICATION.
4. Configure the correct LEAP username and password (Figure 12).
5. Click the OK button.
Figure 12 Non-root Bridge LEAP Client Configuration
3.4.5 Configuring an AP Repeater
Configure the AP repeater for LEAP in the same manner as a root bridge, as detailed in Section 3.3, then perform the following additional steps:
1. Browse to the Wireless Bridge.
2. Click on SETUP.
3. In NETWORK PORTS, under REPEATER RADIO, select IDENTIFICATION.
4. Configure the correct LEAP username and password (Figure 13).
5. Click the OK button.
Figure 13 AP Repeater LEAP Configuration
3.4.6 Configuring Windows CE
1. Launch the Aironet Client Utilities on the Windows CE device (Figure 14).
2. Select LEAP from the PROPERTY scroll box.
3. Select ENABLED from the VALUE drop-down menu.
4. Click the OK button.
Figure 14 Windows CE 3.0 ACU
4 Configuring MAC Authentication
MAC authentication is a means for centrally authenticating devices that do not support 802.1X. MAC authentication is an inherently weak form of authentication, as the MAC addresses are transmitted unencrypted across the wireless medium. With MAC authentication, an eavesdropper can easily spoof a MAC address and gain entry into the network.
Note: If the ACS server used for MAC authentication is also used for LEAP authentication, MAC addresses must be stored in cleartext (PAP passwords) only, and a strong CHAP/MS-CHAP password that differs from the MAC address is required as well. If a different, strong CHAP/MS-CHAP password is not set, unauthorized users can use a MAC address as a LEAP user name and password to gain access to the network.
4.1 Adding the AP to the ACS
Refer to Section 3.1. The process is the same.
4.2 Adding a MAC address to the ACS
The ACS can authenticate MAC addresses sent from an AP. A properly configured AP will attempt to authenticate a MAC address using Secure-PAP authentication with the ACS. The MAC addresses are entered into the ACS as users, with the username and password being the MAC address.
1. From the ACS main menu, click on the USER SETUP button.
2. In the USER text box, type the MAC address to add to the user database. Use no dashes, periods, or any other delimiter.
3. At the USER SETUP screen, enter the MAC address in the SECURE-PAP PASSWORD text box. Refer to Figure 15.
4. Select the SEPARATE (CHAP/MS-CHAP) checkbox.
5. Enter a strong password for CHAP/MS-CHAP. This should not match the MAC address.
6. Click the SUBMIT button.
Figure 15 MAC Address Setup in ACS
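The checks below are an added example, not Cisco's code: they assemble the ACS user entry the steps above describe (username and Secure-PAP password both equal to the MAC address, entered without delimiters) and reject an entry whose separate CHAP/MS-CHAP password is missing, short, or equal to the MAC address, which is the condition the note in Section 4 warns about. The function names, the 12-character minimum and the lower-case username form are assumptions.

```python
import re
import secrets
import string

MIN_CHAP_LENGTH = 12  # assumed policy; the document only says "strong"


def acs_mac_username(mac: str) -> str:
    """Strip dashes, periods or colons so the MAC can be the ACS username (step 2)."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return hexdigits.lower()  # lower-case form is an assumed convention


def check_mac_user_entry(username, pap_password, chap_password, min_len=MIN_CHAP_LENGTH):
    """Return a list of problems with a MAC-address user entry (empty list = OK)."""
    problems = []
    if not re.fullmatch(r"[0-9a-f]{12}", username):
        problems.append("username must be the MAC address with no delimiters")
    if pap_password != username:
        problems.append("Secure-PAP password must equal the MAC address (step 3)")
    if not chap_password:
        # Without a separate CHAP/MS-CHAP password, the MAC address itself
        # would be accepted as a LEAP user name and password.
        problems.append("SEPARATE (CHAP/MS-CHAP) password is required (step 4)")
        return problems
    # Compare after normalisation so "00:40:96:..." is caught as well.
    if re.sub(r"[^0-9A-Fa-f]", "", chap_password).lower() == username:
        problems.append("CHAP/MS-CHAP password must not be the MAC address (step 5)")
    if len(chap_password) < min_len:
        problems.append(f"CHAP/MS-CHAP password shorter than {min_len} characters")
    return problems


def make_chap_password(length: int = 16) -> str:
    """Generate a random CHAP/MS-CHAP password for the entry."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_mac_user_entry(mac: str, chap_password: str) -> dict:
    """Assemble the ACS USER SETUP fields for one MAC, rejecting unsafe entries."""
    username = acs_mac_username(mac)
    problems = check_mac_user_entry(username, username, chap_password)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "user": username,
        "secure_pap_password": username,
        "separate_chap_mschap": True,
        "chap_mschap_password": chap_password,
    }


if __name__ == "__main__":
    # Constructed sample MAC address, not a real device.
    print(build_mac_user_entry("00-40-96-AB-CD-EF", make_chap_password()))
```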
4.3 Configuring MAC Authentication on the Root Bridge or AP
There are two modes for MAC authentication.
1. MAC authentication only: this mode allows MAC address authentication as a means of augmenting Open, Shared Key, or Network-EAP authentication.
2. MAC authentication coexisting with EAP authentication: this mode allows either MAC address authentication or EAP (non-Network-EAP) to authenticate the device or user. The AP first attempts MAC authentication and, if that fails, attempts EAP authentication for Open and Shared Key clients.
4.3.1 Configuring MAC authentication only
1. Browse to the AP.
2. From the SUMMARY STATUS page, click on SETUP.
3. In the ASSOCIATIONS box, click on ADDRESS FILTERS.
4. Click the YES radio button for LOOKUP MAC ADDRESS ON AUTHENTICATION SERVER. Refer to Figure 16.
5. Click the NO radio button for IS MAC AUTHENTICATION ALONE SUFFICIENT FOR A CLIENT TO BE FULLY AUTHENTICATED?
6. Click on the AUTHENTICATION SERVER link.
Figure 16 Address Filter Configuration
7. Add the ACS for MAC authentication. Configure the SERVER NAME/IP, SERVER TYPE, PORT, SHARED SECRET, and TIMEOUT. Refer to Figure 17.
Note: The same ACS that does LEAP authentication can also do MAC authentication.
8. Select the MAC AUTHENTICATION checkbox.
9. Click the OK button. The ADDRESS FILTERS page should reappear.
10. Click the OK button.
Figure 17 ACS Server Configuration
11. Browse to the SETUP page.
12. In the NETWORK PORTS box, click on ADVANCED in the AP RADIO section.
13. The AP RADIO ADVANCED page appears. Refer to Figure 18.
14. Determine which authentication type you wish to use MAC authentication with. It is possible to use MAC authentication with LEAP, Open authentication, and Shared-key authentication.
15. For each desired authentication type, select DISALLOWED in the DEFAULT UNICAST ADDRESS FILTER drop-down menu.
16. Click on the OK button to finish.
Figure 18 Enable MAC Authentication per Authentication Type
4.3.2 Configuring MAC Authentication to Coexist with EAP Authentication
This mode of MAC authentication allows MAC authentication and EAP authentication (excluding EAP-Cisco), such as EAP-TLS and EAP-MD5, to coexist using the same 802.11 authentication type (Open or Shared Key).
Note: This configuration requires that EAP authentication be enabled for proper operation. MAC authentication will not occur unless EAP authentication is enabled, resulting in unauthorized MAC addresses being allowed to associate.
1. Verify MAC authentication is configured as detailed in Section 4.3.1.
2. Browse to the AP.
3. Click on SETUP.
4. In the ASSOCIATIONS box, click on ADDRESS FILTERS (Figure 19).
5. Click the YES radio button for IS MAC AUTHENTICATION ALONE SUFFICIENT FOR A CLIENT TO BE FULLY AUTHENTICATED?
6. Click the OK button.
Figure 19 MAC and EAP Authentication Coexistence
5 Configuring Cisco TKIP Enhancements
This section covers configuring the message integrity check, per-packet keying (WEP key hashing) and broadcast key rotation. The configuration is only required on the access point; the clients require no user configuration. Refer to Section 2 for the client requirements to support the MIC and per-packet keying.
5.1 Configuring the Root Bridge or AP
1. Browse to the AP or Wireless Bridge.
2. Click on SETUP.
3. In the NETWORK PORTS section, for the radio, click on ADVANCED.
4. To enable the MIC, select MMH in the ENHANCED MIC VERIFICATION FOR WEP drop-down menu (Figure 20).
5. To enable per-packet keying, select CISCO in the TEMPORAL KEY INTEGRITY PROTOCOL drop-down menu.
6. To enable broadcast key rotation, enter the WEP key timeout configured on the RADIUS server in the BROADCAST WEP KEY ROTATION INTERVAL text box.
Figure 20 Configuring Cisco TKIP Enhancements
5.2 Configuring the Non-root Bridge or AP Repeater
The configuration process is the same as in Section 5.1.
Appendix A—Verify the Firmware and Driver Versions
A.1 Access Point Verification
1. Browse, Telnet or console to the access point.
2. Refer to Figure 21 for HTTP AP firmware version confirmation.
3. Refer to Figure 22 for Telnet/Console AP firmware version confirmation.
Figure 21 AP Firmware Location using HTTP
Figure 22 AP Firmware Location using Telnet/Console
A.2 Workgroup Bridge Verification
1. Browse to the Workgroup Bridge.
2. Refer to Figure 23 for HTTP Workgroup Bridge firmware version confirmation.
Figure 23 Workgroup Bridge Firmware Location using HTTP
A.3 Client Verification ACU 4.15
1. Open the Aironet Client Utilities (ACU).
2. Select the COMMANDS drop-down menu.
3. Click on STATUS.
4. Refer to Figure 24 for ACU client firmware and driver version confirmation.
5. In the STATUS window, click on OK to close the window.
6. Select the HELP drop-down menu.
7. Click on ABOUT AIRONET CLIENT UTILITY.
8. Refer to Figure 25 for the ACU version.
A.4 Client Verification ACU 5.01
1. Open the Aironet Client Utilities (ACU).
2. Click on the STATUS toolbar button.
3. Refer to Figure 24 for ACU client firmware and driver version confirmation.
4. In the STATUS window, click on OK to close the window.
5. Click on the ABOUT toolbar button.
6. Refer to Figure 25 for the ACU version.
Figure 24 Client Radio Firmware and NDIS Driver Version
Figure 25 Client ACU Version
A.5 Windows CE Verification
1. Launch the Aironet Client Utilities on the Windows CE device (Figure 26).
Figure 26 Windows CE ACU
Appendix B—Enable Cisco LEAP for ACU 4.15.006
If the ACU was installed without enabling Cisco LEAP, the LEAP option is disabled. To enable LEAP, the ACU must be reconfigured. The following will re-enable LEAP.
1. Open the Windows CONTROL PANEL.
2. Click on ADD/REMOVE PROGRAMS.
3. Scroll to the AIRONET CLIENT UTILITIES.
4. Click on the CHANGE/REMOVE button. Refer to Figure 27.
5. At the WELCOME window, select the MODIFY radio button and click NEXT>. Refer to Figure 28.
6. Select the LEAP radio button and click the NEXT> button.
7. Select which components to install and click the NEXT> button.
8. Select the Start Menu folder to install ACU into, and click the NEXT> button.
9. If prompted to restart the system, do so.
Figure 27 Change ACU Configuration
Figure 28 Modify ACU Configuration
Posted: Tue Mar 14 14:16:57 PST 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.