Security

Data Datagram Transport Layer Security

Data Datagram Transport Layer Security (data DTLS) applies the DTLS security protocol to the CAPWAP data plane. DTLS

  • encrypts the CAPWAP data packets exchanged between an access point (AP) and a controller,

  • uses separate UDP ports for CAPWAP control (5246) and data (5247) packets,

  • is a standards-track IETF protocol, derived from TLS, that can protect both control and data packets, and

  • is supported up to DTLS version 1.2, the latest version available on the controller.

Feature history for data DTLS

Feature name

Release information

Feature description

Data Datagram Transport Layer Security

Cisco IOS XE Gibraltar 16.7.1

The data Datagram Transport Layer Security (DTLS) is a standards-track IETF protocol that can encrypt both control and data packets based on TLS.

CAPWAP control and data packets

CAPWAP control packets are management packets that are exchanged between a controller and an AP. CAPWAP data packets encapsulate forwarded wireless frames.

If an AP does not support DTLS data encryption, DTLS is enabled only for the control plane, and a DTLS session for the data plane is not established.

DTLS handshake

If an AP supports data DTLS:

  • the AP enables data DTLS after it receives the new configuration from the controller,

  • the AP performs a DTLS handshake with the controller on UDP port 5247, and

  • after the DTLS session is established, all data traffic in both directions (AP to controller and controller to AP) is encrypted.


Note


Throughput is reduced on some AP models when data encryption is enabled, because the AP must encrypt and decrypt every forwarded frame.
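The split between the CAPWAP control port (5246) and data port (5247) makes it straightforward to confirm from a packet capture whether data DTLS is actually in effect, rather than trusting the controller's configuration alone. The following checker is an added example written for this page; it is not code from the original page or from Cisco. It relies only on the packet layouts defined in RFC 5415 (byte 0 of every CAPWAP packet is a preamble whose low nibble is 0 for a plaintext CAPWAP header or 1 for a 4-byte CAPWAP DTLS header followed by a DTLS record) and RFC 6347 (a DTLS record begins with a 13-byte header: content type, version, epoch, sequence number, length). The sample packets are constructed, not captured from real APs.

```python
"""Classify CAPWAP traffic as plaintext or DTLS-protected (added example)."""
import struct

CAPWAP_CONTROL_PORT = 5246
CAPWAP_DATA_PORT = 5247

DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}
DTLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                      22: "handshake", 23: "application_data"}
# content type, version, epoch, 48-bit sequence number, fragment length (RFC 6347)
DTLS_RECORD_HEADER = struct.Struct("!BHH6sH")
CAPWAP_DTLS_HEADER_LEN = 4  # preamble byte + 3 reserved bytes (RFC 5415 4.2)


def classify_capwap(udp_port, payload):
    """Describe one UDP payload seen on a CAPWAP port.

    Returns a dict with 'plane' (control/data), 'encrypted' (True, False, or
    None when undecidable) and 'detail'; DTLS records also carry 'version',
    'epoch' and 'length'.
    """
    plane = {CAPWAP_CONTROL_PORT: "control", CAPWAP_DATA_PORT: "data"}.get(udp_port)
    if plane is None:
        return {"plane": "unknown", "encrypted": None, "detail": "not a CAPWAP port"}
    if not payload:
        return {"plane": plane, "encrypted": None, "detail": "empty payload"}

    preamble = payload[0]
    if preamble >> 4 != 0:  # CAPWAP version nibble must be 0
        return {"plane": plane, "encrypted": None, "detail": "unknown CAPWAP version"}
    kind = preamble & 0x0F
    if kind == 0:
        return {"plane": plane, "encrypted": False, "detail": "plaintext CAPWAP header"}
    if kind != 1:
        return {"plane": plane, "encrypted": None, "detail": f"unknown preamble type {kind}"}

    record = payload[CAPWAP_DTLS_HEADER_LEN:CAPWAP_DTLS_HEADER_LEN + DTLS_RECORD_HEADER.size]
    if len(record) < DTLS_RECORD_HEADER.size:
        return {"plane": plane, "encrypted": None, "detail": "truncated DTLS record"}
    ctype, version, epoch, _seq, length = DTLS_RECORD_HEADER.unpack(record)
    return {
        "plane": plane,
        "encrypted": True,
        "detail": DTLS_CONTENT_TYPES.get(ctype, f"content_type_{ctype}"),
        "version": DTLS_VERSIONS.get(version, f"0x{version:04x}"),
        "epoch": epoch,
        "length": length,
    }


def audit(packets):
    """Return findings for a list of (udp_port, payload) pairs.

    Flags plaintext CAPWAP on the data port (data DTLS not in effect) and
    application_data records below DTLS 1.2. Handshake records are not
    version-checked: the record-layer version of an initial ClientHello may
    legitimately be DTLS 1.0 for backward compatibility.
    """
    findings = []
    for port, payload in packets:
        info = classify_capwap(port, payload)
        if info["plane"] == "data" and info["encrypted"] is False:
            findings.append(f"plaintext CAPWAP data on UDP {port}: data DTLS not in effect")
        if (info["encrypted"] and info["detail"] == "application_data"
                and info["version"] != "DTLS 1.2"):
            findings.append(f"{info['plane']} plane application data uses {info['version']}")
    return findings


def dtls_packet(ctype, version, epoch, seq, body):
    """Build a CAPWAP DTLS header plus one DTLS record (constructed data)."""
    header = DTLS_RECORD_HEADER.pack(ctype, version, epoch, seq.to_bytes(6, "big"), len(body))
    return b"\x01\x00\x00\x00" + header + body


# Constructed samples, not captured traffic.
SAMPLE_PACKETS = [
    (5246, dtls_packet(23, 0xFEFD, 1, 7, b"\xaa" * 32)),            # control plane, DTLS 1.2
    (5247, b"\x00\x10" + b"\x00" * 6),                               # data plane, plaintext CAPWAP
    (5247, dtls_packet(23, 0xFEFD, 1, 3, b"\xbb" * 48)),            # data plane, DTLS 1.2
    (5247, dtls_packet(22, 0xFEFF, 0, 0, b"\x01" + b"\x00" * 20)),  # ClientHello record on 5247
    (5247, dtls_packet(23, 0xFEFF, 1, 9, b"\xcc" * 16)),            # data plane, DTLS 1.0
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PACKETS):
        print(finding)
```

Run it against UDP payloads extracted from a capture taken between the AP and the controller (for example with tshark filtering on udp.port 5246 or 5247). A plaintext preamble on port 5247 after link-encryption has been applied means the AP does not support data DTLS or has not yet rejoined with the new profile.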


The controller does not continue the DTLS handshake after it processes the ClientHello that carries the cookie if the configured cipher suite and the certificate key type do not match, that is, if either of these incorrect combinations is configured:

  • an ECDHE-ECDSA cipher in ap dtls-cipher together with an RSA-based certificate in the wireless management trustpoint, or

  • an RSA cipher in ap dtls-cipher together with an EC-based certificate in the wireless management trustpoint.

This mismatch typically appears when you move the controller from CC to FIPS to non-FIPS mode. Before changing modes, confirm that the key type of the certificate in the wireless management trustpoint matches the cipher suite configured with ap dtls-cipher.


Note


If the DHCP lease time for APs is short and the DHCP pool is small, the AP join may fail or the data DTLS session may fail to establish. In such scenarios, associate the AP with a named site tag and increase the DHCP lease time to at least eight days.


Configure data DTLS (GUI)

Complete this task to enable DTLS data encryption for the APs on the controller.

Procedure


Step 1

Click Configuration > Tags and Profile > AP Join.

Step 2

Click Add to create a new AP Join Profile or click an existing profile to edit it.

Step 3

Click CAPWAP > Advanced.

Step 4

Check the Enable Data Encryption check box to enable DTLS data encryption.

Step 5

Click Update & Apply to Device.


The DTLS data encryption for the APs on the controller is enabled.

Configure data DTLS (CLI)

Complete this task to enable DTLS data encryption for the access points on the controller.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure an AP profile and enter AP profile configuration mode.

Example:

Device(config)# ap profile ap-profile-name

Note

 

Use the default AP profile (default-ap-profile) or create a named AP profile, as shown in the example.

Step 3

Enable link encryption on your profile.

Example:

Device(config-ap-profile)# link-encryption

Answer Yes, when the system prompts you with this message:

Enabling link-encryption will reboot the APs with link-encryption.
                        Are you sure you want to continue? (y/n)[y]:

Note

 

If you set the stats-timer to zero (0) under the AP profile, the AP does not send link encryption statistics.

Step 4

Return to privileged EXEC mode.

Example:

Device(config-ap-profile)# end

Step 5

(Optional) Display the DTLS sessions established with the APs that have joined this controller.

Example:

Device# show wireless dtls connections

Step 6

(Optional) Display the link encryption statistics received from the APs, including whether link encryption is enabled or disabled on each AP.

Example:

Device# show ap link-encryption

The DTLS data encryption for the access points on the controller is now enabled.

Device# configure terminal
Device(config)# ap profile ap-profile-name
Device(config-ap-profile)# link-encryption
Device(config-ap-profile)# end
Device# show wireless dtls connections
Device# show ap link-encryption

802.1X authentication

IEEE 802.1X port-based authentication is a network security protocol that

  • prevents unauthorized devices from accessing the network through a switch port,

  • uses EAP methods to authenticate the connected device before the port forwards its traffic, and

  • integrates with devices such as routers, switches, and access points, depending on the configuration.

Feature history

Table 1. Feature history for 802.1X authentication

Feature name

Release information

Feature description

802.1X authentication

Cisco IOS XE 16.9.1

IEEE 802.1X port-based authentication is a network security protocol that utilizes EAP authentication models to ensure secure communication, and integrates with devices like routers, switches, and access points based on configuration.

Access ports with dual port authentication

Cisco IOS XE 17.17.1

The access ports with dual port authentication feature supports dual Ethernet ports on Cisco Catalyst 9136 APs and Cisco Wireless 9178I APs.

Currently, Cisco Wave 2 and Wi-Fi 6 (802.11ax) APs support 802.1X authentication to the switch port using the EAP-FAST, EAP-TLS, and EAP-PEAP methods. The configuration and credentials are provisioned to the APs through the controller.


Note


If the AP is configured for 802.1X EAP-FAST, on reboot it performs anonymous in-band PAC provisioning, which uses anonymous Diffie-Hellman (ADH) cipher suites to build the TLS tunnel. Authentication fails if the RADIUS server does not offer ADH cipher suites. Note that this provisioning phase does not authenticate the RADIUS server; only the subsequent authenticated tunnel that uses the provisioned PAC does.

EAP-FAST protocol

In the EAP-FAST protocol developed by Cisco, the AP needs a strong shared key, the Protected Access Credential (PAC), to establish a secured TLS tunnel with the RADIUS server. The PAC is provided either by in-band provisioning or by manual out-of-band provisioning.

  • The EAP-FAST type configuration requires 802.1X credentials to be configured for the AP, because the AP authenticates with EAP-FAST using MSCHAP Version 2 as the inner method.

  • Cisco 7925 phones do not support Local EAP.

  • On Cisco Wave 2 APs, for 802.1X authentication using EAP-FAST, ensure that the switch port is configured to trigger re-authentication after PAC provisioning (which occurs on the initial connection or after an AP reload), using authentication timer restart num or authentication timer reauthenticate num.

  • Starting from Cisco IOS XE Amsterdam 17.1.1, TLS 1.2 is supported in EAP-FAST for deployments that require stronger security.

EAP-TLS/EAP-PEAP Protocol

The EAP-TLS protocol provides certificate-based mutual EAP authentication; the EAP-PEAP protocol authenticates the server with a certificate and the client inside the resulting TLS tunnel.

In EAP-TLS, both server-side and client-side certificates are required, and a session key is derived for the particular session to encrypt and decrypt data. In EAP-PEAP, only the server-side certificate is required, and the client authenticates with a password-based protocol inside the secured channel.

The EAP-PEAP type configuration requires 802.1X credentials to be configured for the AP, and the AP must also go through LSC provisioning. The AP uses PEAP with MSCHAP Version 2 as the inner method.

802.1X authentication limitations

The 802.1X authentication limitations are:

  • An AP loses its 802.1X credentials and configuration when migrating from a Cisco AireOS controller to a Cisco Catalyst 9800 controller. To restore them, the AP must join the new Catalyst 9800 controller, which pushes the credentials and configuration needed for authentication on the switch port. You can either temporarily disable 802.1X authentication on the switch port so that the AP can connect and receive its configuration, or use MAC Authentication Bypass (MAB) to give the AP network access for staging. After staging, reload the AP or restart 802.1X authentication on the switch to complete the setup.

  • 802.1X is not supported on dynamic ports or EtherChannel ports.

  • 802.1X is not supported in a mesh AP scenario.

  • The controller cannot recover an AP whose credentials do not match or whose certificate has expired or is invalid. 802.1X authentication must be disabled on the switch port to reconnect the AP and correct the configuration.

  • No certificate revocation checks are performed on the certificates installed on the AP. A compromised or superseded AP certificate therefore remains usable until it expires, so keep LSC validity periods short.

  • You can provision only one Locally Significant Certificate (LSC) for the AP. Use the same certificate for both CAPWAP DTLS session establishment and 802.1X authentication with the switch. If you disable the global LSC configuration on the controller, the AP deletes the already provisioned LSC.

  • If the AP has clear configurations applied, it will lose the 802.1X EAP Type configuration and the LSC Certificates. The AP should undergo the staging process again if 802.1X is required.

  • 802.1X for trunk port APs on multi-host authentication mode is supported. Network Edge Authentication Topology (NEAT) is not supported on COS APs.

  • The AP sends DHCP requests at increasing intervals of 2, 3, 4, 6, 8, 11, 15, 20, 27, 30, 30, 30, 30, 30... seconds. Cisco Catalyst 9100 Series APs reset the interface after a 100-second timeout, which in turn resets the 802.1X timers on the switch port to which they are connected.

Topology

This topic explains how an AP acts as an 802.1X supplicant and how a switch uses a RADIUS server that supports EAP-FAST, EAP-TLS, and EAP-PEAP to authenticate it.

Summary

When dot1x authentication is enabled on a switch port, the connected device must authenticate itself to send and receive data other than 802.1X traffic.

  • For EAP-FAST authentication, configure the AP's 802.1X username and password on the controller; the controller pushes them to the AP in a configuration update request, and the RADIUS server validates them.

  • For EAP-TLS or EAP-PEAP, the APs use certificates (LSCs) issued by the CA server.

Workflow

Figure 1. Topology for 802.1X authentication

Configuring 802.1X authentication type and LSC AP authentication type (GUI)

Complete this task to configure 802.1X authentication type and LSC AP authentication type.

Procedure


Step 1

Choose Configuration > Tags & Profiles > AP Join.

Step 2

On the AP Join Profile page, click Add.

The Add AP Join Profile page is displayed.

Step 3

In the AP > General tab, navigate to AP EAP Auth Configuration.

Step 4

From the EAP Type drop-down list, choose the EAP type as EAP-FAST, EAP-TLS, or EAP-PEAP to configure the dot1x authentication type.

Step 5

From the AP Authorization Type drop-down list, choose either CAPWAP DTLS + DOT1x port auth or CAPWAP DTLS.

Step 6

Click Save & Apply to Device.


The 802.1X authentication type and LSC AP authentication type are configured.

Configure 802.1X authentication type and LSC AP authentication type (CLI)

Complete this task to configure 802.1X authentication type and LSC AP authentication type.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Specify a profile name.

Example:

Device(config)# ap profile ap-profile-name

Step 3

Configure the dot1x authentication type.

Example:

Device(config-ap-profile)# dot1x {max-sessions | username | eap-type | lsc-ap-auth-state}

Here

  • max-sessions: Configures the maximum 802.1X sessions initiated per AP.

  • username: Configures the 802.1X username for all APs.

  • eap-type: Configures the dot1x authentication type with the switch port.

  • lsc-ap-auth-state: Configures the LSC authentication state on the AP.

Step 4

Configure the dot1x authentication type as EAP-FAST, EAP-TLS, or EAP-PEAP.

Example:

Device(config-ap-profile)# dot1x eap-type {EAP-FAST | EAP-TLS | EAP-PEAP} 

Step 5

Configure the LSC authentication state on the AP.

Example:

Device(config-ap-profile)# dot1x lsc-ap-auth-state {CAPWAP-DTLS | Dot1x-port-auth | Both}

Here

  • CAPWAP-DTLS: Uses LSC only for CAPWAP DTLS.

  • Dot1x-port-auth: Uses LSC only for dot1x authentication with port.

  • Both: Uses LSC for both CAPWAP-DTLS and Dot1x authentication with port.

Step 6

Exit the AP profile configuration mode and enter the privileged EXEC mode.

Example:

Device(config-ap-profile)# end

The 802.1X authentication type and LSC AP authentication type have been configured.

Device# configure terminal
Device(config)# ap profile ap-profile-name
Device(config-ap-profile)# dot1x eap-type EAP-TLS
Device(config-ap-profile)# dot1x lsc-ap-auth-state Dot1x-port-auth
Device(config-ap-profile)# end

Configure the 802.1X username and password (GUI)

Complete these steps to configure the 802.1X username and password.

Procedure


Step 1

Choose Configuration > Tags & Profiles > AP Join.

Step 2

On the AP Join page, click the name of the AP Join profile or click Add to create a new one.

Step 3

Click the Management tab and then click Credentials.

Step 4

Enter the local username, password details, and choose the appropriate local password type.

Step 5

Enter 802.1X username and password details.

Step 6

Choose the appropriate 802.1X password type.

Step 7

Enter the time in seconds after which the session should expire.

Step 8

Enable local credentials or 802.1X credentials, or both, as required.

Step 9

Click Update & Apply to Device.


The configuration of the 802.1X username and password is complete.

Configure the 802.1X username and password (CLI)

Complete these steps to configure the 802.1X username and password.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Specify a profile name for the AP.

Example:

Device(config)# ap profile ap-profile-name

Step 3

Enter the dot1x command with the required keyword.

Example:

Device(config-ap-profile)# dot1x {max-sessions | username | eap-type | lsc-ap-auth-state}

Here

  • max-sessions: Configures the maximum 802.1X sessions initiated per AP.

  • username: Configures the 802.1X username for all APs

  • eap-type: Configures the dot1x authentication type with the switch port.

  • lsc-ap-auth-state: Configures the LSC authentication state on the AP.

Step 4

Configure the dot1x password for all the APs.

Example:

Device(config-ap-profile)# dot1x username username password {0 | 8} password 

Here

  • 0: Specifies an unencrypted password will follow.

  • 8: Specifies an AES encrypted password will follow.


The configuration of the 802.1X username and password is complete.

Device# configure terminal
Device(config)# ap profile ap-profile-name
Device(config-ap-profile)# dot1x username username password 0 password

Enable 802.1X on the switch port (CLI)

Complete these steps to enable 802.1X on the switch port.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Enable AAA.

Example:

Device(config)# aaa new-model

Step 3

Create an 802.1X authentication method list that names the AAA method (typically a RADIUS server group) used to authenticate supplicants on 802.1X-enabled ports.

Example:

Device(config)# aaa authentication dot1x {default | listname} method1[method2...]

Step 4

Enable AAA authorization for network services on 802.1X.

Example:

Device(config)# aaa authorization network {default | listname} group radius

Step 5

Enable 802.1X port-based authentication, globally.

Example:

Device(config)# dot1x system-auth-control

Step 6

Enter the interface configuration mode and specify the interface to be enabled for 802.1X authentication.

Example:

Device(config)# interface type slot/port

Step 7

Enable 802.1X port-based authentication on the interface.

Example:

Device(config-if)# authentication port-control {auto | force-authorized | force-unauthorized}

Here are the options:

  • auto: Enables IEEE 802.1X authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-Start frame is received. The device requests the identity of the supplicant and relays authentication messages between the supplicant and the authentication server. Each supplicant attempting to access the network is uniquely identified by its MAC address. Use this option for the port connected to the AP.

  • force-authorized: Disables IEEE 802.1X authentication and causes the port to move to the authorized state without any authentication exchange. The port sends and receives normal traffic without IEEE 802.1X-based authentication of the client. This is the default setting, so a port left at the default does not authenticate the AP.

  • force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the supplicant to authenticate. The device cannot provide authentication services to the supplicant through the port.

Step 8

Set the 802.1X Port Access Entity (PAE) role of the port. Use authenticator on the switch port that faces the AP, because the AP acts as the supplicant.

Example:

Device(config-if)# dot1x pae {supplicant | authenticator | both}

Step 9

Enter the privileged EXEC mode.

Example:

Device(config-if)# end

802.1X is enabled on the switch port.

Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication dot1x default group radius
Device(config)# aaa authorization network default group radius
Device(config)# dot1x system-auth-control
Device(config)# interface fastethernet2/1
Device(config-if)# authentication port-control auto
Device(config-if)# dot1x pae authenticator
Device(config-if)# end

Verify 802.1X on the switch port

To display the authentication state of 802.1X on the switch port, use the following command:
Device# show dot1x all
Sysauthcontrol             Enabled
Dot1x Protocol Version     2
Dot1x Info for FastEthernet1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both 
HostMode                  = MULTI_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
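The show dot1x all output above is what an operator checks after enabling 802.1X on the AP-facing ports, and it is easy to miss a port still at its force-authorized default or, for EAP-FAST APs, a port with re-authentication disabled (the limitation noted earlier: after PAC provisioning the switch port must trigger re-authentication). The following parser and checker is an added example written for this page, not Cisco code; it assumes only the output layout shown above (a global Sysauthcontrol line followed by one Dot1x Info for interface block of Key = Value lines per port). The sample text is constructed from that layout, with a second interface added to exercise the checks.

```python
"""Parse 'show dot1x all' and check the AP-facing ports (added example)."""
import re

# Constructed sample in the layout shown on this page; not real device output.
SAMPLE_SHOW_DOT1X_ALL = """\
Sysauthcontrol             Enabled
Dot1x Protocol Version     2
Dot1x Info for FastEthernet1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Dot1x Info for FastEthernet2
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = FORCE_AUTHORIZED
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Enabled
QuietPeriod               = 60
"""


def parse_show_dot1x_all(text):
    """Return {'global': {...}, 'interfaces': {name: {key: value}}}."""
    result = {"global": {}, "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or separator rule
        match = re.match(r"Dot1x Info for (\S+)", line)
        if match:
            current = match.group(1)
            result["interfaces"][current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            result["interfaces"][current][key.strip()] = value.strip()
            continue
        if current is None:
            parts = re.split(r"\s{2,}", line, maxsplit=1)
            if len(parts) == 2:  # e.g. "Sysauthcontrol   Enabled"
                result["global"][parts[0]] = parts[1]
    return result


def audit_ap_ports(parsed, ap_ports, eap_type):
    """Return a list of findings for the ports that connect APs.

    eap_type is the AP profile's dot1x eap-type (EAP-FAST, EAP-TLS or EAP-PEAP);
    the re-authentication check applies only to EAP-FAST.
    """
    findings = []
    if parsed["global"].get("Sysauthcontrol") != "Enabled":
        findings.append("dot1x system-auth-control is not enabled globally")
    for port in ap_ports:
        info = parsed["interfaces"].get(port)
        if info is None:
            findings.append(f"{port}: no dot1x configuration on this port")
            continue
        if info.get("PAE") != "AUTHENTICATOR":
            findings.append(f"{port}: PAE is {info.get('PAE')}, expected AUTHENTICATOR")
        if info.get("PortControl") != "AUTO":
            findings.append(f"{port}: PortControl is {info.get('PortControl')}; "
                            "the AP is not being authenticated")
        if eap_type == "EAP-FAST" and info.get("ReAuthentication") != "Enabled":
            findings.append(f"{port}: re-authentication disabled; an EAP-FAST AP "
                            "will not re-authenticate after PAC provisioning")
    return findings


if __name__ == "__main__":
    parsed = parse_show_dot1x_all(SAMPLE_SHOW_DOT1X_ALL)
    for finding in audit_ap_ports(parsed, ["FastEthernet1", "FastEthernet2"], "EAP-FAST"):
        print(finding)
```

Feed it the saved output of show dot1x all and the list of ports that carry APs; for EAP-TLS or EAP-PEAP APs pass that EAP type so that the EAP-FAST-specific re-authentication check is skipped.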

Verify the authentication type

To display the authentication state of an AP profile, use the following command:
Device# show ap profile default-ap-profile detailed
        AP Profile Name        : default-ap-profile
        Description            : default ap profile
        …
        Dot1x EAP Method       : [EAP-FAST/EAP-TLS/EAP-PEAP/Not-Configured]
        LSC AP AUTH STATE      : [CAPWAP DTLS / DOT1x port auth / CAPWAP DTLS + DOT1x port auth]

Feature History for Access Point Client ACL Counter

This table provides release and related information about the feature explained in this section.

The feature is also available in all releases subsequent to the one in which it was introduced, unless noted otherwise.

Table 2. Feature History for Access Point Client ACL Counter

Release

Feature

Feature Information

Cisco IOS XE Dublin 17.13.1

Access Point Client ACL Counter

The AP Client ACL Counter feature provides a statistical count for client ACL rules. This feature allows you to count the number of packets that hit a specific rule in the client ACL.

Information About Access Point Client ACL Counter

From the Cisco IOS XE Dublin 17.13.1 release, the AP Client ACL Counter feature provides a statistical count for client ACL rules. Until the Cisco IOS XE Dublin 17.12.1 release, there was no per-rule counter to determine which rule was passing or dropping the packets.

Use this feature to enable the counter in the AP to count the number of packets that hit a specific rule in the client ACL, using the following AP commands:

  • [no] debug flexconnect access-list counter [all | vlan-acl | client-acl]

  • [no] debug flexconnect access-list event [all | vlan-acl | client-acl]

  • To clear ACL counters use the following command:

    • clear counters access-list client <MAC> all

AP Client ACL Counter is supported in the FlexConnect mode and local switching central authentication sub-mode.