LP IRM – Nice Sophia-Antipolis

TP#004.4

Configuring Wireless security : EAP

Table of Contents

Configuring LEAP/EAP using Local RADIUS Authentication

Step 1 Configure the AP WEP keys or cipher

Step 2 Configure RADIUS server (destination authentication server)

Step 3 Configure local RADIUS server (authenticator)

Step 4 Configure users (supplicant)

Step 5 Configure authentication on AP

Step 6 Verify the LEAP configuration

Step 7 Configure authentication on client (LEAP on the ADU)

Step 8 Verify the wireless connection

Configuring LEAP/EAP using Local RADIUS Authentication

Objective

In this lab, the student will learn about the second generation of Wireless LAN security and how to implement LEAP on a Wireless LAN for secure client authentication.

The main steps to this lab are:

1. Configure AP WEP Key or Cipher

2. Configure RADIUS Server

3. Configure Local RADIUS Server

4. Configure Users

5. Configure and verify LEAP/EAP Authentication on the AP

6. Configure LEAP/EAP on the client (408py) through ADU

7. Monitor the connection, login, and authentication statistics

Scenario

One way to secure wireless LANs and improve network security is to require authentication before accessing the AP. Wireless clients can use the Extensible Authentication Protocol (EAP) to authenticate to a wireless LAN. 802.1x local RADIUS authentication is available on the 1240 APs; this allows LEAP/EAP to be used without requiring an external RADIUS server.

Topology

Note: details of the PCs below:

● 408px (where x = 1, 3, 5, 7, 9) is a Windows Server 2003

● 408py (where y = 2, 4, 6, 8, 10) is a Windows XP Pro

Preparation

The student PC should be connected to the AP through an isolated wired network (or a crossover cable).

The AP should be set to factory defaults.

Team / x= / y= / AP Name / SSID / AP address / 408px address / 408py address
12 / 1 / 2 / ap12 / tp12 / 10.0.12.101/24 / 10.0.12.x/24 / 10.0.12.y/24
34 / 3 / 4 / ap34 / tp34 / 10.0.34.101/24 / 10.0.34.x/24 / 10.0.34.y/24
...

Tools and Resources

Each team will need:

• One AP (with all 4 antennas plugged in!)

• The AP power supply or source

• A PC that is connected to the same wired network as the AP (with one crossover cable)

• A wireless PC or laptop as a client

Additional Materials

ide_book09186a0080147d69.html

See your instructor for:

• this kind of document

• networking and performance tools

• Cisco, NetGear and 3Com software, drivers, docs, ...

Preparation

Prior to this lab, the Cisco Aironet AP should be configured to allow clients to associate. The IP address, hostname and SSID should be configured on the AP.

Step 1 Configure the AP WEP keys or cipher

In order to enable Cisco LEAP on the AP, WEP Encryption or a Cipher must be enabled.

a. From the SECURITY>Encryption Manager page of the AP, configure the Encryption Key 1.

b. Click on the WEP Encryption radio button.

c. Select Mandatory.

d. Click Apply-All interfaces.

e. The Cipher option can be used for greater security. What options are available? Try classifying them into the WEP, WPA and WPA2 categories:

______|______

______|______

______|______

______|______

______|______

______|______

Step 2 Configure RADIUS server (destination authentication server)

RADIUS (Remote Authentication Dial-In User Service) is a protocol rather than a server itself; the same applies to LDAP. By extension of language, however, any database of user accounts that can be queried remotely through a plugin speaking the RADIUS protocol is called a RADIUS server:

● For instance, a Windows Active Directory with the Internet Access Server plugin enabled.

● A flat file or dbm file used as the repository for FreeRADIUS.

● ... most of today's directories are both RADIUS- and LDAP-enabled.

Usually, since a RADIUS server is the central repository for a company's user accounts, the authentication service must be provided with high availability. To this end, the service has to be implemented with distributed redundancy.

A backup RADIUS server is embedded in the AP for the case where your company does not have a RADIUS server but still wants to use EAP. As we do not have a central RADIUS server, we will directly configure this embedded RADIUS server as your backup one.


In this scheme:

● the supplicant is your wireless client with the appropriate ADU profile

● the authenticator is the AP (acting as a sort of intermediate RADIUS client of the RADIUS server)

● the authentication server is the AP too; more precisely, the RADIUS server embedded inside your AP is the destination authentication server for itself

Complete the following steps to configure the Backup RADIUS Server from the SECURITY>Server Manager Page:

a. In the Backup RADIUS Server frame, enter the IP address of the Local RADIUS server in the Server Name/IP entry field. This will be the IP address of the AP where the local RADIUS database is running (should be 10.0.XY.101).

b. Enter the Shared Secret key of iforgot.
Note: This shared secret is used for authentication when the AP acts as an intermediate authenticator talking to the authentication server.

c. Click Apply.

Step 3 Configure local RADIUS server (authenticator)

Complete the following steps to configure a Local RADIUS Server from the SECURITY>Local RADIUS Server page:

a. Click on the GENERAL SET-UP tab.

b. In the Network Access Servers frame, enter the IP address of the Local RADIUS server in the Server Name/IP entry field. This will be the IP address of the AP where the local RADIUS database is running, 10.0.XY.101.

c. Enter the Shared Secret key of iforgot.

d. Click Apply.
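As an added example (not part of this lab handout), the following Python script shows what the shared secret entered in Steps 2 and 3 actually does on the wire between the AP acting as authenticator and the RADIUS server: it authenticates the Access-Request that carries the EAP payload (Message-Authenticator, RFC 3579) and lets the AP check that an Access-Accept really came from a holder of the secret (Response Authenticator, RFC 2865). The packets, the user name aaauser and the EAP payloads are constructed inside the script; no live AP is involved.

```python
import hashlib, hmac, os, struct

SECRET = b"iforgot"          # shared secret entered in Steps 2 and 3 of the lab
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def avp(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, request_auth, eap_payload, secret=SECRET):
    """AP-as-authenticator -> RADIUS server. The Message-Authenticator is an
    HMAC-MD5 over the whole packet with its own value zeroed (RFC 3579)."""
    attrs = avp(USER_NAME, b"aaauser") + avp(EAP_MESSAGE, eap_payload)
    attrs += avp(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    pkt += request_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def check_message_authenticator(pkt, secret=SECRET):
    """Server side: the request is processed only if the HMAC verifies, so a
    NAS that does not know the secret is rejected (assumes the attribute is last)."""
    zeroed = pkt[:-16] + bytes(16)
    want = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(pkt[-16:], want)

def build_access_accept(ident, request_auth, attrs, secret=SECRET):
    """Server -> NAS. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs

def check_response(reply, request_auth, secret=SECRET):
    """NAS side: recompute the Response Authenticator from the shared secret and
    the Request Authenticator it sent; a reply forged without the secret fails."""
    head, got, attrs = reply[:4], reply[4:20], reply[20:]
    want = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(got, want)

if __name__ == "__main__":
    req_auth = os.urandom(16)                       # Request Authenticator (random)
    eap_identity = b"\x02\x01\x00\x0c\x01aaauser"   # constructed EAP Response/Identity
    req = build_access_request(7, req_auth, eap_identity)
    print(check_message_authenticator(req))                      # True
    accept = build_access_accept(7, req_auth, avp(EAP_MESSAGE, b"\x03\x01\x00\x04"))
    print(check_response(accept, req_auth))                      # True
    print(check_response(accept, req_auth, b"wrong-secret"))     # False
```

Note that both checks rely only on MD5 keyed with the shared secret, which is why a weak or shared-everywhere secret such as the lab's iforgot must never leave the lab.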

Step 4 Configure users (supplicant)

Usually, you define your OS users' accounts in a directory such as AD or an OpenLDAP server. You may have to consider using a different directory to store remote access user accounts and passwords that differ from the other ones.

Explain why it is better to consider using a separate repository for network access users' accounts:

______

______

______

______

In our case, we will define the users' accounts locally, which is not practical if you plan to deploy more than three access points.

Complete the following steps to configure users from the SECURITY>Local RADIUS Server page:

a. Continue from the GENERAL SET-UP tab.

b. Enter the following users in the Individual Users frame:

User / Username / Password / Encryption
1 / aaauser / aaapass / text
2 / Cisco1 / ciscopass / text
3 / Administrateur / Cisco-CCNA / text

c. Click Apply.

Step 5 Configure authentication on AP

Cisco uses a proprietary, patented EAP protocol called LEAP. Remember that you must then use specific Cisco hardware and client software to deploy it.

What are the other EAP standard protocols?

______

______

______

______

In order to enable Cisco LEAP on the AP, complete the following steps to configure the Authentication Method:

a. On the SECURITY>SSID Manager page of the AP, create a new SSID of tpXY.

b. Check the Network EAP box with <NO ADDITION>.

c. Uncheck the Open Authentication box.

d. Click the Apply button.

You should be prompted with a warning message similar to this one.

Step 6 Verify the LEAP configuration

From the SECURITY Home page of the AP, verify that Network EAP is checked and that the only SSID is tpXY. Also verify that Server Based Security is configured with a RADIUS type and EAP enabled, and that Radio0-802.11G Encryption Settings is set to Cipher (WEP 128 bits).

Step 7 Configure authentication on client (LEAP on the ADU)

In order to enable the EAP in the Aironet Desktop utility, complete the following steps:

a. On 408py, configure the TCP/IP settings for the Wireless Network Connection.

b. Go to the Security tab in the Aironet Desktop Utility on 408py and each of the wireless client computers.

c. Check 802.1x, select LEAP from the 802.1x EAP Type: drop-down list and click Configure.

d. Click on Use Saved User Name and Password.

i. Enter aaauser for the User Name.

ii. Enter aaapass for the Password.

iii. Enter aaapass for the Confirm Password.

iv. Uncheck the two checkboxes at the bottom of the LEAP Settings window (No network connection ...).

v. Click OK.

e. In the profile manager, select the profile on which LEAP is configured and click OK. If a saved username and password were not configured, an authentication screen should come up asking for a user ID and password. Type in the following.

i. The username for authentication is aaauser.

ii. The password for authentication is aaapass.

f. A LEAP Authentication Status window describing the process will be displayed, and then the ADU icon should change to green once the authentication is complete.

g. Modify the 802.1x method so that the LEAP process uses the Windows User Name and Password.
Describe the mandatory steps through the ADU interface:

______

______

Note: Remember it is safer to keep OS user accounts on one hand and network user accounts in a different directory on the other hand.

h. Modify the 802.1x method so that the LEAP process prompts the user for their name and password.

Describe the mandatory steps through the ADU interface:

______

______

i. Debug/Trace on the AP's side:
Add the appropriate debug options in order to see the whole authentication process. Write down the commands you have found and some comments:

______

______

______

______

______

j. Debug/Trace on the client's side:
Enable the EAPOL and RASTLS tracing options on Windows using the following commands:

c:\> netsh ras set tracing eapol enabled

c:\> netsh ras set tracing rastls enabled

in order to see the whole authentication process logged in %SystemRoot%\Tracing.
Write down the outputs and some comments:

______

______

______

______

______

Step 8 Verify the wireless connection

From the ASSOCIATION page of the AP, verify the association state. This should display all of the connected clients.

a. From 408px or 408py, browse to the AP ASSOCIATION page to verify the connection.

b. What are the three authentication states?

______

______

______

From the EVENT LOG Page of the AP, check the association logs.

From the SECURITY>Local RADIUS Server Page of the AP, click on the STATISTICS tab.

Verify the User Information for authentication successes, failures, and blocks.

Try using the debug commands found in Step 7.

c. If the configuration was saved to flash, erase the startup configuration and reload the AP.

apXY#erase startup-config

apXY#reload