Cisco wireless security

I have a RADIUS server with Cisco Secure ACS 3.1 and I am trying to set up non-Cisco clients to talk to the server for authentication. Basically they are built-in wireless IBM client cards (Prism) using NIC firmware 1.03.03.00. These cards support 128-bit WEP but I would like them to use the Cisco Secure authorization process, i.e. LEAP. Is this possible?

LEAP is only possible with Cisco client cards and Apple AirPort cards.
EAP is possible with most vendors' client cards, given that you have an OS that supports it.
You may need to find out more information on whose wireless card is in your IBM laptops. Prism is a chipset for WLAN cards.
Many IBM laptops have Cisco client cards as the OEM card. The T30 that I am working on now, for example, has a Cisco card built in. You cannot assume that all IBMs have Cisco cards, but some models do, so please check it out; you may be able to run LEAP.

Similar Messages

  • Cisco wireless and Apple Mac woes

    Hello all,
    I've been working with Cisco wireless and WLCs for a couple of years now but the recent onslaught of Apple Macs is giving me heartburn.  I've seen this at numerous sites now and need to throw it to the community for guidance.
    Basically we have had a number of instances where the Macs just fall off the wifi.  Sometimes it's when they wake from sleep and other times when roaming between APs (1131s with same SSIDs).  Our standard install is WPA2 and per-AP local authentication.  PCs work fine and never an issue.
    We have completed a survey with a spectrum analyser and no RF interference is present nor errors on the radio interface.
    Questions:
    - Is there a preferred Cisco config/setup for Mac's to work reliably?  I've heard loads of rumors but nothing concrete and nor can I find anything specific.
    - Should I be setting up WDS in case there is an authenticating issue.
    - For those who are Mac gurus and happen to be reading. What Mac options we should look at?
    This has all come to a head because the clients IT company who recommended the Macs (different from us doing the network infrastructure) are insisting that the problem is Cisco incompatibility and that we should rip out the Cisco kit and install airports (what tha!!!).
    Thanks in advance for any pointers.
    For those who like a config here it is .... Vanilla stuff really
    Building configuration...
    Current configuration : 2236 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP4
    no logging console
    enable secret xxxxxxxxxxxxxxxxx
    no aaa new-model
    dot11 syslog
    dot11 ssid Home
       vlan 1
       authentication open
       authentication key-management wpa
       guest-mode
       mbssid guest-mode
       wpa-psk ascii xxxxxxxxxxxx
    dot11 ssid avnet
       vlan 2
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii xxxxxxxxxxxxxxxx
    username abcd password 1234
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 1 mode ciphers tkip
    encryption vlan 2 mode ciphers tkip
    ssid Home
    mbssid
    speed  basic-1.0 basic-2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
    channel 2412
    station-role root
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.2
    encapsulation dot1Q 2
    no ip route-cache
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    bridge-group 2 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    hold-queue 80 in
    interface FastEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.2
    encapsulation dot1Q 2
    no ip route-cache
    bridge-group 2
    no bridge-group 2 source-learning
    bridge-group 2 spanning-disabled
    interface BVI1
    ip address 192.168.10.54 255.255.255.0
    no ip route-cache
    ip default-gateway 192.168.10.1
    no ip http server
    no ip http secure-server
    bridge 1 route ip
    line con 0
    line vty 0 4
    login local
    end

    Yeah!! Even I have come across multiple issues with Macs and Cisco. These are the settings which I normally apply on the Cisco gear, and most of the time this solved the issue.
    On the IOS AP, disable Aironet Extensions and set the power local and OFDM to max:
    no dot11 extension aironet
    power local cck max
    power local ofdm max
    end
    On the WLC, disable Aironet IE..
    lemme know if this answered your question..
    Regards
    Surendra
    ====
    Please don't forget to rate the posts which answered your question and mark it as answered or helpful
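
The settings discussed in this thread can be checked mechanically. The script below is an added example, not part of either post: it parses the SSID and radio stanzas of an autonomous-AP config and reports TKIP-only ciphers, `authentication key-management wpa` with no `version 2`, and radios where `no dot11 extension aironet` (the reply's suggestion) is absent. The function names, finding labels and the trimmed `SAMPLE_CONFIG` are assumptions made for illustration.

```python
import re

# Constructed sample: the SSID and radio stanzas of the configuration posted
# above, with IOS indentation restored and unrelated lines dropped.
SAMPLE_CONFIG = """\
dot11 ssid Home
   vlan 1
   authentication open
   authentication key-management wpa
   wpa-psk ascii xxxxxxxxxxxx
dot11 ssid avnet
   vlan 2
   authentication open
   authentication key-management wpa
   wpa-psk ascii xxxxxxxxxxxxxxxx
interface Dot11Radio0
 encryption vlan 1 mode ciphers tkip
 encryption vlan 2 mode ciphers tkip
 ssid Home
 station-role root
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
"""


def parse_ap_config(text):
    """Return (ssids, radios) parsed from an autonomous-AP running config."""
    ssids, radios, ctx = {}, {}, None
    # Lines are stripped first, so a config that lost its indentation still parses.
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"dot11 ssid (\S+)", line):
            ctx = ssids.setdefault(m[1], {"vlan": None, "key_mgmt": ""})
        elif m := re.fullmatch(r"interface (\S+)", line):
            # Only physical radios carry cipher settings; subinterfaces
            # (Dot11Radio0.1) and Ethernet ports close the context.
            is_radio = re.fullmatch(r"Dot11Radio\d+", m[1])
            ctx = radios.setdefault(m[1], {"ciphers": {}, "aironet": True}) if is_radio else None
        elif ctx is None:
            continue
        elif "key_mgmt" in ctx:  # inside a "dot11 ssid" stanza
            if m := re.fullmatch(r"vlan (\d+)", line):
                ctx["vlan"] = m[1]
            elif m := re.fullmatch(r"authentication key-management (.+)", line):
                ctx["key_mgmt"] = m[1]
        else:  # inside a radio interface stanza
            if m := re.fullmatch(r"encryption (?:vlan (\d+) )?mode ciphers (.+)", line):
                ctx["ciphers"][m[1]] = set(m[2].split())
            elif line == "no dot11 extension aironet":
                ctx["aironet"] = False
    return ssids, radios


def audit(text):
    """List (check, subject) findings; empty when none of the checks fire."""
    ssids, radios = parse_ap_config(text)
    by_vlan = {s["vlan"]: name for name, s in ssids.items()}
    findings = []
    for name, s in sorted(ssids.items()):
        tok = s["key_mgmt"].split()
        pinned = "version" in tok and tok[tok.index("version") + 1:][:1] == ["2"]
        if "wpa" in tok and not pinned:
            findings.append(("wpa-version-unpinned", f"ssid {name}"))
    for radio, r in sorted(radios.items()):
        for vlan, ciphers in sorted(r["ciphers"].items(), key=lambda kv: str(kv[0])):
            if "tkip" in ciphers and "aes-ccm" not in ciphers:
                where = f"vlan {vlan} (ssid {by_vlan.get(vlan, '?')})" if vlan else "no vlan"
                findings.append(("tkip-only", f"{radio} {where}"))
        if r["aironet"]:
            findings.append(("aironet-ext-enabled", radio))
    return findings


if __name__ == "__main__":
    for check, subject in audit(SAMPLE_CONFIG):
        print(f"{check:22} {subject}")
```

On the sample, both SSIDs are reported as TKIP-only with no WPA version pinned, which is worth comparing against the "standard install is WPA2" statement in the question before attributing the drops to the clients.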

  • Cisco wireless control system

    We are using Cisco Wireless Control System. I need to block some MAC addresses or devices. How can I do it?

    Hi,
    Yes, you can block the specific client using the MAC address filtering option in WCS.
    This option is available in Configure > Security > MAC Filtering.
    Here you can create a new template as per your requirement.
    Go through the link below for detailed knowledge.
    http://www.cisco.com/c/en/us/td/docs/wireless/wcs/7-0/configuration/guide/WCS70cg/7_0temp.html#wp1095263

  • Cisco Wireless Control System need wireless Lan Controller ?

    Cisco Wireless Control System need wireless Lan Controller , for Rogue detection

    Hi Joao,
    The WCS is used in conjunction with the WLC (Wireless LAN Controller) for Rogue Detection. It is not a must for this function but more of an add-on :)
    The Cisco WCS is an optional network component that works in conjunction with Cisco Aironet Lightweight Access Points, Cisco wireless LAN controllers and the Cisco Wireless Location Appliance.
    From this doc;
    http://www.cisco.com/en/US/products/ps6305/index.html
    Overview of WCS
    The Cisco Wireless Control System (WCS) is a Cisco Unified Wireless Network Solution management tool that adds to the capabilities of the web user interface and command line interface (CLI), moving from individual controllers to a network of controllers. WCS includes the same configuration, performance monitoring, security, fault management, and accounting options used at the controller level and adds a graphical view of multiple controllers and managed access points.
    WCS runs on Windows 2003 and Red Hat Enterprise Linux ES 4.0 and AS 4.0 servers. On both Windows and Linux, WCS can run as a normal application or as a service, which runs continuously and resumes running after a reboot.
    The WCS user interface enables operators to control all permitted Cisco Unified Wireless Network Solution configuration, monitoring, and control functions through Internet Explorer 6.0 or later. Operator permissions are defined by the administrator using the WCS user interface Administration menu, which enables the administrator to manage user accounts and schedule periodic maintenance tasks.
    WCS simplifies controller configuration and monitoring while reducing data entry errors with the Cisco Unified Wireless Network Controller autodiscovery algorithm. WCS uses the industry-standard SNMP protocol to communicate with the controllers.
    From this good doc;
    http://www.cisco.com/en/US/products/ps6305/products_configuration_guide_chapter09186a00806b7270.html#wp1131195
    Detect and Locate Rogue Access Points
    From this WCS doc;
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00806f070a.shtml#new5
    Rogue Detection under Unified Wireless Networks
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml
    Hope this helps!
    Rob

  • Configuration File goes bad in Cisco AnyConnect Secure Mobility Client.

    Hi everyone
    We are running a Cisco ISE Version: 1.3.0.876 Patch 1 for 802.1X deployment (Wired + Wireless) with posture assessment where the supplicant for the endpoint is Cisco Anyconnect Secure Mobility Client v4.0.00061.
    Symptoms:
    The configuration is working fine both wired and wireless, but the issue is that some users suddenly start to have issues connecting wirelessly, with Cisco AnyConnect displaying System Scan: Bypassing Anconnect Scan
    (Some info is masked)
    and when I dug into this I found that the configuration.xml file in the path: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\newConfigFiles is renamed automatically to configuration_bad.xml.
    Workaround:
    Copy and paste a normal configuration.xml into the same path again.
    Restart the Cisco anyconnect services or restart the Endpoint.
    Question:
    So I was wondering if anybody has a clue why this configuration.xml turned bad?
    I'm going to dig into the Event Viewer for logs about this before going to Cisco TAC.

    first poster -
    "Downloads from random internet sites are 5-10 times faster than anything from a server on the VPN."
    Your corporate network may just have too little bandwidth, you're taking a poor internet route between carriers (ISPs are often maxed out, believe it or not), there is a speed and duplex problem, or you have a bad MTU. Test all of them. Your PC's MTU should be 1300 MAX on all interfaces. Use the setmtu.exe tool.
    Jcohen - if you disable the IPS on the ASA does the slow transfer problem go away?

  • Windows 2k8 Radius Server with Cisco Wireless Controllers

    We currently are using a Cisco 4400 wireless controller with an older Cisco Secure ACS appliance that is going EOL.  My hope was to just connect our 4400 Wireless Controller to a Windows Server 2008 RADIUS server (just using Microsoft's Network Policy Server) but have not had any luck in getting this to work.  Does anyone have an easy-to-follow set of instructions on configuration of Microsoft Windows Server 2008 NPS for use with Cisco Wireless Controllers?  Any advice would be greatly appreciated.
    Thank You,
    Jim

    Hi NPT,
    Here is the post which may help you!!
    https://supportforums.cisco.com/message/3073519
    Regards
    Surendra

  • Wireless Security & Methods

    Hi,
    I have some experience with WLAN networks, but I would like to have your opinion on wireless security implementations.
    We have several sites where we have some Cisco access points running IOS. We are currently doing WEP 128b, with MAC authentication against a central ACS server.
    But having fixed WEP and MAC registrations is not very practical.
    Do you know about any method to have authentication against Active Directory (passing through the Cisco ACS), and dynamic WEP keys?
    Any recommendation is welcome.
    Of course with this we would like to bring up our level of security.
    Thanks a lot for all,
    Best Regards,
    Jorge

    An ACS server can be used to do authentication based on user logon to AD.
    So it would only require a single login if your wireless adapter supports it.
    You would just need to enable the wireless vlan to do 802.1x (EAP-FAST) authentication.
    This document would answer some of your questions.
    http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/netqa09186a00802030dc.html

  • Wireless Security & Authentication methods

    Hi,
    I have some experience with WLAN networks, but I would like to have your opinion on wireless security implementations.
    We have several sites where we have some Cisco access points running IOS. We are currently doing WEP 128b, with MAC authentication against a central ACS server.
    But having fixed WEP and MAC registrations is not very practical.
    Do you know about any method to have authentication against Active Directory (passing through the Cisco ACS), and dynamic WEP keys?
    Any recommendation is welcome.
    Of course with this we would like to bring up our level of security.
    Thanks a lot for all,
    Best Regards,
    Jorge

    802.1x/EAP authentication is the most popular authentication method in wireless. The following documents explain how to configure EAP authentication.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a13.shtml

  • Wireless Security Solution

    I have heard a lot of talk about Wireless Security. And have at least a working knowledge of the two possible solutions, VPN and EAP. However, how to choose the best possible solution? VPN is expensive and still leaves me vulnerable to Impersonation attacks. EAP is cheaper but nonetheless leaves me vulnerable to Brute Force attacks. Of course the chances of someone walking into our building(s) and stealing a laptop with VPN software on it are probably greater than any of the aforementioned threats. I guess what I'm looking for is a "voice from above" to guide me on which solution I can take to my superiors and say "This is what we are going to do" and why solution X is better than solution Y.
    Thanks!
    STU...

    Stu,
    VPN vs WLAN: To what degree do you want to geographically control access? If WLAN is attractive because you’re looking at a LAN bridging solution, then VPN is overkill. But if the distances are great (connecting from home) WLAN is out. In WLAN terms how big is your proposed "cell" (800m) or is the reach of users measured in miles? I can share with you an outline of WAP security controls for WLAN if what you’re leaning toward is a LAN-bridging solution. That should help you get your arms around security for a Cisco-centric WLAN solution. I do security 100% of the time, and I just finished due-diligence for WAP WLAN bridging.
    -Mark

  • Issues reconnecting with cisco anyconnect secure mobility client when plugged in via ethernet

    Hi,
    I have a laptop running Windows 8 x64 with the Cisco AnyConnect Secure Mobility Client version 3.1.02040.  Ethernet and Wireless enabled.  by default, ethernet works primarily until the system detects that ethernet is down, i.e. undocked from docking station, it should switch to wireless.
    Problem:  When connected to vpn via ethernet card, it connects without any issues, but when i disconnect it takes a few seconds to disconnect, like 10+ seconds.  I try to reconnect to vpn but it says something is wrong with the vpn client and to restart the OS.  I restart and my system just takes forever to restart and eventually it will restart, but the OS will generate a MS crash dump. 
    If i undock my laptop and connect to vpn via my wireless card, everything works fine.  i can disconnect from vpn and it does it in a few seconds, I can reconnect without any issues.
    please advise...thanks.
    dan

    anyone found the fix for this?

  • Wireless security with zero client configuration

    Dears,
    I have a client that needs to have 802.1x-based wireless security with zero configuration on his smartphone devices: just select the SSID, get prompted for authentication, log in with his domain account, and that's it.
    Is it possible?

    You can find examples on the Internet depending on what RADIUS server you're using.
    Here are some:
    http://www.labminutes.com/sec0095_acs_wireless_dot1x_peap_eap_tls_machine_authentication_2
    http://networklessons.com/wireless/peap-and-eap-tls-on-server-2008-and-cisco-wlc/
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Cisco Wireless NAC Appliance - Design Practices ??

    Hi,
    I have a new Cisco Wireless NAC appliance, the purpose of which is to manage guest users' access to the network. I have been searching for some best practices related to the design of this appliance but haven't found any.
    Can anybody help me by sharing his design experience or any document which would guide me in deciding on the design / placement of this NAC device in the network?
    Thank You.

    Hi,
    There is no such thing as a "Wireless NAC appliance".
    The question is "do you have the NAC Guest Server" or the "NAC appliance Server and NAC appliance Manager (CAS/CAM)"?
    Because those are just not the same at all.
    Then on the wireless side, do you have autonomous APs or a WLC ?
    Sorry to ask, but there's just so many possibilities you could be asking that we need to clarify.
    My bet is that you are either looking for this :
    http://www.cisco.com/en/US/partner/products/ps6128/products_configuration_example09186a0080a138cc.shtml
    or for this :
    http://www.cisco.com/en/US/partner/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html#wp1092277
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Cisco Wireless Cable Modem & Time Capsule

    Hi,
    I am having a problem extending the Cisco wireless modem using Time Capsule.
    1) I am trying to wirelessly extend the range with the Time Capsule but it hits an error like "can't extend this wireless".
    2) Since I hit the error in 1), I tried the Join wireless setup. I can successfully join the wireless network but I could not use the Ethernet port.
    Any advice, please.

    If you have not already done so, perform a Factory Default Reset on the Time Capsule (TC) to get it back to a known state.
    Resetting an AirPort Base Station or Time Capsule FAQ
    Then before you hook up the Time Capsule, make sure that the Ethernet port is working correctly on the AirPort Express (AX) by connecting a laptop to the Ethernet connection. Turn off the wireless on the laptop and see if you can get an Internet connection. If you can, the AX and the Ethernet port are working correctly.
    Connect an Ethernet cable from the AX to the WAN port (circle of dots or world icon) on the TC
    Open AirPort Utility, select the TC, and click Manual Setup
    Click the Time Capsule tab below the icons to assign a name to the TC, device password and adjust Time Zone settings
    Click the Wireless tab
    Wireless Mode = Create a wireless network
    Wireless Network Name = Same name as the Cisco network if you want more coverage under that name
    Check mark next to Allow this network to be extended
    Radio Mode = Auto
    Channel = Auto
    Wireless Security = Exact same setting that the Cisco network is using...if you want more coverage...etc.
    Wireless Password = Same password as the Cisco network
    Confirm Password
    Click the Internet icon, then the Internet Connection Tab
    Connect Using = Ethernet
    Connection Sharing = Off (Bridge Mode)
    Update to save settings, wait a minute or two, then power off the entire network and restart again, starting with modem, then Cisco, then AX, then TC, then other devices.
    If you want the TC to provide a different wireless network than the Cisco, then assign a different name to the Wireless Network Name on the TC.

  • Window 8 WiFi problem with Cisco wireless network

    Anyone encounter a Windows 8 WiFi authentication problem with Cisco wireless network?
    We are using WLC 5508, 7.2.111, and AP 3602i with WPA2.
    Sent from Cisco Technical Support iPad App

    This problem occurred with Sony and Dell models.  Lenovo with Windows 8 factory installed is working fine.
    Won't make any difference as these laptops' wireless NIC cards are different.
    Can you try with OPEN authentication.  If the Sony and/or Dell laptop works, then you start cranking up the security and/or encryption settings until you break them.
    I'm with Scott here:  It's got to be a wireless NIC card driver.
    As what George has stated, post the debug of the failed attempts.

  • WRT160N keeps disabling wireless security

    Hello,
    I've had a WRT160N v3 for a couple of years, and I've noticed that the wireless security setting is often set to disabled when I go into the configuration, even though I've set to enabled previously.   It goes like this....
    I've set up the router to have WPA2 Personal security enabled, with a passphrase.  I have several devices that use wireless that connect to it every day.  I recently received a new device, so I went into the Linksys configuration to get my passphrase, and the Security is set to disabled.  So, I enable it again, configure the device, and have no problems.
    This has happened many times.  I just happen to be in the router configuration and check the wireless security tab, and it is set to disabled.
    My first thought was that maybe there had been a power loss (although, I can't remember the last power outage we had in my area).  However, every other setting was retained, so I can't see why this would be the only one that changes (and it's a rather important setting).  Additionally, I was configuring a Blu-ray player last night, trying to see if it was better with a wired setting from another Access Point, and the setting was disabled, so I enabled it again.  I made changes to the BR player, then changed it back to a wireless connection.  I checked the security setting on the Linksys, and AGAIN it was disabled.
    I have the latest firmware installed.
    Does anyone have advice?
    Thanks!

    Hi oook,
    I have Ver.3.0.03 Build 3 (the latest).  I had updated it last year when it was released.  I'm not trying to do any port forwarding, though. 
    oook wrote:
    Let me know the firmware version of the router? Here is the link to check the router's firmware version: http://www6.nohold.net/Cisco2/ukp.aspx?pid=93&vw=1&articleid=4046
    So before upgrading the firmware of your router, your computer must have an active Internet connection to download the firmware file. Once the firmware is downloaded, you can proceed with the firmware upgrade even without Internet connection.
    Here is the link from where you can download the firmware: http://homesupport.cisco.com/en-us/support/routers/WRT160N
    Here is the link for the steps to upgrade the firmware: http://www6.nohold.net/Cisco2/ukp.aspx?pid=93&login=1&vw=1&app=search&articleid=4030&userrole=Linksy...
    After upgrading the firmware reset and reconfigure the router once and then try to do the port forwarding...
