Console Server. Con. Cisco Aironet Port Figure 1: Aironet configuration

Transcription

1 Lab details At present C.6 has three Cisco Aironet 1200 access points, and three Linksys access points. The Cisco Aironets can be accessed through a console server using the console address and a specific TCP port. There are also 12 Cisco 350 Aironet wireless clients, and eight Belkin wireless clients. Con Console Server Con Cisco Aironet Port 2001 Con Cisco Aironet Port 2002 Cisco Aironet Port 2003 Figure 1: Aironet configuration Thus the access is: Cisco Aironet 1 Address: Port: 2001 Cisco Aironet 2 Address: Port: 2002 Cisco Aironet 3 Address: Port: 2003 Make sure that your Ethernet connection is enabled, and do not create your wireless network on the network. Thus you will be assigned one of the groups, and you should create wireless networks with five wireless clients. The details are: Group 1: SSID: APskills1 IP address of Access Point: Range of addresses: to Group 2: SSID: APskills2 IP address of Access Point: Range of addresses: to Group 3: SSID: APskills3 IP address of Access Point: Range of addresses: to Author: W.Buchanan 1

2 Open authentication 1. For this part of the lab, you should setup a network for five wireless clients, and will be assigned one of the access points to connect to. Initially use HyperTerminal or TELNET to connect, such as shown in Figure 2 and Figure 3. Figure 2: Connection details Figure 3: Connection details Author: W.Buchanan 2

3 2. Assign each you wireless clients a static IP address which relates to the subnet, such as shown in Figure The configure the access point with: Figure 4: Client details hostname ap int bvi1 ip address interface d0 channel 11 station-role root encryption key 1 size 40bit aaaaaaaaaa transmit-key encryption mode ciphers tkip wep40 no ssid tsunami ssid APskills authentication open guest-mode end 4. Next, if you have a Cisco 350 wireless client, setup the SSID and Client name as shown in Figure 5 and 6, and define the WEP encryption key, as shown in Figure 7. From the clients, ping each node on the network, and, on the wireless access point, determine the associations with: ap#sh dot assoc Client Stations on Dot11Radio0: SSID [APskills]: MAC Address IP address Device Name Parent State client Bill self Assoc 5. Check that the device is associated, such as shown in Figure 8. Author: W.Buchanan 3

4 Figure 5: Creating a new profile Figure 6: Cisco wireless client details Figure 7: WEP client details Author: W.Buchanan 4

5 Figure 8: Association Checking basic details 6. The Cisco wireless client have additional details, such as: A Site survey (Figure 9). Testing link strength (Figure 10). Statistics of the connection (Figure 11). Link status (Figure 12). What the signal strength: Which channel is the client connect to: What is the IP address of the access point: Link speed: Bytes transmitted: Rating of signal strength against signal quality (poor, fair, good or excellent): SSID mismatches: Ack packets transmitted: Author: W.Buchanan 5

6 Figure 9: Association Figure 10: Association Author: W.Buchanan 6

7 Figure 11: Connection details Figure 12: Link status Author: W.Buchanan 7

8 LEAP 7. The access point can be setup so that it authenticates the user onto the network. One method, recommended by Cisco Systems, is LEAP which supports a username and a password, which is authenticated by a local or a remote RADIUS server. In this case a local RADIUS server, running on the access point, is used to authenticate the user. A basic configuration of the access point is: hostname ap aaa new-model hostname ap aaa new-model aaa group server radius rad_eap server auth-port 1812 acct-port 1813 aaa group server radius rad_mac aaa group server radius rad_acct aaa group server radius rad_admin aaa group server radius dummy server auth-port 1812 acct-port 1813 aaa group server radius rad_pmip aaa authentication login eap_methods group rad_eap aaa authentication login mac_methods local aaa authorization exec default local aaa authorization ipmobile default group rad_pmip aaa accounting network acct_methods start-stop group rad_acct aaa session-id common int bvi1 ip address radius-server local nas key sharedkey user aaauser password aaauser user bbbuser password bbbuser radius-server host auth 1812 acct 1813 key sharedkey interface d0 channel 11 station-role root encryption key 1 size 40bit aaaaaaaaaa transmit-key encryption mode ciphers tkip wep40!!!!! remember to change the SSID to your requirement ssid APskills authentication network-eap eap_methods guest-mode end Author: W.Buchanan 8

9 8. This sets up two users of aaauser and bbbuser, with a shared key between the access point and the local RADIUS server of sharedkey. Next setup the wireless clients to connect to the network by defining LEAP security, such as shown in Figure 13 and Figure 14. Figure 13: Defining LEAP Figure 14: LEAP settings Author: W.Buchanan 9

10 9. Next, show the associations: ap#sh dot assoc Client Stations on Dot11Radio0: SSID [APskills] : MAC Address IP address Device Name Parent State client BIll self EAP-Assoc cd client XP3 self EAP-Assoc Do the clients connect to the network: What are the associations on the access point? List their details: How do the associations differ from before: 10. If you managed to successful connect to the network, next change the user ID for the LEAP details, such as shown in Figure 15. Do the clients connect to the network: Redefine the LEAP details so that the client re-associates. Is it successful: Figure 15: LEAP settings Author: W.Buchanan 10

11 Filtering (continued from previous week) 11. The wireless access point can be used to filter mac addresses for a source and destination. Its format is: access-list [deny permit] [source ac] [source mask] [dest mac] [dest mask] For example to disallow the node with the mac address of b54.d83a access to 0060.b39f.cae1: access-list 1101 deny b54.d83a b39f.cae access-list 1101 permit ffff.ffff.ffff ffff.ffff.ffff and it is applied with the following: int d0 l2-filter bridge-group-acl bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 output-pattern 1101 bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled ap#show arp Protocol Address Age (min) Hardware Addr Type Interface Internet d.65a9.cb1b ARPA BVI1 Internet b39f.cae1 ARPA BVI1 Internet c85.87f1 ARPA BVI1 Internet b54.d83a ARPA BVI1 ap# Determine all the mac addresses on your network: Block the access of one computer to another. What is the access-list used: Is the access blocked, and can the other nodes still access each other: 12. Next remove the access list with: no access-list 1101 and now add a new one which block access from one computer to two of the hosts on the network. Author: W.Buchanan 11

12 Is the block successful: IP filtering 13. The wireless access point can be used to filter mac addresses for a source and destination. Its format is: access-list [< > < >] [deny permit] [source ac] [source mask] [dest mac] [dest mask] For example to disallow the node with the mac address of b54.d83a access to 0060.b39f.cae1: access-list 1101 deny b54.d83a b39f.cae access-list 1101 permit ffff.ffff.ffff ffff.ffff.ffff and it is applied with the following: int d0 l2-filter bridge-group-acl bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 output-pattern 1101 bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled in this case an example of the ARP cache is: ap#show arp Protocol Address Age (min) Hardware Addr Type Interface Internet d.65a9.cb1b ARPA BVI1 Internet b39f.cae1 ARPA BVI1 Internet c85.87f1 ARPA BVI1 Internet b54.d83a ARPA BVI1 ap# Determine all the mac addresses on your network: IP: MAC address: IP: MAC address: IP: MAC address: IP: MAC address: IP: MAC address: Block the access of one computer to another. What is the access-list used: What is the output from the show arp command on the wireless access point: Author: W.Buchanan 12

13 Is the access blocked, and can the other nodes still access each other: 14. Next remove the access list with: no access-list 1101 and now add a new one which blocks access from one computer to two of the hosts on the network. Is the block successful: 15. Next, remove the access list, and bar a node access to the complete network. Is the block successful: IP filtering 16. The access point supports IP-based access-lists. For example, the following blocks a host at access to , and is applied to the D0 port: ip access-list extended Test deny ip host host permit ip any any interface d0 channel 11 ip access-group Test in station-role root encryption key 1 size 40bit aaaaaaaaaa transmit-key encryption mode ciphers tkip wep40 no ssid tsunami ssid APskills authentication open guest-mode end Apply this configuration. Can the node communicate with the wireless access point: 17. Write an access-list which blocks access from to , and also blocks access from to The rest of the communications should be ALLOWED. REMEMBER, before you start, to remove the old access-list (no access-list extended Test). What is the access-list: Do the blocks work, and can the other nodes still communicate: Author: W.Buchanan 13

14 18. Write an access-list which allows access from access to , and also allows access from to The rest of the communications should be BLOCKED. REMEMBER, before you start, to remove the old access-list (no access-list extended Test). What is the access-list: Do the allows work, and are the other nodes blocked: TCP filtering 19. Along with IP filtering, it is possible to filter for the TCP port. For example the following blocking of any source host to any destination on port 80: ip access-list extended Test deny tcp any any eq 80 permit ip any any interface d0 channel 11 ip access-group Test in station-role root encryption key 1 size 40bit aaaaaaaaaa transmit-key encryption mode ciphers tkip wep40 ssid APskills authentication open guest-mode end 20. Test the above script and make sure that none of the nodes can access the web server on the access point: Is web access blocked: 21. Modify the access-list so that the node which has an IP address of cannot access the web server on the access point: Is web access blocked: 22. Using the client and the server program, write an access-list which will block communications between two of the nodes on the network for client-server communications on port 1001: Is the access blocked: 23. Remove the previous access-list, and determine if the nodes can now connect to each other on port 1001: Author: W.Buchanan 14

15 Is the access allowed: ICMP filters 24. It is possible to block ICMP in the filtering, such as blocking a ping from to : ip access-list extended Test deny icmp permit ip any any Is it possible to ping the access-point ( ) from : Is it possible to ping the access-point ( ) from other nodes: 25. Now block ping access from to Is it possible to ping the access-point ( ) from : Is it possible to ping all the other nodes: Tutorial For a network which has an access point at and five wireless clients from to , with an SSID of APskills, complete the following: 26. Create a firewall that blocks ping access to all other nodes on the network. Test it, and then restore ping access. 27. Create a firewall that bars TELNET access from to the wireless access point. All other nodes should be able to telnet into the access point. Next do the opposite where only the node is allowed to TELNET into the access point, and the rest are not. 28. Create a firewall that bars SNMP access from all the nodes on the network to the wireless access point. All other nodes should be able to telnet into the access point. 29. Enable the small-servers on the wireless access point, and access the time server port (port 7), and prove that it works from each of the clients. Implement a firewall on the wireless access point to bar time server access from to the access point. Make sure that all the other nodes can still access the port. 30. Create a network of wireless clients where the access point has an address of , and create a firewall which blocks all the address which have even numbered IP addresses access to the web server on the access point, such as: Author: W.Buchanan 15

16 cannot access the wireless access point web server cannot access the wireless access point web server. And so on. What is the access-list: Does it work: 31. Create a network of wireless clients where the access point has an address of , and create a firewall which blocks all the address which have odd numbered IP addresses access to the web server on the access point, such as: cannot access the wireless access point web server cannot access the wireless access point web server. And so on. What is the access-list: Does it work: 32. Create a network of wireless clients, which have the address: , , , , and Define a firewall rule that hosts with an IP address above are allowed access to the web server on the access point, but ones below this are barred. What is the access-list: Does it work: For a network which has an access point at and five wireless clients from to , with an SSID of APskills, complete the following: 33. Create a firewall rule which allows hosts with address from to access to the Web server on the access point, and bars the rest of the nodes access to the Web server on the access point. 34. Create a firewall rule which allows hosts with address from to access to the Web server on the access point, and bars the rest of the nodes access to the Web server on the access point. Author: W.Buchanan 16