Wireless Access Points (Part 2)

Transcription

1 Wireless Access Points (Part 2) Details The lab is a virtual simulation of the Cisco Aironet 1200 Wireless Access Point (WAP). Initially the screen should be as in Figure 1. Figure 1: Initial startup screen All rights reserved. 1

2 Tutorial 2 This tutorial outlines some of the key configurations for a wireless access point. DHCP 1. It is possible to run a DHCP server to assign IP parameters to wireless nodes: (config)# ip dhcp pool socpool (config-dhcp)# network (config-dhcp)# lease 10 (config-dhcp)# exit -config Sets the range of addresses to be allocated, and sets the lease for 10 days Using the information from above what are the following: Why would the WAP run a DHCP server: In the above example, what will be the first IP address allocated: In the above example, what will be the last IP address allocated: In the DHCP it is also possible to exclude addresses from the pool: (config)# ip dhcp? (config)# ip dhcp excluded-address? (config)# ip dhcp excluded-address ? (config)# ip dhcp excluded-address config and for defining the ping timeout for DHCP: (config)# ip dhcp? (config)# ip dhcp ping? (config)# ip dhcp ping timeout? (config)# ip dhcp ping timeout 400 -config Other settings for DHCP are: All rights reserved. 2

3 (config)# ip dhcp pool socpool (config-dhcp)# dns-server (config-dhcp)# netbios-name-server (config-dhcp)# domain-name xyz.com -config Host table A local hosts table is useful in defining logical names for remote ports. For example to enable the host table for three remote hosts: (config)# ip? (config)# ip host? (config)# ip host mars? (config)# ip host mars (config)# ip host jupiter (config)# ip host saturn ( config)# end # show hosts -config CDP CDP (Cisco Discovery Protocol) is used to discover Cisco devices which connect to a given port. It is set globally on the device with cdp run, and then the timers are set as: (config)# cdp? (config)# cdp holdtime? (config)# cdp holdtime 120 (config)# cdp timer? (config)# cdp timer 50 (config)# end Using the show cdp command, determine the settings for CDP: To enable CDP on the WAP: (config)# cdp run (config)# end To enable CDP on an interface: (config)# int fa0 (config-if)# cdp? All rights reserved. 3

4 (config-if)# cdp enable (config-if)# end 2. To show CDP information: # show cdp? # show cdp neighbors # show cdp neighbors detail # show cdp neighbors traffic 3. To remove CDP from an interface the no command is inserted in front of the command which is to be removed: (config)# int fa0 (config-if)# no? (config-if)# no cdp enable (config-if)# end View the running-config, and verify that CDP has been removed from the port: Logging The logging facility in the wireless access point is important as it can be used to determine intrusions and also log warning/errors. The following defines logging: (config)# logging on (config)# logging buff? (config)# logging buff 8192 What is the minimum and maximum size of the buffer: There are several types of logging facilities including warning, debugging and critical. To set these for different logging facilities: (config)# logging buff? (config)# logging buff warning (config)# logging console critical (config)# logging monitor critical (config)# logging trap warning How many security levels, and what are they: All rights reserved. 4

5 The logging to the local buffer is fine for short-term logging, but eventually it will run out of space (or may be deleted by mistake). This is good practice is to log to a server or to a syslog server (with the logging host command), such as: (config)# logging buff? (config)# logging (config)# logging host SNMP The SNMP (Simple Network Management Protocol) is a powerful method of gaining information on the operation of the network. The snmp-server command is used to enable SNMP monitoring. The snmp-server community command is used to initialise SNMP, and set the community string (which is basically used as a type of password for the SNMP access). For example to define the read-only string to public: (config)# snmp-server? (config)# snmp-server community? (config)# snmp-server community public? (config)# snmp-server community public RO The RO defines read-only access, while RW defines read-write access. To setup the SNMP contact, the location: (config)# snmp-server? (config)# snmp-server contact fred smith (config)# snmp-server location room c6 SNMP contains a database of monitored network conditions, such as the number of errors in data packets, the IP addresses of the interfaces, and so on. It can also be setup to trigger on certain traps, such as on syslog traps. To enable all of SNMP traps so that all the data is monitored: (config)# snmp-server? (config)# snmp-server enable? (config)# snmp-server enable traps? (config)# snmp-server enable traps (config)# exit Which traps are available: Then to send these traps to a remote host (to All rights reserved. 5

6 (config)# snmp-server host? (config)# snmp-server host (config)# snmp-server host public To determine the status of the SNMP communications: # show snmp and to display the SNMP engine and remote engines: # show snmp engine and to display the SNMP group: # show snmp group SNMP uses an MIB database (Figure 1) to store its values. To display its contents: # show snmp mib As you will see, the MIB has a massive number of entries, and shows the power of the SNMP protocol. Which entry is likely to define the receiving power of the antenna: Which entry is likely to define the number of VLANs: Which entry is likely to define the system uptime: To show the currently pending SNMP requests: # show snmp pending To show the SNMP sessions: # show snmp sessions All rights reserved. 6

7 ICMP: IcmpInMsgs. IcmpInErrors. Etc. SNMP SNMP agent agent MIB TCP: tcprtoalgorithm. tcprtomin. tcprtomax. Etc. System: sysobjectid. sysuptime. syscontact. sysname. syslocation. UDP: udpindatagrams. udpnoports. udpinerrors. Etc. At (address translation): attable. Ip: ipforwarding. ipdefaultttl. ipinreceives. ipinhdrerrors. Etc. Interfaces: ifnumber. iftable. SNMP: snmpinpkts. snmpoutpkts. Etc. Figure 2: SNMP structure Hot standby The hot standby function is used to provide a backup to another access point, and is configured in the same way, so that it is fails, the hot standby device can become active, and associates the active clients, automatically. The only setting that will differ is the IP address of the device. In the following configuration, the MAC address of the device to be monitored is 1111.abcd.ef10. The timeout period in which the device will determine if the monitored device has stopped working is five seconds, and the poll time is two seconds: (config)# iapp? (config)# iapp standby? (config)# iapp standby mac? (config)# iapp standby mac 1111.abcd.ef10 (config)# iapp standby timeout? (config)# iapp standby timeout 5 (config)# iapp standby polltime? (config)# iapp standby polltime 2 What is the minimum and maximum timeout values: What is the minimum and maximum poll time values: All rights reserved. 7

8 And then to display the IAPP settings: # show iapp # show iapp? # show iapp rogue-ap-list # show iapp standby-parms # show iapp statistics Are there any rogue access points: Are the hot standby parameters correctly defined: Line console and VTY commands The CONSOLE connection on the wireless access point is typically used to gain access to the device when there is no network connection, and allows a high-level of access to the device. Thus is should be protected with a strong password. In the following, the console port is configured with a password of fred, and the timeout for a session of 50 seconds, and an executive timeout of 15 minutes: (config) # line? (config) # line con 0 (config-line) #? (config-line) # login (config-line) # password? (config-line) # password fred (config-line) # timeout? (config-line) # timeout login? (config-line) # timeout login response? (config-line) # timeout login response 50 (config-line) # exec-timeout 15 (config-line) # exit TELNET is an important protocol as it allows a remote connection from a terminal. The number of telnet sessions can be limited with the start and end terminal definition. In the following case, the number of terminal sessions is 16 (0 to 15), and freddy is assigned as the password: (config) # line vty 0 15 (config-line) # login (config-line) # password freddy (config-line) # logging synchronous (config-line) # timeout login response 50 (config-line) # exec-timeout 15 (config-line) # exit All rights reserved. 8

9 When the user logs in through TELNET they will be accessed for their password: User Access Verification Password: freddy Services There are many services that can be run on a wireless access point. These include a passwordencryption service, the DHCP service, and so on. (config) # service? List some of the available services: Password encryption service One useful service is for password encryption. Initially it can disabled with: (config) # no service password-encryption (config) # line con 0 (config-line) # login (config-line) # password fred (config-line) # exit What is the line for defining the password: Now enable the password encryption service and view the difference: (config) # service password-encryption (config) # line con 0 (config-line) # login (config-line) # password fred (config-line) # exit What is the line for defining the password: An important service is the one to timestamps the log and debug activities. For this: All rights reserved. 9

10 (config) # service timestamps? (config) # service timestamps log? (config) # service timestamps log datetime (config-line) # exit For this we can either define the timestamps as the current Date/Time or in terms of the UpTime. There are a number of TCP and UDP small server applications, such as ECHO, Discard, Daytime, and so on. These are enabled by default. Thus to view them in the runningconfig: What are the lines relating to tcp-small-servers and udp-small-servers: If we contain the wireless access point on the Daytime port (13), it produces the following: telnet Monday, March 1, :46:32-UTC These can cause security problems, as they allow a method of an intruder to gain access to the device, thus to stop them: (config) # no service tcp-small-servers (config) # no service udp-small-servers (config-line) # exit Are there lines relating to tcp-small-servers and udp-small-servers: Now if we were to access to the wireless access point we get: telnet Connecting To Could not open connection to the host, on port 13: Connect failed Thus, we have closed-off a port, which reduces the opportunities for someone to connect to the access point. Other services, such as finger, have particular problems related to security, but as they are disabled by default, they are not a particular problem. The DHCP service is enabled by default. If it is to be disabled, then: (config) # no service dhcp (config) # exit All rights reserved. 10

11 Banners and HTTP settings The banners can be set for different modes, such as Login, Exec, and for a message-of-the-day (MOTD), such as: (config) # banner? (config) # banner login hello (config) # banner motd system failure (config) # banner exec hello me (config) # exit What are the lines relating to the banners: To get rid of the banners: (config) # no? (config) # no banner login (config) # no banner motd (config) # no banner exec (config) # exit Are the lines relating to the banners gone: The HTTP service is important as it allows remote access through a Web browser. We can enable the server and define the username and password with: (config) # username? (config) # username fred password bert (config) # ip http? (config) # ip http server (config) # ip http authentication? (config) # ip http authentication local (config) # exit then, when the user tries to access to the wireless access point they will not be allowed to connect, unless the have the correct username and password, such as: All rights reserved. 11

12 which should give one of the following: Often a new HTTP port is required (to stop users from trying to access the Web page). Thus to change the port: (config) # ip http? (config) # ip http port? (config) # ip http port 8080 (config) # exit Now we cannot access the Web page with the standard port (80), and we must change the address with a colon to define the port, such as: All rights reserved. 12

13 We can also provide a helper-path with: (config) # ip http help-path (config) # exit Configuring as a repeater A repeater access point does not connect to a wired LAN, and basically forwards the data packets to another repeater or to a wireless access point which is connected to a wired network. With a repeater, of course, the Ethernet port will not operate. The repeater access point typically associates with an access point with has the best connectivity, whoever they can be setup to connect to a specific access point. In the following case, the access point will associate with the parent with the specified MAC address ( ): (config)# interface d0 (config-if)# ssid napier (config-ssid)# infrastructure-ssid (config-ssid)# exit (config-if)# station-role repeater (config-if)# dot11 extensions aironet (config-if)# parent (config-if)# parent aaaa.bbbb (config-if)# end In most cases the Cisco Aironet extensions must be enabled. All rights reserved. 13

14 Clock commands The main commands for clock are: # clock? # clock set? # clock set 11:00? # clock set 11:00 11? # clock set 11:00 11 jun? # clock set 11:00 11 jun 2006 History commands The main commands for history are: # clock? # terminal? # terminal history? # terminal history size? # terminal history size 100 # show history All rights reserved. 14

15 Tutorial 2 1. Complete the following challenges and note down the time you took to complete them: Chall. Description Time taken 10 DHCP Notes 11 Host Table 12 CDP 13 Banners and HTTP 14 CON and VTY 15 Clock 16 Logging 17 Services 18 SNMP 19 Hot standby 20 Repeater All rights reserved. 15