Lab details

At present C.6 has three Cisco Aironet 1200 access points and three Linksys access points. The Cisco Aironets can be accessed through a console server using the console address and a specific TCP port. There are also 12 Cisco 350 Aironet wireless clients and eight Belkin wireless clients.

Figure 1: Aironet configuration (the console port of each Cisco Aironet 1200 is reached through the console server at 192.168.1.100 on TCP ports 2001, 2002 and 2003)

Thus the access is:

    Cisco Aironet 1    Address: 192.168.1.100    Port: 2001
    Cisco Aironet 2    Address: 192.168.1.100    Port: 2002
    Cisco Aironet 3    Address: 192.168.1.100    Port: 2003

Make sure that your Ethernet connection is enabled, and do not create your wireless network on the 192.168.1.0 network. You will be assigned one of the groups, and you should create a wireless network with five wireless clients. The details are:

    Group 1:  SSID: APskills1   IP address of Access Point: 192.168.0.110   Range of addresses: 192.168.0.1 to 192.168.0.5
    Group 2:  SSID: APskills2   IP address of Access Point: 192.168.0.110   Range of addresses: 192.168.0.1 to 192.168.0.5
    Group 3:  SSID: APskills3   IP address of Access Point: 192.168.0.110   Range of addresses: 192.168.0.1 to 192.168.0.5

Author: W.Buchanan 1

Open authentication

1. For this part of the lab, you should set up a network for five wireless clients, and you will be assigned one of the access points to connect to. Initially use HyperTerminal or TELNET to connect, as shown in Figure 2 and Figure 3.

Figure 2: Connection details
Figure 3: Connection details

2. Assign each of your wireless clients a static IP address on the subnet, as shown in Figure 4.

Figure 4: Client details

3. Then configure the access point with:

    hostname ap
    int bvi1
     ip address 192.168.0.110 255.255.255.0
    interface d0
     channel 11
     station-role root
     encryption key 1 size 40bit aaaaaaaaaa transmit-key
     encryption mode ciphers tkip wep40
     no ssid tsunami
     ssid APskills
      authentication open
      guest-mode
    end

4. Next, if you have a Cisco 350 wireless client, set up the SSID and Client name as shown in Figure 5 and Figure 6, and define the WEP encryption key, as shown in Figure 7. From the clients, ping each node on the network, and, on the wireless access point, determine the associations with:

    ap#sh dot assoc
    802.11 Client Stations on Dot11Radio0:
    SSID [APskills]:
    MAC Address     IP address     Device      Name   Parent   State
    0009.4388.7123  192.168.0.1    350-client  Bill   self     Assoc

5. Check that the device is associated, as shown in Figure 8.

Figure 5: Creating a new profile
Figure 6: Cisco wireless client details
Figure 7: WEP client details

Figure 8: Association

Checking basic details

6. The Cisco wireless client has additional details, such as a site survey (Figure 9), testing link strength (Figure 10), statistics of the connection (Figure 11) and link status (Figure 12).

    What is the signal strength:
    Which channel is the client connected to:
    What is the IP address of the access point:
    Link speed:
    Bytes transmitted:
    Rating of signal strength against signal quality (poor, fair, good or excellent):
    SSID mismatches:
    Ack packets transmitted:

Figure 9: Association
Figure 10: Association

Figure 11: Connection details
Figure 12: Link status

LEAP

7. The access point can be set up so that it authenticates the user onto the network. One method, recommended by Cisco Systems, is LEAP, which supports a username and a password that are authenticated by a local or a remote RADIUS server. In this case a local RADIUS server, running on the access point, is used to authenticate the user. A basic configuration of the access point is:

    hostname ap
    aaa new-model
    aaa group server radius rad_eap
     server 192.168.1.110 auth-port 1812 acct-port 1813
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server radius dummy
     server 192.168.1.110 auth-port 1812 acct-port 1813
    aaa group server radius rad_pmip
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa authorization ipmobile default group rad_pmip
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    int bvi1
     ip address 192.168.1.110 255.255.255.0
    radius-server local
     nas 192.168.1.110 key sharedkey
     user aaauser password aaauser
     user bbbuser password bbbuser
    radius-server host 192.168.1.110 auth 1812 acct 1813 key sharedkey
    interface d0
     channel 11
     station-role root
     encryption key 1 size 40bit aaaaaaaaaa transmit-key
     encryption mode ciphers tkip wep40
     ! remember to change the SSID to your requirement
     ssid APskills
      authentication network-eap eap_methods
      guest-mode
    end

8. This sets up two users, aaauser and bbbuser, with a shared key of sharedkey between the access point and the local RADIUS server. Next set up the wireless clients to connect to the network by defining LEAP security, as shown in Figure 13 and Figure 14.

Figure 13: Defining LEAP
Figure 14: LEAP settings

9. Next, show the associations:

    ap#sh dot assoc
    802.11 Client Stations on Dot11Radio0:
    SSID [APskills] :
    MAC Address     IP address     Device      Name   Parent   State
    0009.4388.7123  192.168.0.1    350-client  Bill   self     EAP-Assoc
    0009.7cd1.9062  192.168.0.2    350-client  XP3    self     EAP-Assoc

    Do the clients connect to the network:
    What are the associations on the access point? List their details:
    How do the associations differ from before:

10. If you managed to connect to the network successfully, next change the user ID for the LEAP details, as shown in Figure 15.

    Do the clients connect to the network:
    Redefine the LEAP details so that the client re-associates. Is it successful:

Figure 15: LEAP settings

Filtering (continued from previous week)

11. The wireless access point can be used to filter MAC addresses for a source and destination. Its format is:

    access-list [deny|permit] [source mac] [source mask] [dest mac] [dest mask]

For example, to disallow the node with the MAC address of 0090.4b54.d83a access to 0060.b39f.cae1:

    access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0
    access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff

and it is applied with the following:

    int d0
     l2-filter bridge-group-acl
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 output-pattern 1101
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled

    ap#show arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  192.168.0.110           -   000d.65a9.cb1b  ARPA   BVI1
    Internet  192.168.0.101           1   0060.b39f.cae1  ARPA   BVI1
    Internet  192.168.0.103           2   0009.7c85.87f1  ARPA   BVI1
    Internet  192.168.0.115           1   0090.4b54.d83a  ARPA   BVI1
    ap#

    Determine all the MAC addresses on your network:
    Block the access of one computer to another. What is the access-list used:
    Is the access blocked, and can the other nodes still access each other:

12. Next remove the access list with:

    no access-list 1101

and now add a new one which blocks access from one computer to two of the hosts on the network.

    Is the block successful:

MAC filtering

13. The wireless access point can be used to filter MAC addresses for a source and destination. Its format is:

    access-list [<700-799> <1100-1199>] [deny|permit] [source mac] [source mask] [dest mac] [dest mask]

For example, to disallow the node with the MAC address of 0090.4b54.d83a access to 0060.b39f.cae1:

    access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0
    access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff

and it is applied with the following:

    int d0
     l2-filter bridge-group-acl
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 output-pattern 1101
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled

In this case an example of the ARP cache is:

    ap#show arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  192.168.0.110           -   000d.65a9.cb1b  ARPA   BVI1
    Internet  192.168.0.101           1   0060.b39f.cae1  ARPA   BVI1
    Internet  192.168.0.103           2   0009.7c85.87f1  ARPA   BVI1
    Internet  192.168.0.115           1   0090.4b54.d83a  ARPA   BVI1
    ap#

    Determine all the MAC addresses on your network:
    IP: 192.168.0.1   MAC address:
    IP: 192.168.0.2   MAC address:
    IP: 192.168.0.3   MAC address:
    IP: 192.168.0.4   MAC address:
    IP: 192.168.0.5   MAC address:

    Block the access of one computer to another. What is the access-list used:
    What is the output from the show arp command on the wireless access point:

    Is the access blocked, and can the other nodes still access each other:

14. Next remove the access list with:

    no access-list 1101

and now add a new one which blocks access from one computer to two of the hosts on the network.

    Is the block successful:

15. Next, remove the access list, and bar a node access to the complete network.

    Is the block successful:

IP filtering

16. The access point supports IP-based access-lists. For example, the following blocks the host at 192.168.0.1 from accessing 192.168.0.110, and is applied inbound on the D0 port:

    ip access-list extended Test
     deny ip host 192.168.0.1 host 192.168.0.110
     permit ip any any
    interface d0
     channel 11
     ip access-group Test in
     station-role root
     encryption key 1 size 40bit aaaaaaaaaa transmit-key
     encryption mode ciphers tkip wep40
     no ssid tsunami
     ssid APskills
      authentication open
      guest-mode
    end

Apply this configuration.

    Can the 192.168.0.1 node communicate with the wireless access point:

17. Write an access-list which blocks access from 192.168.0.1 to 192.168.0.3, and also blocks access from 192.168.0.2 to 192.168.0.4. The rest of the communications should be ALLOWED. REMEMBER, before you start, to remove the old access-list (no ip access-list extended Test).

    What is the access-list:
    Do the blocks work, and can the other nodes still communicate:
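The MAC access lists in steps 11 to 15 are evaluated first-match, with a wildcard mask in which a 1 bit means "do not care" and an implicit deny after the last line. The following Python, an added example that is not part of the lab sheet, parses the show arp output and access-list 1101 exactly as printed above and reports which station-to-station pairs the list denies; it also generalizes to a constructed list 1102 that bars one station from every other station (the shape step 15 asks for). The ARP text and list 1102 are constructed for the example; the helper names are the example's own.

```python
import re

# Constructed copy of the ARP cache printed on the lab sheet (same addresses).
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.110           -   000d.65a9.cb1b  ARPA   BVI1
Internet  192.168.0.101           1   0060.b39f.cae1  ARPA   BVI1
Internet  192.168.0.103           2   0009.7c85.87f1  ARPA   BVI1
Internet  192.168.0.115           1   0090.4b54.d83a  ARPA   BVI1
"""

# The two-line list from step 11.
ACL_1101 = [
    "access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0",
    "access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff",
]
# Constructed for the example: bar one station from every destination.
ACL_1102 = [
    "access-list 1102 deny 0090.4b54.d83a 0.0.0 0.0.0 ffff.ffff.ffff",
    "access-list 1102 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff",
]


def mac_to_int(text):
    """Parse an IOS dotted-hex MAC (H.H.H). IOS accepts abbreviated groups, so 0.0.0 is valid."""
    groups = text.lower().split(".")
    if len(groups) != 3 or any(not 1 <= len(g) <= 4 for g in groups):
        raise ValueError("bad MAC address: %r" % text)
    return int("".join(g.zfill(4) for g in groups), 16)


def parse_show_arp(text):
    """Return {ip: mac} from 'show arp' output; the AP's own entry shows '-' for its age."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"Internet\s+(\S+)\s+(\S+)\s+([0-9a-f.]+)\s+ARPA", line)
        if m:
            table[m.group(1)] = m.group(3)
    return table


def parse_mac_acl(lines):
    """Parse 'access-list <1100-1199> <permit|deny> <src> <src-wild> <dst> <dst-wild>' lines."""
    entries = []
    for line in lines:
        p = line.split()
        if len(p) != 7 or p[0] != "access-list" or p[2] not in ("permit", "deny"):
            raise ValueError("unsupported line: %r" % line)
        if not 1100 <= int(p[1]) <= 1199:
            raise ValueError("extended MAC lists are numbered 1100-1199: %r" % line)
        entries.append((p[2], mac_to_int(p[3]), mac_to_int(p[4]),
                        mac_to_int(p[5]), mac_to_int(p[6])))
    return entries


def mac_acl_permits(entries, src_mac, dst_mac):
    """First matching entry decides; IOS appends an implicit deny to every list."""
    s, d = mac_to_int(src_mac), mac_to_int(dst_mac)
    for action, asrc, swild, adst, dwild in entries:
        # OR-ing the wildcard into both sides ignores the "do not care" bits.
        if (s | swild) == (asrc | swild) and (d | dwild) == (adst | dwild):
            return action == "permit"
    return False


def blocked_pairs(acl_lines, arp_text):
    """Which (src_ip, dst_ip) pairs from the ARP cache does the list deny?"""
    arp = parse_show_arp(arp_text)
    entries = parse_mac_acl(acl_lines)
    return sorted((a, b) for a in arp for b in arp
                  if a != b and not mac_acl_permits(entries, arp[a], arp[b]))


if __name__ == "__main__":
    for name, acl in (("1101", ACL_1101), ("1102", ACL_1102)):
        print("access-list %s denies: %s" % (name, blocked_pairs(acl, SHOW_ARP)))
```

Which address counts as the source depends on where the list is bound: the lab applies it with bridge-group 1 output-pattern on d0, so it is checked on frames the radio is about to transmit, and the reverse direction of a pair is only stopped if the list names it too (list 1101 denies 0090.4b54.d83a to 0060.b39f.cae1 but still permits the reply path).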

18. Write an access-list which allows access from 192.168.0.1 to 192.168.0.3, and also allows access from 192.168.0.2 to 192.168.0.4. The rest of the communications should be BLOCKED. REMEMBER, before you start, to remove the old access-list (no ip access-list extended Test).

    What is the access-list:
    Do the allows work, and are the other nodes blocked:

TCP filtering

19. Along with IP filtering, it is possible to filter on the TCP port. For example, the following blocks any source host from reaching any destination on port 80:

    ip access-list extended Test
     deny tcp any any eq 80
     permit ip any any
    interface d0
     channel 11
     ip access-group Test in
     station-role root
     encryption key 1 size 40bit aaaaaaaaaa transmit-key
     encryption mode ciphers tkip wep40
     ssid APskills
      authentication open
      guest-mode
    end

20. Test the above script and make sure that none of the nodes can access the web server on the access point:

    Is web access blocked:

21. Modify the access-list so that the node which has an IP address of 192.168.0.2 cannot access the web server on the access point:

    Is web access blocked:

22. Using the client and the server program, write an access-list which will block communications between two of the nodes on the network for client-server communications on port 1001:

    Is the access blocked:

23. Remove the previous access-list, and determine if the nodes can now connect to each other on port 1001:

    Is the access allowed:

ICMP filters

24. It is possible to block ICMP in the filtering, such as blocking a ping from 192.168.0.1 to 192.168.0.110:

    ip access-list extended Test
     deny icmp 192.168.0.1 0.0.0.0 192.168.0.110 0.0.0.0
     permit ip any any

    Is it possible to ping the access-point (192.168.0.110) from 192.168.0.1:
    Is it possible to ping the access-point (192.168.0.110) from other nodes:

25. Now block ping access from 192.168.0.1 to 192.168.0.2.

    Is it possible to ping the access-point (192.168.0.111) from 192.168.0.112:
    Is it possible to ping all the other nodes:

Tutorial

For a network which has an access point at 192.168.0.110 and five wireless clients from 192.168.0.1 to 192.168.0.5, with an SSID of APskills, complete the following:

26. Create a firewall that blocks ping access to all other nodes on the network. Test it, and then restore ping access.

27. Create a firewall that bars TELNET access from 192.168.0.2 to the wireless access point. All other nodes should be able to telnet into the access point. Next do the opposite, where only the node 192.168.0.2 is allowed to TELNET into the access point, and the rest are not.

28. Create a firewall that bars SNMP access from all the nodes on the network to the wireless access point. All other nodes should be able to telnet into the access point.

29. Enable the small-servers on the wireless access point, access the time server port (port 7), and prove that it works from each of the clients. Implement a firewall on the wireless access point to bar time server access from 192.168.0.1 to the access point. Make sure that all the other nodes can still access the port.

30. Create a network of wireless clients where the access point has an address of 192.168.0.110, and create a firewall which blocks all the addresses which have even-numbered IP addresses from accessing the web server on the access point, such as:

    192.168.0.2 cannot access the wireless access point web server.
    192.168.0.4 cannot access the wireless access point web server.
    And so on.

    What is the access-list:
    Does it work:

31. Create a network of wireless clients where the access point has an address of 192.168.0.110, and create a firewall which blocks all the addresses which have odd-numbered IP addresses from accessing the web server on the access point, such as:

    192.168.0.1 cannot access the wireless access point web server.
    192.168.0.3 cannot access the wireless access point web server.
    And so on.

    What is the access-list:
    Does it work:

32. Create a network of wireless clients which have the addresses 192.168.0.1, 192.168.0.2, 192.168.0.3, 192.168.0.64 and 192.168.0.65. Define a firewall rule so that hosts with an IP address above 192.168.0.64 are allowed access to the web server on the access point, but ones below this are barred.

    What is the access-list:
    Does it work:

For a network which has an access point at 192.168.5.254 and five wireless clients from 192.168.5.1 to 192.168.5.253, with an SSID of APskills, complete the following:

33. Create a firewall rule which allows hosts with addresses from 192.168.5.128 to 192.168.5.254 access to the Web server on the access point, and bars the rest of the nodes access to the Web server on the access point.

34. Create a firewall rule which allows hosts with addresses from 192.168.5.64 to 192.168.5.254 access to the Web server on the access point, and bars the rest of the nodes access to the Web server on the access point.
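Every IP, TCP and ICMP exercise above (steps 16 to 34) comes down to the same two rules: entries are tried top to bottom and the first match decides, and an address with a wildcard mask matches when every bit the mask leaves as 0 agrees. The Python below is an added example, not part of the lab sheet, that implements those rules for the named extended ACL syntax the sheet uses and checks the sheet's own entries from steps 16, 19 and 24 against sample packets. It goes one step beyond the sheet with a constructed even-address entry (192.168.0.0 0.0.0.254) of the kind question 30 calls for, and a hosts_matched helper that shows which of a set of clients a mask selects; the function names and sample packets are the example's own.

```python
import ipaddress


def ip_int(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr, base, wild):
    """IOS wildcard semantics: a 1 bit in the mask is 'do not care'."""
    return (addr | wild) == (base | wild)


def parse_ace(line):
    """Parse one entry of a named extended ACL:
       <permit|deny> <ip|tcp|udp|icmp> <src> <dst> [eq <port>]
       where an address is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    t = line.split()
    if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError("unsupported entry: %r" % line)
    pos = 2

    def take_addr():
        nonlocal pos
        if t[pos] == "any":
            pos += 1
            return 0, 0xFFFFFFFF          # everything is "do not care"
        if t[pos] == "host":
            pos += 2
            return ip_int(t[pos - 1]), 0  # exact match, same as wildcard 0.0.0.0
        pos += 2
        return ip_int(t[pos - 2]), ip_int(t[pos - 1])

    try:
        src, dst = take_addr(), take_addr()
        port = None
        if pos < len(t):
            if t[pos] != "eq" or t[1] not in ("tcp", "udp") or pos + 2 != len(t):
                raise ValueError("unsupported entry: %r" % line)
            port = int(t[pos + 1])
    except IndexError:
        raise ValueError("truncated entry: %r" % line)
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": port}


def acl_permits(acl_lines, proto, src, dst, dport=None):
    """First match wins; IOS ends every list with an implicit 'deny ip any any'."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not wildcard_match(ip_int(src), *ace["src"]):
            continue
        if not wildcard_match(ip_int(dst), *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False


def hosts_matched(base, wild, hosts):
    """Which of the given hosts does 'base wild' select? Useful before writing a range rule."""
    b, w = ip_int(base), ip_int(wild)
    return [h for h in hosts if wildcard_match(ip_int(h), b, w)]


# Entries copied from the lab sheet (steps 16, 19 and 24).
TEST_ACL = ["deny ip host 192.168.0.1 host 192.168.0.110", "permit ip any any"]
WEB_ACL = ["deny tcp any any eq 80", "permit ip any any"]
PING_ACL = ["deny icmp 192.168.0.1 0.0.0.0 192.168.0.110 0.0.0.0", "permit ip any any"]
# Constructed for the example: the even-address pattern of tutorial question 30.
EVEN_WEB_ACL = ["deny tcp 192.168.0.0 0.0.0.254 host 192.168.0.110 eq 80", "permit ip any any"]

CLIENTS = ["192.168.0.%d" % n for n in range(1, 6)]

if __name__ == "__main__":
    for c in CLIENTS:
        print(c, "web via EVEN_WEB_ACL:", acl_permits(EVEN_WEB_ACL, "tcp", c, "192.168.0.110", 80))
    print("0.0.0.254 selects:", hosts_matched("192.168.0.0", "0.0.0.254", CLIENTS))
```

Two caveats matter when you move from the script to the access point. The list is bound with ip access-group Test in on d0, so it sees traffic arriving from the wireless clients, and the source address in each entry is the client's. Wildcard masks select power-of-two blocks, so a mask such as 0.0.0.127 on 192.168.5.128 covers .128 to .255, one address more than the .128 to .254 range question 33 names; check the selection with hosts_matched before relying on it.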