Lab details

At present C.6 has three Cisco Aironet 1200 access points and three Linksys access points. The Cisco Aironets can be accessed through a console server using the console address and a specific TCP port. There are also 12 Cisco 350 Aironet wireless clients and eight Belkin wireless clients.

Figure 1: Aironet configuration (console server connected to three Cisco Aironet 1200 access points, each reached at 192.168.1.100 on TCP ports 2001, 2002 and 2003)

Thus the access is:

    Cisco Aironet 1    Address: 192.168.1.100    Port: 2001
    Cisco Aironet 2    Address: 192.168.1.100    Port: 2002
    Cisco Aironet 3    Address: 192.168.1.100    Port: 2003

Make sure that your Ethernet connection is enabled, and do not create your wireless network on the 192.168.1.0 network. You will be assigned one of the groups, and you should create a wireless network with five wireless clients. The details are:

    Group 1:  SSID: APskills1   IP address of Access Point: 192.168.0.110   Range of addresses: 192.168.0.1 to 192.168.0.5
    Group 2:  SSID: APskills2   IP address of Access Point: 192.168.0.110   Range of addresses: 192.168.0.1 to 192.168.0.5
    Group 3:  SSID: APskills3   IP address of Access Point: 192.168.0.110   Range of addresses: 192.168.0.1 to 192.168.0.5

Author: W.Buchanan
Open authentication

1. For this part of the lab, you should set up a network for five wireless clients, and you will be assigned one of the access points to connect to. Initially use HyperTerminal or TELNET to connect, as shown in Figure 2 and Figure 3.

Figure 2: Connection details
Figure 3: Connection details
2. Assign each of your wireless clients a static IP address on the subnet, as shown in Figure 4.

Figure 4: Client details

3. Then configure the access point with:

    hostname ap
    int bvi1
     ip address 192.168.0.110 255.255.255.0
    interface d0
     channel 11
     station-role root
     encryption key 1 size 40bit aaaaaaaaaa transmit-key
     encryption mode ciphers tkip wep40
     no ssid tsunami
     ssid APskills
      authentication open
      guest-mode
    end

4. Next, if you have a Cisco 350 wireless client, set up the SSID and client name as shown in Figures 5 and 6, and define the WEP encryption key as shown in Figure 7. From the clients, ping each node on the network, and, on the wireless access point, determine the associations with:

    ap#sh dot assoc
    802.11 Client Stations on Dot11Radio0:
    SSID [APskills]:
    MAC Address     IP address    Device      Name   Parent  State
    0009.4388.7123  192.168.0.1   350-client  Bill   self    Assoc

5. Check that the device is associated, as shown in Figure 8.
Figure 5: Creating a new profile
Figure 6: Cisco wireless client details
Figure 7: WEP client details
Figure 8: Association

Checking basic details

6. The Cisco wireless client has additional details, such as:

    A site survey (Figure 9).
    Testing link strength (Figure 10).
    Statistics of the connection (Figure 11).
    Link status (Figure 12).

    What is the signal strength:
    Which channel is the client connected to:
    What is the IP address of the access point:
    Link speed:
    Bytes transmitted:
    Rating of signal strength against signal quality (poor, fair, good or excellent):
    SSID mismatches:
    Ack packets transmitted:
Figure 9: Association
Figure 10: Association
Figure 11: Connection details
Figure 12: Link status
LEAP

7. The access point can be set up so that it authenticates the user onto the network. One method, recommended by Cisco Systems, is LEAP, which supports a username and a password that are authenticated by a local or a remote RADIUS server. In this case a local RADIUS server, running on the access point, is used to authenticate the user. A basic configuration of the access point is:

    hostname ap
    aaa new-model
    aaa group server radius rad_eap
     server 192.168.1.110 auth-port 1812 acct-port 1813
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server radius dummy
     server 192.168.1.110 auth-port 1812 acct-port 1813
    aaa group server radius rad_pmip
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa authorization ipmobile default group rad_pmip
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    int bvi1
     ip address 192.168.1.110 255.255.255.0
    ! the local RADIUS server listens on the BVI1 address, so the nas and
    ! radius-server host entries below must use that same address
    radius-server local
     nas 192.168.1.110 key sharedkey
     user aaauser password aaauser
     user bbbuser password bbbuser
    radius-server host 192.168.1.110 auth 1812 acct 1813 key sharedkey
    interface d0
     channel 11
     station-role root
     encryption key 1 size 40bit aaaaaaaaaa transmit-key
     encryption mode ciphers tkip wep40
     ! remember to change the SSID to your requirement
     ssid APskills
      authentication network-eap eap_methods
      guest-mode
    end
8. This sets up two users, aaauser and bbbuser, with a shared key of sharedkey between the access point and the local RADIUS server. Next set up the wireless clients to connect to the network by defining LEAP security, as shown in Figure 13 and Figure 14.

Figure 13: Defining LEAP
Figure 14: LEAP settings
9. Next, show the associations:

    ap#sh dot assoc
    802.11 Client Stations on Dot11Radio0:
    SSID [APskills]:
    MAC Address     IP address    Device      Name   Parent  State
    0009.4388.7123  192.168.0.1   350-client  BIll   self    EAP-Assoc
    0009.7cd1.9062  192.168.0.2   350-client  XP3    self    EAP-Assoc

    Do the clients connect to the network:
    What are the associations on the access point? List their details:
    How do the associations differ from before:

10. If you managed to connect successfully to the network, next change the user ID for the LEAP details, as shown in Figure 15.

    Do the clients connect to the network:

Redefine the LEAP details so that the client re-associates.

    Is it successful:

Figure 15: LEAP settings
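Steps 4 and 9 both ask you to read the "sh dot assoc" table and say how the associations differ. The following is an added example, not code from the lab or from Cisco: it parses that table into records and reports which clients changed state (for instance from Assoc under open authentication to EAP-Assoc under LEAP) and which clients are associated without having passed EAP. The two sample outputs are constructed from the listings in the handout; the column layout is assumed to be the six whitespace-separated fields shown there.

```python
import re
from dataclasses import dataclass

# Constructed sample outputs, modelled on the two "sh dot assoc" listings in the
# lab (open authentication in step 4, LEAP in step 9). Not captured from a device.
OPEN_AUTH_OUTPUT = """\
802.11 Client Stations on Dot11Radio0:
SSID [APskills]:
MAC Address     IP address    Device      Name   Parent  State
0009.4388.7123  192.168.0.1   350-client  Bill   self    Assoc
"""

LEAP_OUTPUT = """\
802.11 Client Stations on Dot11Radio0:
SSID [APskills]:
MAC Address     IP address    Device      Name   Parent  State
0009.4388.7123  192.168.0.1   350-client  Bill   self    EAP-Assoc
0009.7cd1.9062  192.168.0.2   350-client  XP3    self    EAP-Assoc
"""


@dataclass(frozen=True)
class Association:
    ssid: str
    mac: str
    ip: str
    device: str
    name: str
    parent: str
    state: str


# Cisco-style MAC address: three groups of four hex digits separated by dots.
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
SSID_RE = re.compile(r"^SSID \[(.+?)\]")


def parse_associations(output: str) -> list[Association]:
    """Turn the association table into records, tagging each row with the
    SSID header that precedes it (one table can list several SSIDs)."""
    ssid = ""
    rows = []
    for line in output.splitlines():
        line = line.strip()
        m = SSID_RE.match(line)
        if m:
            ssid = m.group(1)
            continue
        parts = line.split()
        # Data rows start with a MAC address; the column header row does not.
        if len(parts) >= 6 and MAC_RE.match(parts[0]):
            rows.append(Association(ssid, *parts[:6]))
    return rows


def not_eap_authenticated(assocs: list[Association]) -> list[str]:
    """MACs that are associated without an EAP state (plain 'Assoc')."""
    return [a.mac for a in assocs if not a.state.startswith("EAP-")]


def compare(before: list[Association], after: list[Association]) -> dict:
    """Diff two snapshots: state changes per MAC, plus clients that appeared or left."""
    b = {a.mac: a.state for a in before}
    a_ = {a.mac: a.state for a in after}
    return {
        "changed": {m: (b[m], a_[m]) for m in b.keys() & a_.keys() if b[m] != a_[m]},
        "new": sorted(a_.keys() - b.keys()),
        "gone": sorted(b.keys() - a_.keys()),
    }


if __name__ == "__main__":
    before = parse_associations(OPEN_AUTH_OUTPUT)
    after = parse_associations(LEAP_OUTPUT)
    print("not EAP-authenticated before:", not_eap_authenticated(before))
    print("not EAP-authenticated after: ", not_eap_authenticated(after))
    print("difference:", compare(before, after))
```

On a real access point the same check is worth scripting against the live output after any authentication change: a client that still shows plain Assoc once LEAP is configured has associated without passing the RADIUS check.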
Filtering (continued from previous week)

11. The wireless access point can be used to filter MAC addresses for a source and destination. Its format is:

    access-list [<700-799> | <1100-1199>] [deny | permit] [source mac] [source mask] [dest mac] [dest mask]

For example, to disallow the node with the MAC address 0090.4b54.d83a access to 0060.b39f.cae1:

    access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0
    access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff

and it is applied with the following:

    int d0
     l2-filter bridge-group-acl
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 output-pattern 1101
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled

The MAC addresses on the network can be read from the ARP cache of the access point:

    ap#show arp
    Protocol  Address        Age (min)  Hardware Addr   Type  Interface
    Internet  192.168.0.110          -  000d.65a9.cb1b  ARPA  BVI1
    Internet  192.168.0.101          1  0060.b39f.cae1  ARPA  BVI1
    Internet  192.168.0.103          2  0009.7c85.87f1  ARPA  BVI1
    Internet  192.168.0.115          1  0090.4b54.d83a  ARPA  BVI1
    ap#

    Determine all the MAC addresses on your network:

Block the access of one computer to another.

    What is the access-list used:
    Is the access blocked, and can the other nodes still access each other:

12. Next remove the access list with:

    no access-list 1101

and now add a new one which blocks access from one computer to two of the hosts on the network.
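The MAC access-list in step 11 uses the same wildcard-mask idea as IP access-lists: a mask of 0.0.0 means "this address exactly" and ffff.ffff.ffff means "any address", entries are tried in order, and a frame that matches no entry is dropped by the implicit deny at the end. The following is an added example, not code from the lab or from Cisco IOS, that evaluates entries written in that notation so the effect of a list can be checked before it is applied. The two entries are the ones from step 11; the test frames are constructed from the MAC addresses in the ARP cache above.

```python
# Added example (not part of the lab handout): evaluator for the Aironet MAC
# access-list notation used in step 11. Addresses and masks are dotted hex
# triplets; mask 0.0.0 = match exactly, mask ffff.ffff.ffff = match anything.

MAC_BITS = (1 << 48) - 1


def mac_to_int(mac: str) -> int:
    """'0090.4b54.d83a' or the short form '0.0.0' -> 48-bit integer."""
    groups = mac.lower().split(".")
    if len(groups) != 3:
        raise ValueError(f"bad MAC address or mask: {mac!r}")
    return int("".join(g.zfill(4) for g in groups), 16)


def wildcard_match(value: int, pattern: int, mask: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask is a don't-care bit."""
    care = MAC_BITS ^ mask
    return (value & care) == (pattern & care)


def parse_mac_acl(text: str) -> list[tuple]:
    """Parse 'access-list <700-799|1100-1199> <permit|deny> SRC SMASK DST DMASK' lines."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0] != "access-list":
            raise ValueError(f"unrecognised entry: {line!r}")
        _, number, action, src, smask, dst, dmask = parts
        if action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny: {line!r}")
        rules.append((int(number), action,
                      mac_to_int(src), mac_to_int(smask),
                      mac_to_int(dst), mac_to_int(dmask)))
    return rules


def mac_acl_decision(rules: list[tuple], src: str, dst: str) -> str:
    """First matching entry wins; a frame matching no entry hits the implicit deny."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for _, action, rs, rsm, rd, rdm in rules:
        if wildcard_match(s, rs, rsm) and wildcard_match(d, rd, rdm):
            return action
    return "deny"


# The two entries from step 11 of the lab.
ACL_1101 = """
access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0
access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff
"""

if __name__ == "__main__":
    rules = parse_mac_acl(ACL_1101)
    # Constructed frames using MACs from the ARP cache shown in the lab.
    for src, dst in [("0090.4b54.d83a", "0060.b39f.cae1"),
                     ("0060.b39f.cae1", "0090.4b54.d83a"),
                     ("0009.7c85.87f1", "0060.b39f.cae1")]:
        print(f"{src} -> {dst}: {mac_acl_decision(rules, src, dst)}")
```

Two things the evaluator makes visible: a single deny entry matches one direction only (the reverse frame from 0060.b39f.cae1 to 0090.4b54.d83a still hits the permit entry), and without the trailing permit-any entry every other station would be silently dropped by the implicit deny, which is the usual cause of "nothing works" after a filter is applied.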
    Is the block successful:

MAC filtering

13. The wireless access point can be used to filter MAC addresses for a source and destination. Its format is:

    access-list [<700-799> | <1100-1199>] [deny | permit] [source mac] [source mask] [dest mac] [dest mask]

For example, to disallow the node with the MAC address 0090.4b54.d83a access to 0060.b39f.cae1:

    access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0
    access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff

and it is applied with the following:

    int d0
     l2-filter bridge-group-acl
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 output-pattern 1101
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled

In this case an example of the ARP cache is:

    ap#show arp
    Protocol  Address        Age (min)  Hardware Addr   Type  Interface
    Internet  192.168.0.110          -  000d.65a9.cb1b  ARPA  BVI1
    Internet  192.168.0.101          1  0060.b39f.cae1  ARPA  BVI1
    Internet  192.168.0.103          2  0009.7c85.87f1  ARPA  BVI1
    Internet  192.168.0.115          1  0090.4b54.d83a  ARPA  BVI1
    ap#

Determine all the MAC addresses on your network:

    IP: 192.168.0.1    MAC address:
    IP: 192.168.0.2    MAC address:
    IP: 192.168.0.3    MAC address:
    IP: 192.168.0.4    MAC address:
    IP: 192.168.0.5    MAC address:

Block the access of one computer to another.

    What is the access-list used:
    What is the output from the show arp command on the wireless access point:
    Is the access blocked, and can the other nodes still access each other:

14. Next remove the access list with:

    no access-list 1101

and now add a new one which blocks access from one computer to two of the hosts on the network.

    Is the block successful:

15. Next, remove the access list, and bar a node access to the complete network.

    Is the block successful:

IP filtering

16. The access point supports IP-based access-lists. For example, the following blocks the host at 192.168.0.1 from accessing 192.168.0.110, and is applied to the D0 port:

    ip access-list extended Test
     deny ip host 192.168.0.1 host 192.168.0.110
     permit ip any any
    interface d0
     channel 11
     ip access-group Test in
     station-role root
     encryption key 1 size 40bit aaaaaaaaaa transmit-key
     encryption mode ciphers tkip wep40
     no ssid tsunami
     ssid APskills
      authentication open
      guest-mode
    end

Apply this configuration.

    Can the 192.168.0.1 node communicate with the wireless access point:

17. Write an access-list which blocks access from 192.168.0.1 to 192.168.0.3, and also blocks access from 192.168.0.2 to 192.168.0.4. The rest of the communications should be ALLOWED. REMEMBER, before you start, to remove the old access-list (no ip access-list extended Test).

    What is the access-list:
    Do the blocks work, and can the other nodes still communicate:
18. Write an access-list which allows access from 192.168.0.1 to 192.168.0.3, and also allows access from 192.168.0.2 to 192.168.0.4. The rest of the communications should be BLOCKED. REMEMBER, before you start, to remove the old access-list (no ip access-list extended Test).

    What is the access-list:
    Do the allows work, and are the other nodes blocked:

TCP filtering

19. Along with IP filtering, it is possible to filter on the TCP port. For example, the following blocks any source host to any destination on port 80:

    ip access-list extended Test
     deny tcp any any eq 80
     permit ip any any
    interface d0
     channel 11
     ip access-group Test in
     station-role root
     encryption key 1 size 40bit aaaaaaaaaa transmit-key
     encryption mode ciphers tkip wep40
     ssid APskills
      authentication open
      guest-mode
    end

20. Test the above script and make sure that none of the nodes can access the web server on the access point:

    Is web access blocked:

21. Modify the access-list so that the node which has an IP address of 192.168.0.2 cannot access the web server on the access point:

    Is web access blocked:

22. Using the client and the server program, write an access-list which will block communications between two of the nodes on the network for client-server communications on port 1001:

    Is the access blocked:

23. Remove the previous access-list, and determine if the nodes can now connect to each other on port 1001:
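The extended access-lists in steps 16 and 19 (and the ICMP entry in step 24) all rely on the same rules: entries are tested in order, the first match decides, and a packet matching nothing is dropped by the implicit deny, which is why each list ends with "permit ip any any". The following is an added example, not code from the lab or from Cisco IOS: a small evaluator for the entry shapes used in this handout (permit/deny, protocol ip/tcp/udp/icmp, addresses as "any", "host A.B.C.D" or "A.B.C.D WILDCARD", optional "eq PORT"). It is applied to the lab's three lists, with the step 24 entry written with the 192.168.0.1 source the text describes, and to constructed sample packets; it models only the list itself, not where "ip access-group Test in" attaches it.

```python
import ipaddress

# Added example (not from the lab): evaluator for the IOS extended access-list
# entries used in steps 16, 19 and 24, so the first-match / implicit-deny
# behaviour can be checked before the list is applied on the access point.

ALL_ONES = 0xFFFFFFFF


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _addr_spec(tokens, i):
    """Consume one address spec, returning (address, wildcard, next_index).
    'any' = 0 with an all-ones wildcard, 'host X' = X with a zero wildcard."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def _port_spec(tokens, i):
    """Consume an optional 'eq PORT', returning (port_or_None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_extended_acl(text: str) -> list[dict]:
    """Parse the body of an 'ip access-list extended NAME' block into entries."""
    rules = []
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t or t[0] == "ip":          # the 'ip access-list extended NAME' header
            continue
        if t[0] not in ("permit", "deny"):
            raise ValueError(f"unrecognised entry: {raw!r}")
        src, smask, i = _addr_spec(t, 2)
        sport, i = _port_spec(t, i)
        dst, dmask, i = _addr_spec(t, i)
        dport, i = _port_spec(t, i)
        rules.append(dict(action=t[0], proto=t[1], src=src, smask=smask, sport=sport,
                          dst=dst, dmask=dmask, dport=dport, text=raw.strip()))
    return rules


def _wild(value: int, pattern: int, mask: int) -> bool:
    """Cisco wildcard semantics: mask bits set to 1 are ignored in the comparison."""
    care = ALL_ONES ^ mask
    return (value & care) == (pattern & care)


def acl_decision(rules, proto, src, dst, sport=None, dport=None):
    """Return (action, matching entry text). Entries are tried in order and the
    first match decides; if nothing matches, the list's implicit deny applies."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:   # 'ip' matches every protocol
            continue
        if not (_wild(s, r["src"], r["smask"]) and _wild(d, r["dst"], r["dmask"])):
            continue
        if r["sport"] is not None and r["sport"] != sport:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny"


# Access-lists from the lab (step 24 written with the 192.168.0.1 source the text describes).
STEP16_ACL = """
ip access-list extended Test
 deny ip host 192.168.0.1 host 192.168.0.110
 permit ip any any
"""
STEP19_ACL = """
ip access-list extended Test
 deny tcp any any eq 80
 permit ip any any
"""
STEP24_ACL = """
ip access-list extended Test
 deny icmp 192.168.0.1 0.0.0.0 192.168.0.110 0.0.0.0
 permit ip any any
"""

if __name__ == "__main__":
    # Constructed sample packets from the lab's client range to the access point.
    r19 = parse_extended_acl(STEP19_ACL)
    print(acl_decision(r19, "tcp", "192.168.0.5", "192.168.0.110", sport=40000, dport=80))
    print(acl_decision(r19, "tcp", "192.168.0.5", "192.168.0.110", sport=40000, dport=23))
```

The evaluator also answers the usual follow-up from step 17 and 18 style questions: dropping the final "permit ip any any" (or writing only permit entries, as step 18 asks) changes the default for everything unlisted, because the implicit deny then takes over.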
    Is the access allowed:

ICMP filters

24. It is possible to block ICMP in the filtering, such as blocking a ping from 192.168.0.1 to 192.168.0.110:

    ip access-list extended Test
     deny icmp 192.168.0.1 0.0.0.0 192.168.0.110 0.0.0.0
     permit ip any any

    Is it possible to ping the access-point (192.168.0.110) from 192.168.0.1:
    Is it possible to ping the access-point (192.168.0.110) from other nodes:

25. Now block ping access from 192.168.0.1 to 192.168.0.2.

    Is it possible to ping the access-point (192.168.0.111) from 192.168.0.112:
    Is it possible to ping all the other nodes:

Tutorial

For a network which has an access point at 192.168.0.110 and five wireless clients from 192.168.0.1 to 192.168.0.5, with an SSID of APskills, complete the following:

26. Create a firewall that blocks ping access to all other nodes on the network. Test it, and then restore ping access.

27. Create a firewall that bars TELNET access from 192.168.0.2 to the wireless access point. All other nodes should be able to telnet into the access point. Next do the opposite, where only the node 192.168.0.2 is allowed to TELNET into the access point and the rest are not.

28. Create a firewall that bars SNMP access from all the nodes on the network to the wireless access point. All other nodes should be able to telnet into the access point.

29. Enable the small-servers on the wireless access point, access the time server port (port 7), and prove that it works from each of the clients. Implement a firewall on the wireless access point to bar time server access from 192.168.0.1 to the access point. Make sure that all the other nodes can still access the port.

30. Create a network of wireless clients where the access point has an address of 192.168.0.110, and create a firewall which blocks all the addresses which have even-numbered IP addresses from accessing the web server on the access point, such as:
    192.168.0.2 cannot access the wireless access point web server.
    192.168.0.4 cannot access the wireless access point web server.
    And so on.

    What is the access-list:
    Does it work:

31. Create a network of wireless clients where the access point has an address of 192.168.0.110, and create a firewall which blocks all the addresses which have odd-numbered IP addresses from accessing the web server on the access point, such as:

    192.168.0.1 cannot access the wireless access point web server.
    192.168.0.3 cannot access the wireless access point web server.
    And so on.

    What is the access-list:
    Does it work:

32. Create a network of wireless clients which have the addresses 192.168.0.1, 192.168.0.2, 192.168.0.3, 192.168.0.64 and 192.168.0.65. Define a firewall rule so that hosts with an IP address above 192.168.0.64 are allowed access to the web server on the access point, but ones below this are barred.

    What is the access-list:
    Does it work:

For a network which has an access point at 192.168.5.254 and five wireless clients from 192.168.5.1 to 192.168.5.253, with an SSID of APskills, complete the following:

33. Create a firewall rule which allows hosts with addresses from 192.168.5.128 to 192.168.5.254 access to the Web server on the access point, and bars the rest of the nodes access to the Web server on the access point.

34. Create a firewall rule which allows hosts with addresses from 192.168.5.64 to 192.168.5.254 access to the Web server on the access point, and bars the rest of the nodes access to the Web server on the access point.