Wireless LANs
Module Number: C072047
Name: Wireless LANs
Module Leader: Prof WJ Buchanan, School of Computing
Contact: w.buchanan@napier.ac.uk, Room: C.63
MSN Messenger Contact: w_j_buchanan@hotmail.com
Skype: billatnapier
WWW: http://networksims.com
Test site: http://networksims.com/simtests.html
Module Specification 1
Module Definition
Module Number: C072047
Name: Wireless LANs
Module Leader: Prof WJ Buchanan, School of Computing
Contact: w.buchanan@napier.ac.uk, Room: C.63
MSN Messenger Contact: w_j_buchanan@hotmail.com
Lectures: 24 hours
Practical: 12 hours
Student Centered Learning: 114 hours
Syllabus: Radio Fundamentals (Spread spectrum, Modulation, Radio Wave Propagation), Ad-hoc networks, Wireless Topologies, Antennas, Encryption (WEP, TKIP, and so on) and Authentication (such as EAP, LEAP, Port-based filtering, and so on), Site Security, Troubleshooting, Emerging Technologies, Voice over Wireless, GSM/3G Networks, Location-finding, RFID, Cisco Wireless Tools, Wireless Certification.
Assessment:
1. Coursework assessment [50%].
2. On-line test [50%]. 10% for passing Cisco Certification, 40% for Napier Test.
Learning Outcomes:
- Demonstrates analytical and synthesis skills in defining the key stages in the development of a wireless solution from its specification and design to its evaluation.
- Provides an in-depth understanding of the key principles involved in the operation of a wireless system.
- Demonstrates key practical skills in the implementation, evaluation and debugging of wireless systems.
Reference book:
WWW: http://www.dcs.napier.ac.uk/~bill/wire.html, http://buchananweb.co.uk/wire.html
Software: Networksims.com
Week / Date
Week 1: 1 Oct
Week 2: 8 Oct
Week 3: 15 Oct
Week 4: 22 Oct
Week 5: 29 Oct
Week 6: 5 Nov
Week 7: 12 Nov
Week 8: 19 Nov
Week 9: 26 Nov
Week 10: 3 Dec
Week 11: 10 Dec
Week 12: 17 Dec
Holidays
Week 13: 7 Jan
Week 14: 14 Jan
Week 15: 21 Jan
Academic:
1: Radio Wave Fundamentals
2: Wireless Fundamentals
3: Ad-hoc and Infrastructure Networks
4: Encryption
5: Authentication
6: Antennas
7: Filtering / 8: VLANs
Napier Test (40%)
Cisco:
Lab/Tutorial
Emerging Technologies
Cisco Exam (10%)
Coursework/Practical (50%)
Access Point Tutorial 1. This gives a tutorial example for the configuration of a Cisco Aironet 1200 Wireless Access Point (WAP).
Ad-hoc networks. This provides a practical foundation on the configuration and evaluation of ad-hoc networks.
Infrastructure networks. This provides a practical foundation in the configuration of wireless networks using Linksys and Cisco Aironet WAPs.
Radio Configuration Settings. This provides a practical foundation in the range of additional settings on a WAP, such as the RTS.
Encryption. This provides a practical foundation in encryption using simple techniques such as WEP, and more up-to-date techniques such as TKIP.
Authentication/EAP. This provides a practical foundation in the configuration of authentication in wireless systems, including techniques such as LEAP.
Configuring Services. This provides a practical foundation to the configuration of services on a WAP, including TELNET, HTTP, and so on.
Filtering/Blocking. This provides a practical foundation in the methods used to filter and block traffic on a wireless network.
VLANs. This provides a practical foundation in how wireless networks can be segmented in order to enhance security.
Date / Teaching
1 Oct: 1: Radio Wave Fundamentals
8 Oct: 2: Wireless Fundamentals
15 Oct: 3: Infrastructure Networks
22 Oct: 4: Encryption
29 Oct: 5: Authentication
5 Nov: 6: Antennas
12 Nov: 7: Filtering / 8: VLANs
Remaining sessions (19 Nov, 26 Nov, 3 Dec (week 10), 10 Dec (week 11), 17 Dec (week 12), 7 Jan (week 13)): Cisco Academy/Additional Material (three sessions), Revision/Cram (Cisco Exam)
14 Jan (week 14), 21 Jan (week 15): Completed
Lab schedule (Week / Date / Lab)
Week 1: 1 Oct
8 Oct
15 Oct
22 Oct
29 Oct: Wireless Topologies
5 Nov: Access Points
12 Nov: Bridges
19 Nov: Antennas
26 Nov: Security
Week 10, 3 Dec: Applications
Week 11, 10 Dec: Site Survey
Week 12, 17 Dec: Troubleshooting
Completed
Lab schedule (Week / Date / Lab)
Week 1: 2 Oct
9 Oct
16 Oct
23 Oct
30 Oct
6 Nov
13 Nov
20 Nov
27 Nov
Week 10: 4 Dec
Week 11: 11 Dec
Week 12: 18 Dec
Completed
Wireless LANs CO72047
Prof Bill Buchanan
Details
The details of the test are at:
http://www.dcs.napier.ac.uk/~bill/wirelesslan_exam.htm
There are 50 questions in the test, and an outline of the questions is:
Wireless network operation
1. Define the usage of handshaking in wireless networks, using RTS/CTS.
2. Define the usage of the fragment threshold, and how it affects traffic.
3. Define the usage of the preamble.
4. Understands the reasons for using spread-spectrum in wireless communications.
5. Identifies the usage of the world-mode in wireless communications.
6. Defines how antenna diversity is used to improve wireless communications.
7. Identifies the radio frequency used in RF wireless networks.
8. Calculates the time to transmit a wireless data frame for a given frame size.
9. Calculates the time to transmit wireless data for given parameters.
WEP/TKIP encryption
10. Defines the number of encryption keys that are possible with WEP encryption.
11. Identifies the size of an ASCII key for 64-bit or 128-bit WEP.
12. Defines the weakness of the IV in WEP.
13. Identifies the maximum number of IV values.
14. Defines the result of XOR-ing a text string with a defined key.
15. Calculates the time for an IV to repeat for a given bit rate and data frame time.
16. Outlines the basics of a man-in-the-middle attack on WEP.
Authentication/802.1X
17. Outlines the weakness of open authentication.
18. Defines the layered model of 802.1X.
19. Defines the operation of TKIP.
20. Outlines how TKIP overcomes the weaknesses of WEP.
21. Defines the operation of LEAP.
22. Defines the operation of EAP-TLS.
23. Defines how a RADIUS server is used in authentication.
24. Defines the management types used with the IEEE 802.11 data frame format.
RF and Antennas
25. Calculates the time taken for an EM wave to travel a given distance.
26. Calculates the dB value for a given input power and output power.
27. Calculates the overall gain for an amplifier, with losses.
28. Calculates the dBm value for a given power level.
29. Calculates output power for a given input power and cable losses, for a given cable length.
30. Calculates the output power in dBm for a given input power and overall gain for an amplifier, with losses.
31. Defines isotropic radiators.
32. Approximates the size of a dipole antenna for a given frequency (based on λ/2).
33. Calculates the dBi of a dipole antenna with a given dBd value.
34. Defines the usage of polarization.
35. Identifies a typical radiation pattern for a given antenna type.
36. Defines antenna beamwidth.
Cisco IOS configuration
37. Defines Cisco IOS commands involved in SNMP communications.
38. Defines Cisco IOS commands involved in generating encryption keys.
39. Defines Cisco IOS command involved in SSH communications.
40. Defines Cisco IOS commands to display connected radio devices.
41. Defines Cisco IOS commands involved with LEAP authentication.
42. Defines Cisco IOS commands involved with WEP encryption.
43. Defines Cisco IOS commands involved with TKIP encryption.
44. Defines Cisco IOS commands involved with shared-key authentication.
45. Defines Cisco IOS commands for local authentication.
Future/other wireless/VLAN
46. Defines the operation of UWB.
47. Defines the type of modulation in UWB.
48. SSID associations.
49. VLAN broadcasts.
50. Defines the usage of WiMax.
Wireless LANs CO72047
Semester 1, 2006/2007
Prof WJ Buchanan, C63, School of Computing
Coursework specification
The coursework will account for 50% of the module. An outline specification is:
Title:
Objective:
Outline:
Introduction. This should define the aims of the coursework, and provide
background material. [5%]
Design. This section should present a possible wireless design for an
organisation network which supports up to 100 simultaneous users. This design
should include encryption, authentication and the required firewalling/filtering.
Further details of the security constraints will be given in the lecture. [25%]
Implementation. This section should provide a prototype of the proposed
wireless system including sample configurations, and an explanation of their
operation. [35%]
Conclusions. This should outline the main conclusions of the report. [15%]
Presentation/references. This relates to the layout and format of the report. Any
references should be given using the APA referencing standard. Do not copy any
material directly from a source. [20%]
The report should be up to 12 pages long, and can include other associated material.
Outline Requirements
The organisation wants to implement a wireless network for their employees, of which the main requirements are:
- Three main groups: Sales, Production and Engineering. Each group has 60 users, and they should be authenticated onto the network.
- The access point selected is a Cisco Aironet 1200.
- The physical span of the network is similar to the corridor on C-floor beside the C.6 lab and along the link corridor that runs along past C.27/C.28.
- The Sales and Production departments should not be able to access the Web server on any access points, but Engineering can.
- The Sales department should not be able to ping any of the network, the Production department can ping the access point, and the Engineering department can ping any part of the network.
- The Engineering department should be able to access SNMP information on the access point and the router, but on no other device. Sales and Production should not be able to access any SNMP information.
- Users in Engineering should be allowed to log into any access point, in a secure way.
- There should be a Web server for each of the main groups, and access should only be allowed for the corresponding group. Access should be barred to the server which is not defined for the department.
- Access to external systems should be allowed for incoming and outgoing emails.
- Overall, the network should be fairly secure and robust, in case of failures.
Wireless LANs Notes
Radio Fundamentals
1.1 Introduction
As microelectronics has made devices smaller, users now have powerful processing devices in the palm of their hands, and there is thus an increasing need for connections to networks to be wireless. Unfortunately, many networks still rely on cables, as they provide a degree of physical security (the signals are contained within the cables). They are also fairly robust, and operate without errors for many years. Networks have thus grown into vast infrastructures of nodes connected to switches, which are then connected to routers, each connecting through a vast array of cables. The physical and logical configuration of the network can thus be well managed and controlled. For many reasons, such as bandwidth requirements, robustness and security, it is sensible to have fixed networks at the core of any networked system, but the actual connectivity of devices is likely to move away from fixed connections towards mobile ones. This new type of connection is likely to create many new issues, which must be overcome before wireless networking becomes the standard way to connect to a network. The four major ones are:
Security. The signals from a wireless adaptor are available to anyone within the wireless domain, and can thus be subjected to security breaches. The most basic form of encryption for wireless is 40-bit WEP, which can be easily decrypted. The 128-bit method is better, but it can still be cracked by military-level equipment. Along with the problems of security is the problem of intruders using a wireless connection to connect to the Internet. They can thus access the Internet for free, or use it to hide their activities.
Authentication. This has become a key issue, and requires the authentication of users and systems, so that access, and access to services, can be carefully controlled.
Robustness. Wireless networks tend to be less robust than fixed networks, especially as they tend to be reliant on access points and antennas, which may be subjected to vandalism, or could be affected by other nearby equipment.
Bandwidth. It would never be possible for wireless networks to compete in bandwidth performance with fiber optic cables, as radio waves have a limited bandwidth of twice the frequency bandwidth of the system. This is mainly due to the limitation in the available radio spectrum, where, currently, many of the radio bands have been used by other applications, such as satellite TV and military devices. Thus, a system which spans from 2GHz to 2.2GHz has a frequency bandwidth of 200MHz. The actual data rate bandwidth of this type of system is typically twice the frequency bandwidth, which will be 400Mbps. Fiber optic cables support rates of many Gbps.
Most wireless networks use a shared radio environment, where the devices can transmit and receive at a distance of up to 450 meters in an open environment. The wireless network implements most of the data link and physical layer functions, and its main functions are to:
1. Provide a path for data to flow.
2. Allow the sharing of the common medium.
3. Allow synchronization and error control to minimize errors on data transmission.
4. Allow routing mechanisms to efficiently determine the best route for the data.
5. Allow an interface to network-based application software.
The applications of wireless technology are likely to increase over the forthcoming years, especially with the increasing processing power of mobile devices, but typical applications include:
(1.1)
where f is the frequency (Hz), and is the wavelength of the wave (m). c is defined as the speed of light and is approximately 300,000,000 (3×10^8) m/s. For example, if the frequency of the wave is 2.4GHz, then, in free space, its wavelength will be:
$$\frac{c}{f} = \frac{3 \times 10^{8}}{2.4 \times 10^{9}} = 12.5\,\text{cm} \qquad (1.2)$$
Figure 1.1: EM wave propagation (E, electric field; direction of propagation; f = frequency (Hz), wavelength (m); c = f × wavelength, c = 3 × 10^8 m/s)
1.3 EM Spectrum
The EM spectrum covers a number of wave classifications. Figure 1.3 shows the general classifications. The lowest-frequency EM waves are radio waves, which range up to 1GHz and include AM radio, FM radio, TV and cell phone technologies. Generally this spectrum is congested with applications, and it has been relatively simple to implement electronic devices which use these applications. The microwave spectrum sits above this, and has been used for applications such as RADAR and microwave ovens. A small gap exists for ISM (Industrial, Scientific and Medical), which has been allocated for new wireless LAN standards. The characteristics of each type of wave differ: for example, radio waves propagate fairly well in free space and can travel long distances, whereas microwaves tend to be used in line-of-sight applications, as the wave cannot bend round large objects. Infra-red waves are generally associated with heat radiation and are also used for fibre optic communications. Infrared and ultra-violet can also be used for laser-type applications, such as line-of-sight optics, and, because of their inherently higher bandwidth-carrying capabilities, can be used to transmit high data rates over relatively short distances.
Figure 1.3: EM Spectrum, plotted against wavelength (m) and frequency (Hz): radio waves (AM radio, 535kHz to 1.7MHz; FM radio, 88 to 108MHz; TV, 174 to 220MHz; cell phone, 800/900MHz; GPS, 1.2 to 1.5GHz), microwaves (wireless comms, 2.4 and 5GHz), infra-red, light, ultra-violet, X-rays and gamma rays.
Generally, the higher the frequency of the wave, the higher the available bandwidth capacity there is to transmit data. An estimate of the available bandwidth is:

$$B_{av} = \frac{f}{10}\ \text{bps} \qquad (1.3)$$

Thus, for example, the available bandwidths for a few radio waves are:
Radio wave (AM): f = 1.7MHz, B_av = 170kbps.
Radio wave (TV): f = 200MHz, B_av = 20Mbps.
Radio wave (mobile phone): f = 900MHz, B_av = 90Mbps.
Microwave (IEEE 802.11b): f = 2.4GHz, B_av = 240Mbps.
Infra-red: f = 10^13 Hz, B_av = 1Tbps.
This available bandwidth, though, is often split between different channels; in IEEE 802.11b, where there are around 14 channels, the available bandwidth per channel is thus a maximum of 17Mbps. Unfortunately the actual bandwidth depends on other factors, especially noise and multipath, where the signal level must be much higher than the noise for the communications to be received reliably. Normally, the larger the power transmitted, the further the signal can travel without being affected by noise. Figure 1.4 shows some of the EM waves and a typical noise floor. New communication techniques, such as UWB (Ultra-wideband), spread their signal across a wide band of frequencies. Thus the power level of UWB does not affect other communications, as its power in any of the bands is generally lower than the noise floor.
Figure 1.4 (placeholder): power level against frequency (10^6 to 10^10 Hz) for AM radio (535kHz to 1.7MHz), FM radio (88 to 108MHz), TV (174 to 220MHz), cell phone (800/900MHz), GPS (1.2 to 1.5GHz) and wireless comms (2.4 and 5GHz), with a typical noise floor; the UWB pulse is spread across the frequency spectrum.
cell to the next. This is the technique that mobile phones and wireless networks (IEEE
802.11) use to connect devices to a wireless infrastructure. Along with the different
channels, it is also possible to add an identifier name, that the clients associate with.
Figure (placeholder): propagation effects between Tx and Rx: reflection from metal objects, absorption (due to density) by non-conductors, and fading (signal paths 1, 2 and 3).
Specification fields (values not recovered): Data Rate, Media Access Protocol, Range, RF Technology, Modulation, Output Power, Sensitivity.
Figure (placeholder): FHSS hops between 1MHz channels Ch01 to Ch75 across 2400MHz to 2483.5MHz; DSSS uses 22MHz-wide channels (CH1, CH2, CH7 and CH13 shown), of which CH1, CH7 and CH13 are non-overlapping.
Copyright statement
This unit has been designed as an integrated unit, and should not
be modified without the authors consent.
Prof Bill Buchanan, Sept 2008
Wireless Networks
2.1 Introduction
This unit outlines some of the issues involved in wireless networks, which must be considered in their design and deployment. As the world moves, slowly, towards a massive wireless network, it is important that many of the limiting factors are thought about at this stage, as they may limit its eventual development. Overall there are many problems, but data security and authentication are two of the major ones, especially from a corporate point of view. These areas will be looked at in Unit 4 and Unit 5.
A key factor in the adoption of wireless networks is their standardization by international standards bodies, as this allows consumers to purchase equipment from different manufacturers without having to worry that it will not interconnect, or will be incompatible in some other way. The leading standards organisation for Layer 1 and Layer 2 communications is the IEEE, which developed the famous IEEE 802 standard, of which IEEE 802.3 defines the standards for Ethernet. It is the 802 standard that has provided the foundation for networking, and without it the Internet could not have developed so quickly. For wireless networks the IEEE has defined a number of standards such as:
Figure (placeholder): IEEE 802.11b available bandwidth against distance: 11Mbps (CCK, max bandwidth) at 100m, 5.5Mbps at 200m, 2Mbps (DQPSK) at 300m and 1Mbps (DBPSK) at 400m.
Figure (placeholder): available throughput against required throughput (2, 4, 8 and 10Mbps): actual throughput rises linearly with required throughput (to around 6 to 8Mbps), then more collisions and errors occur, data frames are dropped, and bandwidth is wasted.
operates in the wireless access point and identifies the devices which are allowed to transmit at any given time. Then, within the contention-free (CF) period, the access point polls each of the PCF-enabled nodes to determine whether they wish to transmit data frames. No other device is allowed to transmit while another node is being polled. Thus PCF is contention-free, and enables devices to transmit data frames synchronously, with defined time delays between data frame transmissions.
Figure 2.3: CSMA/CA (1: listen for no activity; 2: ACK, with an ACK time-out)
routing protocols, which will be covered in a later unit, it is possible to span large physical areas, where nodes pass data from one to the next. The major problem is that the routing becomes extremely complex as the network span increases. There are also security issues with ad-hoc routing in ad-hoc networks.
In both ad-hoc and infrastructure networks, clients can be set up to connect only to one type or the other, or to either of them (although this is not recommended for security). Ad-hoc networks have advantages in situations where no network infrastructure currently exists, or is possible. Examples of this include emergency situations, such as where the network infrastructure has been destroyed, or mobile situations, where nodes are moving. Unfortunately, there are many issues in ad-hoc networks which make them difficult to control, especially from a security and authentication point of view. Thus infrastructure networks have become the most common type, as it is easier to control the access of nodes to the network, and to filter their traffic. Ad-hoc networks, though, should not be dismissed: they have their applications, and may also provide a model of the Internet of the future, and, as both modes are supported by wireless clients, they give an alternative design method.
Figure 2.4: Infrastructure network (ad-hoc and infrastructure modes)
Figure 2.5: SSID for a wireless network (in both ad-hoc and infrastructure modes, the SSID defines the connected nodes)
Figure 2.6: Span of networks
Figure (placeholder): access point ports: dot11radio0 (or d0) with the antenna connector, e0 (or fa0) for Ethernet, and con for the console. The bvi1 port is used to configure both ports with the same address:
# config t
(config)# int bvi1
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# exit
2.5.1 Station-role
The wireless access point can either be a root device, where, on one side, it connects to a fixed network, or a repeater device, which does not connect to the fixed network, as illustrated in Figure 2.8. These are defined from within the D0 port configuration. Another important configuration is the default-gateway, which is used in order to redirect any data packets which are not destined for the local network. For this, the wireless access point sends these data packets, which have an unknown destination, to the default gateway, which will, hopefully, find a destination for them, or at least know of another router which might be able to help in routing the packets. In most cases the default-gateway is defined as the IP address of the router port which connects to the Ethernet connection of the wireless access point. An example configuration is:
# config t
(config)# ip default-gateway 192.168.1.254
Figure 2.8: Root (connected to the fixed network) and repeater station roles:
# config t
(config)# int dot11radio0
(config-if)# station role root
(config-if)# station role repeater
(config-if)# end
2.5.2 Channel setup
The channel setting is an important one, as it defines the basic identification of the communications channel. In Europe there are 14 channels available, which limits the number of simultaneous connections; each channel is numbered from 1 to 14, and each has its own transmission/reception frequency, as illustrated in Figure 2.9. Careful planning of these channels is important, especially in creating wireless domains which overlap, as this allows users to roam around the physical space. The example in Figure 2.9 shows that it is possible to achieve good coverage, without overlapping domains using the same frequency, with just three channels.
Figure 2.9: Channels in an area
Channel 1: 2412MHz
Channel 2: 2417MHz
Channel 3: 2422MHz
Channel 4: 2427MHz
Channel 5: 2432MHz
Channel 6: 2437MHz
Channel 7: 2442MHz
Channel 8: 2447MHz
Channel 9: 2452MHz
Channel 10: 2457MHz
Channel 11: 2462MHz
Channel 12: 2467MHz
Channel 13: 2472MHz
Channel 14: 2484MHz
The D0 channel command takes an argument in the range <1-2472>.
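As an added example (not from the course notes), the following Python checks a channel plan against the 22MHz channel width shown in the DSSS figure and the channel/frequency table above, and picks a set of mutually non-overlapping channels; the cell names, the neighbour pairs and the greedy picker are constructed for illustration.

```python
# Added example, not from the course notes. Assumptions: DSSS channels are
# 22 MHz wide (centre +/- 11 MHz) and two cells whose coverage areas touch
# must not share any spectrum. Cell names and neighbour pairs are made up.

# Centre frequencies from the channel table: 5 MHz spacing, channel 14 at 2484.
CHANNEL_MHZ = {ch: 2412 + 5 * (ch - 1) for ch in range(1, 14)}
CHANNEL_MHZ[14] = 2484
CHANNEL_WIDTH_MHZ = 22


def channel_band(ch):
    """Return the (low, high) edge frequencies in MHz of a channel."""
    centre = CHANNEL_MHZ[ch]
    half = CHANNEL_WIDTH_MHZ / 2
    return centre - half, centre + half


def channels_overlap(a, b):
    """True if the 22 MHz bands of channels a and b share any spectrum."""
    a_low, a_high = channel_band(a)
    b_low, b_high = channel_band(b)
    return a_low < b_high and b_low < a_high


def non_overlapping_sets(channels=range(1, 15)):
    """Greedily pick mutually non-overlapping channels, lowest number first."""
    chosen = []
    for ch in channels:
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def check_plan(cells, neighbours):
    """cells: {cell_name: channel}; neighbours: (cell_a, cell_b) pairs whose
    coverage areas touch. Returns one conflict string per overlapping pair."""
    conflicts = []
    for a, b in neighbours:
        ca, cb = cells[a], cells[b]
        if channels_overlap(ca, cb):
            conflicts.append(f"{a} (ch {ca}) overlaps {b} (ch {cb})")
    return conflicts


# Constructed corridor with four access points; the good plan reuses the
# 1/7/13 pattern from the figure, the bad plan puts channel 4 beside channel 1.
CELLS = {"AP1": 1, "AP2": 7, "AP3": 13, "AP4": 1}
BAD_CELLS = {"AP1": 1, "AP2": 4, "AP3": 13, "AP4": 1}
NEIGHBOURS = [("AP1", "AP2"), ("AP2", "AP3"), ("AP3", "AP4"), ("AP1", "AP3")]

if __name__ == "__main__":
    print("Non-overlapping channels (1-14):", non_overlapping_sets())
    print("Non-overlapping channels (1-13):", non_overlapping_sets(range(1, 14)))
    print("Good plan conflicts:", check_plan(CELLS, NEIGHBOURS))
    print("Bad plan conflicts:", check_plan(BAD_CELLS, NEIGHBOURS))
```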
2.5.3 SSID
The radio SSID (Service Set ID) uniquely identifies a wireless network within a limited physical domain. It is set up within the access point with:
# config t
(config)# dot11 ssid fred
(config-ssid)# guest-mode
(config-ssid)# exit
(config)# int d0
(config-if)# ssid fred
(config-if-ssid)# guest-mode
which sets up an SSID of fred, and allows guest-mode. Along with the SSID it is also possible to define a beacon time, where a beacon signal is sent out at a given time interval, such as:
# config t
(config)# int d0
(config-if)# beacon ?
  dtim-period  dtim period
  period       beacon period
(config-if)# beacon period ?
  <20-4000>  Kusec (or msec)
(config-if)# beacon period 1000
which defines a beacon period of 1000 ms (1 second). The beacon allows the access point to send out details such as:
Beacon interval. This defines the time between the beacon transmissions.
Capability Information. This defines the capabilities that are supported, such as whether WEP or TKIP must be used.
Parameter Sets. This defines signalling information, such as for FHSS and DSSS, and radio channel information. A beacon belonging to a frequency hopping network indicates the hopping pattern and dwell time.
SSID. This defines the SSID of the connection, so that the client can detect the range of SSIDs to connect to. For security, some SSIDs are not sent in a beacon.
Supported rates. This defines the rates that are supported, such as 1, 2, 5.5, 11 and 52 Mbps.
Timestamp. This allows for time synchronisation between the access point and the client.
2.5.4 Fragment threshold
A wireless data frame can have up to 2312 data bytes in the data payload. This large amount could hog the bandwidth, and not give an even share to all the nodes on the network, as illustrated in Figure 2.10. Researchers have argued that creating smaller data frames, often known as cells, is more efficient in using the available bandwidth, and also for switching data frames. Thus wireless systems provide a fragment threshold, above which larger data frames are split into smaller parts, as illustrated in Figure 2.11. An example of the configuration is:
# config t
(config)# int dot11radio0
(config-if)# fragment-threshold ?
  <256-2346>
(config-if)# fragment-threshold 700
Figure 2.10/2.11 (placeholder): data packets are split into 1500 byte data frames (MTU).
2.5.5 RTS/CTS threshold
The RTS threshold prevents the Hidden Node problem, where two wireless nodes are within range of the same access point, but are not within range of each other, as illustrated in Figure 2.12. As they do not know that they both exist on the network, they may try to communicate with the access point at the same time. When they do, their data frames may collide when arriving simultaneously at the access point, which causes a loss of data frames from the nodes. The RTS threshold tries to overcome this by enabling the handshaking signals of Ready To Send (RTS) and Clear To Send (CTS). When a node wishes to communicate with the access point, it sends an RTS signal to the access point. Once the access point determines that it can communicate, it sends a CTS signal. The node can then send its data, as illustrated in Figure 2.13. The RTS threshold determines the data frame size that is required in order for a node to send an RTS to the access point. The default value is 4000.
# config t
(config)# int dot11radio0
(config-if)# rts ?
  retries    RTS max retries
  threshold  RTS threshold
(config-if)# rts threshold ?
  <0-2347>  threshold in bytes
(config-if)# rts threshold 2000
Figure 2.12: Hidden node problem
Figure 2.13: RTS/CTS operation (the node sends RTS (Ready To Send), the access point replies with CTS (Clear To Send), and the data is then transmitted)
RTS retries defines the number of times that a node can transmit an RTS signal before it stops sending the data frame. Values range from 1 to 128. For example:
# config t
(config)# int dot11radio0
(config-if)# rts retries ?
  <1-128>  max retries
(config-if)# rts retries 10
2.5.6 Power settings
The power of the access point, and also of the clients, is important, as it defines the coverage of the signal, and must also be within the required health and safety limits. The more radio power that is used to transmit the signal, the wider the scope of the wireless network. Unfortunately, the further that the signal goes, the more chance that an intruder can pick up the signal, and, possibly, gain access to its contents, as illustrated in Figure 2.14. To control this power, the access point can set up its own radio power, and is also able to set the transmission power of the client adapter. An example of setting the local power, and the power of the client:
(config)# int dot11radio0
(config-if)# power local ?
  <1-50>   One of: 1 5 20 30 50
  maximum  Set local power to allowed maximum
(config-if)# power local 30
(config-if)# power client ?
  <1-50>   One of: 1 5 20 30 50
  maximum  Set client power to allowed maximum
(config-if)# power client 10
Figure 2.14 Power transmission
On the client, especially with portable devices, the power usage of the radio port is important. Thus there are typically power settings, such as:
CAM (Constant awake mode). Used when power usage is not a problem.
PSP (Power save mode). Power is conserved as much as possible. The card will typically go to sleep, and will only be awoken by the access point, or if there is activity.
FastPSP (Fast power save mode). This uses both CAM and PSP, and is a compromise between the two.
2.5.7 Authentication algorithm
This sets whether the client adapter uses an open system (where any node can connect to the access point without providing any authentication details), or uses authentication (such as usernames and passwords, or digital certificates). This area will be covered in a future unit. An example of open authentication is:
# config t
(config)# dot11 ssid fred
(config-ssid)# authentication ?
  client          LEAP client information
  key-management  key management
  network-eap     leap method
  open            open method
  shared          shared method
(config-ssid)# authentication open
(config-ssid)# exit
(config)# int d0
(config-if)# ssid fred
2.5.8 Maximum associations
A particular problem in wireless networks is that the access point may become overburdened with connected clients. This could be due to an attack, such as DoS (Denial of Service), or due to poor planning. To set the maximum number of associations, the max-associations command is used within the SSID setting:
# config t
(config)# dot11 ssid fred
(config-ssid)# max ?
  <1-255>  association limit
(config-ssid)# max 100
(config-ssid)# exit
(config)# int dot11radio0
(config-if)# ssid fred
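As an added example (not from the course notes), this Python script reads a constructed running-config-style text for the SSID settings covered in 2.5.3, 2.5.7 and 2.5.8, and reports which SSIDs bound to the radio use open authentication, are advertised through guest-mode, or have no max-associations limit; the SSID names and the eap_methods list name are made up for the example.

```python
# Added example, not from the course notes. Assumptions: the text follows the
# running-config layout where "dot11 ssid <name>" opens an indented block that
# ends at a "!" line, and the Dot11Radio interface block lists the SSIDs bound
# to it. The SSID names and "eap_methods" below are constructed.

SAMPLE_CONFIG = """\
dot11 ssid fred
   authentication open
   guest-mode
!
dot11 ssid eng
   authentication network-eap eap_methods
   max-associations 60
!
dot11 ssid old
   authentication shared
   max-associations 20
!
interface Dot11Radio0
 ssid fred
 ssid eng
!
"""


def parse_ssids(config_text):
    """Return ({ssid: settings}, {ssids bound to the radio}) from the text."""
    ssids, bound = {}, set()
    current, in_radio = None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("dot11 ssid "):
            current, in_radio = line.split(None, 2)[2], False
            ssids[current] = {"auth": None, "guest": False, "max": None}
        elif line.startswith("interface Dot11Radio"):
            current, in_radio = None, True
        elif line == "!":
            current, in_radio = None, False
        elif current is not None:
            if line.startswith("authentication "):
                ssids[current]["auth"] = line.split()[1]
            elif line == "guest-mode":
                ssids[current]["guest"] = True
            elif line.startswith("max-associations "):
                ssids[current]["max"] = int(line.split()[1])
        elif in_radio and line.startswith("ssid "):
            bound.add(line.split(None, 1)[1])
    return ssids, bound


def audit(config_text):
    """Return (ssid, finding) pairs for SSIDs actually bound to the radio."""
    ssids, bound = parse_ssids(config_text)
    findings = []
    for name in sorted(bound):
        s = ssids.get(name)
        if s is None:
            findings.append((name, "bound to radio but not defined"))
            continue
        if s["auth"] in (None, "open"):
            findings.append((name, "open authentication: any node can associate"))
        if s["guest"]:
            findings.append((name, "guest-mode: SSID is advertised in beacons"))
        if s["max"] is None:
            findings.append((name, "no max-associations limit set"))
    return findings


if __name__ == "__main__":
    for ssid, finding in audit(SAMPLE_CONFIG):
        print(f"{ssid}: {finding}")
```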
2.5.9 Speed
In some networks it is necessary to define the transmission speeds for the nodes, especially to limit their transmission rates. For this the speed command can be used to fix the transmit speed with:
(config)# int dot11radio0
(config-if)# speed ?
  1.0         Allow 1 Mb/s rate
  11.0        Allow 11 Mb/s rate
  2.0         Allow 2 Mb/s rate
  5.5         Allow 5.5 Mb/s rate
  basic-1.0   Require 1 Mb/s rate
  basic-11.0  Require 11 Mb/s rate
  basic-2.0   Require 2 Mb/s rate
  basic-5.5   Require 5.5 Mb/s rate
  range       Set rates for best range
  throughput  Set rates for best throughput
  <cr>
(config-if)# speed 1.0
2.5.10 Preamble
The preamble is sent out by a client to tell other clients that it is about to transmit. It can either be set to long (which is the default) or short. A long preamble allows for interoperability with the 1Mbps and 2Mbps DSSS specifications. The short preamble allows for faster operation (as the preamble is kept to a minimum), and can be used where the transmission parameters must be maximized and there are no interoperability problems. To set a short preamble:
# config t
(config)# int dot11radio0
(config-if)# preamble-short
(config-if)# end
Figure 2.15: Preamble
2.6 Reference
D0 commands:
access-expression
antenna
arp
bandwidth
beacon
bridge-group
broadcast-key
carrier-delay
cdp
channel
countermeasure
crypto
custom-queue-list
default
delay
description
dot11
dot1x
encryption
exit
fair-queue
fragment-threshold
help
hold-queue
infrastructure-client
ip
keepalive
l2-filter
load-interval
logging
loopback
mac-address
max-reserved-bandwidth
mtu
no
ntp
packet
parent
payload-encapsulation
power
preamble-short
priority-group
random-detect
rts
service-policy
shutdown
snmp
speed
ssid
station-role
timeout
traffic-class
transmit-interface
tx-ring-limit
world-mode
SSID commands:
accounting           radius accounting
authentication       authentication method
exit                 Exit from ssid sub mode
guest-mode           guest ssid
infrastructure-ssid  ssid used to associate to other infrastructure devices
ip                   IP options
max-associations     set maximum associations for ssid
no                   Negate a command or set its defaults
vlan                 bind ssid to vlan
wpa-psk              Configure Wi-Fi Protected Access pre-shared key
Copyright statement
This unit has been designed as an integrated unit, and should not
be modified without the author's consent.
Prof Bill Buchanan, Sept 2008
3.1 Introduction
This unit provides a foundation in some of the key issues related to wireless
networks, especially related to the infrastructure of the network. The basic elements
of any type of network infrastructure are:
Core. Provides optimal transport between sites, which provides fast wide-area
connections between geographically remote sites within an organization.
Normally these are point-to-point links between routers. Typically connections
are T1/T3, ATM, Frame Relay and SMDS, and are often provided by
telecommunications provider. The core layer provides low latency connections
between remote sites, and does not generally implement any filtering of the
traffic (such as with firewalls or ACLs). If possible, there should be redundant
paths which can be switched-in when a route becomes unavailable, or slows
down. Redundant paths can also be used to share traffic loads. Along with this
there should be rapid convergence of the network.
Distribution. Provides policy-based connectivity, which connects multiple LANs
into a larger network infrastructure, such as an organizational backbone
between buildings. Typically, connections to the LANs are with Fast Ethernet, or
even Gigabit Ethernet, and to the core layer with ATM, FDDI and SMDS. This
layer also provides the demarcation point between the access and core layers and
thus helps to define the operation of the core, and isolate it from the access layer.
At this layer data packets can be filtered using a policy-based system (such as
with a firewall). At this level campus-wide networks would be implemented,
with the possibility of campus-wide servers, and to improve robustness, it is
unlikely that nodes would connect directly onto the distribution layer. In a non-campus-based network, this would be the layer at which remote sites would
connect to each other. Typical functions include: concentration of LANs, access to
the core layer, VLAN routing, media translations (such as between Frame Relay
and Ethernet) and security.
Access. For wireless clients this is the layer at which they normally connect to,
and provides workgroup and user access to the network. There can be some
policy-based filtering of network traffic at this layer, which will refine the access
control implemented at the distribution level. At this layer, the filter will typically
be based on user access (such as whether certain individuals are allowed access
to certain services). The main functions at this layer are: shared bandwidth (using
hubs), switched bandwidth (using switches), MAC-layer filtering (forwarding based
on MAC address, such as in a switch or a bridge), isolating broadcast
traffic, creating workgroups, and microsegmentation.
Figure 3.1 Core, distribution and access layers
At present wireless devices are used mostly for access to the network infrastructure,
but, in the future, once key issues on network throughput, robustness, security and
authentication have been solved, they may move more towards the core of the
network infrastructure. In fact, with the standards for encryption and authentication
being robustly applied in wireless system, they can actually be more secure than in
traditional fixed networks.
It is possible to define up to four parents, so that if the repeater fails to associate with
one, it can use the others. In most cases the Cisco Aironet extensions must be enabled, as they aid the
association process, but this can cause incompatibility problems with non-Cisco
devices.
The repeater will start with the first parent, and, if it cannot connect, it will then try
the next parent, and so on. Overall, repeaters are fairly good at extending the range
of a wireless network, but they reduce the throughput, as bandwidth is wasted in
relaying data from repeaters. As a best case, the actual throughput will be reduced
by at least half.
(Figure: a root access point on the fixed network, and a repeater. The root is set with
station-role root and the repeater with station-role repeater:)
# config t
(config)# int dot11radio0
(config-if)# station-role root
(config-if)# station-role repeater
(config-if)# end
The hot standby device has a different IP address, as the same address would cause a conflict when the
two devices are operating at the same time, but, for the sake of seamless operation,
the hot standby device is set up with the following settings identical to the main device:
SSID.
IP subnet Mask.
Default gateway.
Data rates.
Encryption and authentication settings.
(Figure: main device and hot standby device. The standby device listens for activity, and
devices automatically associate with the standby device when the main one fails.)
Figure 3.3 Repeater or root
3.5 Bridging
In the same way that an Ethernet bridge works, a wireless bridge can be used to
interconnect two or more networks. They are typically used in hard-to-wire places,
or where cable runs would spoil the look of the environment. The basic modes
include:
A good example of a wireless bridge is the Cisco Aironet 350 workgroup bridge
(WGB), which connects an Ethernet network to a wireless access point. Figure 3.4
shows an example of a remote workgroup which connects to a fixed network using a
wireless bridge. The bridge has the advantage over a repeater in that the bridge can
learn the structure of the network, and the devices which connect, and can thus learn
which data frames to forward over the bridge, and which not to. A repeater,
unfortunately, blindly forwards data frames without checking their destination. It
can be seen in Figure 3.4 that a broadcast is sent over the bridge and onto every
device within the broadcast domain. This domain is bounded by routers, which do
not forward broadcasts. Figure 3.5 shows an example of a point-to-multipoint bridge,
where three bridges are used to bridge three LANs.
(Figures 3.4 and 3.5: a hub (up to eight devices) behind a wireless bridge, connecting
through an access point; the broadcast domain extends across the bridge. Figure 3.5
bridges LAN A, LAN B and LAN C.)
3.6 SWAN
In large campus area networks, it is important that mobile nodes are able to migrate
from one access point to another. If possible they must hand the current context from
one access point to the other.
WLCCP establishes and manages wireless network topologies in a SWAN (Smart
Wireless Architecture for Networking). It securely manages an operational context for
mobile clients, typically in a campus-type network. In the registration phase, it can
automatically create and delete network links, and securely distribute operational
context, typically with Layer 2 forwarding paths.
With WLCCP, a sole infrastructure node is defined as the central control point within
each subnet, and allows access points and mobile nodes to select a parent node for a
least-cost path to the backbone connection. An example is:
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication login testi group radius
(config)# aaa authentication login testc group radius
(config)# wlccp wds priority 200 interface bvi1
(config)# wlccp authentication-server infrastructure testi
(config)# wlccp authentication-server client any testc
(config-wlccp-auth)# ssid testing
which defines that the authentication of infrastructure devices is done using the
server group testi, and that client devices using the testing SSID are authenticated
using the server group of testc.
This type of authentication is not the most secure but it offers a simple way to block
access to the access point. Thus, when the user tries to access the wireless access
point they will not be allowed to connect unless they have the correct username and
password, as shown in Figure 3.6. If the user has the correct username and
password, the Web page will show the device settings (left-hand side of Figure 3.7),
otherwise there will be an authentication failure (right-hand side of Figure 3.7).
Figure 3.6 Local authentication
Once the HTTP port has been changed, it is no longer possible to access the Web page on
the standard port (80), and the URL must include a colon and the port number, as shown
in Figure 3.8. Often a new HTTP port is required (to stop users from trying to access
the Web page). Thus to change the TCP port:
# config t
(config)# ip http port 8080
(config)# ip http max-connections 7
Figure 3.8
Access to the Web server can be restricted by defining an ACL, such as that only one
host is allowed to connect:
Along with this, HTTP is seen as an insecure protocol, so it can be replaced with
HTTPS with:
(config)# ip http secure-server
% Generating 1024 bit RSA keys ...[OK]
(config)# ip http secure-port ?
  <0-65535>  Secure port number(above 1024 or default 443)
(config)# ip http secure-port 443
The data transferred between the client and server will then be encrypted. To verify
the details:
ap#sh ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:/c1200-k9w7-mx.123-8.JA/html/level/1;zflash:/c1200-k9w7-mx.123-8.JA/html/level/1;flash:/c1200-k9w7-mx.123-8.JA/html/level/15;zflash:/c1200-k9w7-mx.123-8.JA/html/level/15;flash:/c1200-k9w7-mx.123-8.JA/html;zflash:/c1200-k9w7-mx.123-8.JA/html;flash:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 120 seconds
Server life time-out: 120 seconds
Maximum number of requests allowed on a connection: 60
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
ap#sh ip http server conn
HTTP server current connections:
local-ipaddress:port  remote-ipaddress:port  in-bytes  out-bytes
10.0.0.1:443          10.0.0.2:1082          266       52587
10.0.0.1:443          10.0.0.2:1083          2493      67032
Figure 3.9 HTTPS
3.8 SNMP
SNMP (Simple Network Management Protocol) is a well-supported standard which
can be used to monitor and control devices. It typically runs on hubs, switches and
bridges. Many SNMP devices provide both general network management and device
management through a serial cable, modem, or over the network from a remote
computer. It involves a primary management station communicating with different
management processes. Figure 3.10 shows an outline of an SNMP-based system. An
SNMP agent runs SNMP agent software. An SNMP server sends commands
to the agent, which responds with the results. In this figure the server asks the
agent for its routing information and the agent responds with its routing table. These
responses can either be polled (the server sends a request for information) or
interrupt-driven (where the agent sends its information at given events, known as
traps). A polled system tends to increase network traffic as the agent may not have
any updated information (and the server must re-poll for the information).
The SNMP protocol was initially based on RFC1157 and defines a simple protocol
which gives access to a network element's management information base (MIB).
There are two types of MIB: MIB-1 and MIB-2.
MIB-1 was defined in 1988 and has 114 table entries, divided into two groups. MIB-2
is a 1990 enhancement which has 171 entries organized into 10 groups (RFC 1213).
Most devices are MIB-1 compliant, and newer ones comply with both MIB-1 and MIB-2.
The database contains entries with four fields:
Access field. Defines whether the value is read-only, read/write, write-only or not
accessible.
Status field. Contains an indication of whether the entry in the MIB is
mandatory (the managed device must implement the entry), optional (the
managed device may implement the entry) or obsolete (the entry is not used).
SNMP is a very simple protocol but suffers from the fact that it is based on
connectionless, unreliable UDP. The two main versions of SNMP are SNMP Ver. 1
and SNMP Ver. 2. SNMP has added security to stop intruders determining network
loading or the state of the network. The SNMP architecture is based on a collection
of:
(Figure 3.10: SNMP-managed devices, each running managed agent software (an SNMP
agent with its MIB), and SNMP server software, which requests, for example, the
routing table from an agent.)
3.8.1 Protocol specification
UDP port 161. For all messages apart from report traps (Trap-PDU).
UDP port 162. Report trap messages.
MIB-2 added a number of groups, including system, interfaces, at, ip, icmp, tcp, udp,
egp, and snmp (see Figure 3.11).
(Figure 3.11: MIB-2 groups held in an SNMP agent's MIB.)
System: sysObjectID, sysUpTime, sysContact, sysName, sysLocation.
Interfaces: ifNumber, ifTable.
At (address translation): atTable.
Ip: ipForwarding, ipDefaultTTL, ipInReceives, ipInHdrErrors, etc.
ICMP: icmpInMsgs, icmpInErrors, etc.
TCP: tcpRtoAlgorithm, tcpRtoMin, tcpRtoMax, etc.
UDP: udpInDatagrams, udpNoPorts, udpInErrors, etc.
SNMP: snmpInPkts, snmpOutPkts, etc.
3.8.2
The RO defines read-only access, while RW defines read-write access. To set up the
SNMP contact, and the location:
(config)# snmp-server contact fred smith
(config)# snmp-server location room c6
show snmp
show snmp engine
show snmp group
show snmp mib
3.8.3
The MIB tree structure is defined by a long sequence of numbers separated by dots,
such as .1.3.6.1.2.1.1.4.0 (where the .0 represents an end node). This number is called
an Object Identifier (OID), and is a numerical representation of the MIB tree
structure, where each digit represents a node in this tree structure. The trunk of the
tree is on the left; the leaves are on the right, as illustrated in Figure 3.12 and Figure
3.13. Figure 3.14 shows an example of an access to a Cisco Aironet Wireless Access
Point.
(Figure 3.12: the OID tree, with the trunk on the left and the leaves on the right.)
.0 CCITT
.1 ISO
  .3 ISO (org)
    .6 DOD
      .1 Internet
        .1 Directory
        .2 Management
          .1 mib-2
            .1 System MIB: sysDescr (1), sysObjectID (2), sysUpTime (3), sysContact (4),
               sysName (5), sysLocation (6), sysServices (7)
        .3 Experimental
        .4 Private
Example: .1.3.6.1.2.1.1.4.0 (sysContact, instance .0)
Figure 3.13 SNMP object ID
(Figure 3.14: walking the tree down to one object.)
iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1).icmp(5).icmpInMsgs(1)
Description          Object ID
Hostname             .1.3.6.1.2.1.1.5.0
Uptime               .1.3.6.1.2.1.1.3.0
System Description   .1.3.6.1.2.1.1.1.0
System Contact       .1.3.6.1.2.1.1.4.0
System Location      .1.3.6.1.2.1.1.6.0
IOS Version          .1.3.6.1.4.1.9.9.25.1.1.1.2.5
1-Minute CPU Util.   .1.3.6.1.4.1.9.2.1.57.0
5-Minute CPU Util.   .1.3.6.1.4.1.9.2.1.58.0
Free memory          .1.3.6.1.4.1.9.2.1.8.0
IOS feature set      .1.3.6.1.4.1.9.9.25.1.1.1.2.4
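The walk from trunk to leaf described above can be done in code. The following is an added example, not part of the module: it decodes a numeric OID into the named path of Figures 3.12 to 3.14 by walking a small, hand-built subset of the registration tree (MIB_TREE is a constructed subset covering only the arcs the figures and the table above mention). Sub-identifiers below the last known node are kept numeric, so the trailing .0 instance index and the Cisco private branch still show.

```python
"""Decode numeric SNMP OIDs into named paths (added example; MIB_TREE is a
constructed subset of the registration tree, not a full MIB)."""
from typing import List

# Each node is (name, children); children map a sub-identifier to a node.
MIB_TREE = {
    0: ("ccitt", {}),
    1: ("iso", {
        3: ("org", {
            6: ("dod", {
                1: ("internet", {
                    1: ("directory", {}),
                    2: ("mgmt", {
                        1: ("mib-2", {
                            1: ("system", {
                                1: ("sysDescr", {}),
                                2: ("sysObjectID", {}),
                                3: ("sysUpTime", {}),
                                4: ("sysContact", {}),
                                5: ("sysName", {}),
                                6: ("sysLocation", {}),
                                7: ("sysServices", {}),
                            }),
                            2: ("interfaces", {
                                1: ("ifNumber", {}),
                                2: ("ifTable", {}),
                            }),
                            5: ("icmp", {
                                1: ("icmpInMsgs", {}),
                            }),
                        }),
                    }),
                    3: ("experimental", {}),
                    4: ("private", {
                        1: ("enterprises", {
                            9: ("cisco", {}),
                        }),
                    }),
                }),
            }),
        }),
    }),
}


def parse_oid(oid: str) -> List[int]:
    """Turn '.1.3.6.1.2.1.1.4.0' into [1, 3, 6, 1, 2, 1, 1, 4, 0].
    Rejects anything that is not a dotted list of non-negative integers."""
    parts = oid.strip().strip(".").split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"malformed OID: {oid!r}")
    return [int(p) for p in parts]


def decode_oid(oid: str) -> str:
    """Walk MIB_TREE from the trunk (left) towards the leaves (right).
    Arcs beyond the last known node are emitted as numbers."""
    node = MIB_TREE
    names = []
    arcs = parse_oid(oid)
    for i, arc in enumerate(arcs):
        if arc in node:
            name, node = node[arc]
            names.append(name)
        else:
            names.extend(str(a) for a in arcs[i:])
            break
    return ".".join(names)


def is_cisco_enterprise(oid: str) -> bool:
    """True when the OID lies under iso.org.dod.internet.private.enterprises.cisco,
    i.e. the vendor-specific objects in the table above (CPU, memory, IOS version)."""
    return parse_oid(oid)[:7] == [1, 3, 6, 1, 4, 1, 9]


if __name__ == "__main__":
    for oid in (".1.3.6.1.2.1.1.4.0", ".1.3.6.1.2.1.5.1", ".1.3.6.1.4.1.9.2.1.58.0"):
        print(oid, "->", decode_oid(oid), "(cisco)" if is_cisco_enterprise(oid) else "")
```

The standard MIB-2 objects decode fully; the Cisco objects decode as far as enterprises.cisco and then stay numeric, which is exactly the information a monitoring tool needs to decide which vendor MIB to load.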
In the case of Figure 3.14, some of the SNMP values and variables are:
Variable = system.sysDescr.0
Value = Cisco Internetwork Operating System Software
IOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(11)JA, EARLY DEPLOYMENT
RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 23-May
Variable = interfaces.ifNumber.0, Value = 5
Variable = interfaces.ifTable.ifEntry.ifIndex.1, Value = 1
Variable = interfaces.ifTable.ifEntry.ifIndex.2, Value = 2
Variable = interfaces.ifTable.ifEntry.ifIndex.3, Value = 3
Variable = interfaces.ifTable.ifEntry.ifIndex.4, Value = 4
Variable = interfaces.ifTable.ifEntry.ifIndex.5, Value = 5
Variable = interfaces.ifTable.ifEntry.ifDescr.1, Value = Dot11Radio0
Variable = interfaces.ifTable.ifEntry.ifDescr.2, Value = FastEthernet0
Variable = interfaces.ifTable.ifEntry.ifDescr.3, Value = Null0
Variable = interfaces.ifTable.ifEntry.ifDescr.4, Value = BVI1
Variable = interfaces.ifTable.ifEntry.ifDescr.5, Value = Virtual-
which shows the interfaces and the description of the system. A sample MIB
infrastructure is shown in Figure 3.15, and the basic sequence of trapping an event,
and reacting to it, is shown in Figure 3.16.
(Figure 3.16: SNMP trap, Trap receiver, Rule processor, Action processor, Alert!)
3.9 Appendix
3.9.1
MIB-2: system
These include:
3.9.2
MIB-2: interfaces
3.9.3
MIB-2: at
atTable. This defines the addresses translations table, and each interface contains
one network address to physical address translation:
o atIfIndex. Interface index.
o atPhysAddress. Physical address of the interface.
o atNetAddress. Network address of the interface.
3.9.4
MIB-2: ip
ipForwarding. Defines whether the node is a gateway or not. It can be set to:
forwarding (for a gateway) or not-forwarding.
ipDefaultTTL. IP Time-to-live.
ipInReceives. The total number of IP packets (including ones in error).
ipInHdrErrors. Discarded IP packets, due to header problems.
ipInAddrErrors . Discarded IP packets, due to incorrect addresses (such as
0.0.0.0).
ipForwDatagrams. Number of IP packets which were forwarded.
ipInUnknownProtos. Number of IP packets with an unknown protocol.
ipInDiscards. Discarded packets due to processing problems, such as lack of
buffer memory.
ipInDelivers. Number of successfully delivered IP packets.
ipOutRequests.
ipOutDiscards.
ipOutNoRoutes. Discarded IP packets, due to there being no route for the packets.
ipFragOKs. Number of completed fragments.
ipFragFails. Number of unsuccessful fragments.
ipFragCreates. Number of fragments created.
ipAddrTable.
ipAddrEntry:
o ipAdEntAddr. Network address.
o ipAdEntIfIndex. Address index.
o ipAdEntNetMask. Subnet mask.
o ipAdEntBcastAddr. Broadcast address.
o ipAdEntReasmMaxSize.
ipRoutingTable:
o ipRouteDest. Destination address. A value of 0.0.0.0 is defined as a default
route.
o ipRouteIfIndex Route index.
o ipRouteMetric1. Route metric 1. If it is not used, the value is set to -1.
o ipRouteMetric2.
o ipRouteMetric3.
o ipRouteMetric4.
o ipRouteNextHop.
o ipRouteType. Route types are: other, invalid, direct and indirect.
o ipRouteProto. Protocol types are: other, local, netmgmt, icmp, egp, ggp,
hello, rip, is-is, es-is, ciscoIGRP, bbnSpfIgp, ospf and bgp.
o ipRouteAge.
o ipRouteMask.
o ipRouteMetric5.
ipRouteInfo:
o ipNetToMediaIfIndex. Route index.
o ipNetToMediaPhysAddress. Physical address.
o ipNetToMediaNetAddress. Network address.
o ipNetToMediaType. Set to other, invalid, dynamic or static.
3.9.5
MIB-2: icmp
icmpInMsgs.
icmpInErrors.
icmpInDestUnreachs.
icmpInTimeExcds
icmpInParmProbs
icmpInSrcQuenchs.
icmpInRedirects.
icmpInEchos.
icmpInEchoReps.
icmpInTimestamps.
icmpInTimestampReps.
icmpInAddrMasks.
icmpInAddrMaskReps.
icmpOutMsgs.
icmpOutErrors.
icmpOutDestUnreachs.
icmpOutTimeExcds.
icmpOutParmProbs.
icmpOutSrcQuenchs.
icmpOutEchos.
icmpOutEchoReps.
icmpOutTimestamps.
icmpOutTimestampReps.
icmpOutAddrMasks.
icmpOutAddrMaskReps.
3.9.6
MIB-2: Tcp
3.9.7
MIB-2: Udp
udpInDatagrams.
udpNoPorts.
udpInErrors
udpOutDatagrams
udpTable:
o udpLocalAddress
o udpLocalPort
3.9.8
snmp
snmpInPkts.
snmpOutPkts.
snmpInBadVersions.
snmpInBadCommunityNames.
snmpInBadCommunityUses.
snmpInASNParseErrs.
snmpInTooBigs.
snmpInNoSuchNames.
snmpInBadValues.
snmpInReadOnlys.
snmpInGenErrs.
snmpInTotalReqVars.
snmpInTotalSetVars.
snmpInGetRequests.
snmpInGetNexts.
snmpInSetRequests.
snmpInGetResponses.
snmpInTraps.
snmpOutTooBigs.
snmpOutNoSuchNames.
snmpOutBadValues.
snmpOutGenErrs.
snmpOutGetRequests.
snmpOutGetNexts.
snmpOutSetRequests.
snmpOutGetResponses.
snmpOutTraps.
snmpEnableAuthenTraps.
4.1 Introduction
The key elements of wireless security are:
Authentication. This is used to identify the user, the wireless client and the
wireless access point.
Authorization. This is used to determine the users and wireless devices that have
the authorization to connect to the network.
Accounting. This is used to log information on the usage of the network, and
may set restrictions of the access, and, possibly, charge for the usage.
Assurance. This defines that the data that is received and transmitted has not
been changed in any way.
Confidentiality. This allows the details of the connection to be kept secret. It
typically involves securing the contents of the transmitted data, but may also
include hiding the source and destination addresses, and the TCP ports used for
the connection. In most wireless networks, private key encryption, either
with WEP (Wireless Encryption Protocol) or TKIP (Temporal Key Integrity
Protocol), is used to protect confidentiality.
Data Integrity. This gives an assurance that the data that is transmitted or
retrieved is free from errors, and should be taken as the same as being the
original data. Typically data integrity is achieved at differing levels, such as error
detection bits in the data frame, check sums within the IP and TCP headers, and
also higher-level protocol errors.
(Figure 4.1: a gateway and main firewall with a DMZ in front of the core network; a
wireless access point provides network access, so external devices get behind the
firewall.)
4.2.1
IEEE 802.11 uses frequencies around the 2.4 GHz (for IEEE 802.11b) and 5 GHz (for
IEEE 802.11a) radio spectrum. These frequencies can be affected by other
radio equipment, and can be jammed by a radio transmitter which
transmits on the radio frequencies used by a network. It is thus not recommended in
military networks (Figure 4.3), or in safety critical systems.
4.2.2 Denial-of-service attacks
As wireless access points are fairly public in the way that they can be accessed, they
can be open to attacks from intruders. A common one is a denial-of-service (DOS)
attack, where an intruder continually tries to connect to a WAP, which means that the
device spends as much time setting up the intruder's connections as it does on its other
connections (Figure 4.3). The quality of service (QoS) will thus reduce for other
clients which connect to the WAP. In the most extreme case, it may be possible for
an intruder to reduce the data throughput to the WAP to almost zero. Along with a
DOS attack, it is also possible for an intruder, once connected to the WAP, to
continually upload/download files and thus use up much of the available
bandwidth. This is known as deprivation of service (DepS), and also results in a
reduction in the QoS. It can, though, be overcome by not allowing clients to connect
unless they are a valid device, and also by monitoring downloads and bandwidth usage.
A key factor for both the DoS and DepS attacks is for the administrator to set up
system logs which monitor the usage of the wireless network. This includes both
successful and unsuccessful login attempts.
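The system logs mentioned above are only useful if something reads them. The following is an added example, not part of the module: a small detector that reads access-point syslog lines, records the successful associations, and flags any station that produces a burst of failed authentications inside a sliding time window, which is the signature of the repeated connection attempts described above. The log lines are constructed for the example; the message codes (DOT11-6-ASSOC, DOT11-7-AUTH_FAILED), hostnames and MAC addresses are assumptions modelled on Cisco IOS access-point syslog text, not captured output.

```python
"""Flag association/authentication floods in access-point syslog (added
example; SAMPLE_LOG and the message codes in it are constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample: one station fails authentication five times in four
# seconds, two stations associate normally, one fails once much later.
SAMPLE_LOG = """\
Oct  1 10:00:01 ap1 %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0011.2233.4455 Associated
Oct  1 10:00:02 ap1 %DOT11-7-AUTH_FAILED: Station 00aa.bbcc.dd01 Authentication failed
Oct  1 10:00:02 ap1 %DOT11-7-AUTH_FAILED: Station 00aa.bbcc.dd01 Authentication failed
Oct  1 10:00:03 ap1 %DOT11-7-AUTH_FAILED: Station 00aa.bbcc.dd01 Authentication failed
Oct  1 10:00:04 ap1 %DOT11-7-AUTH_FAILED: Station 00aa.bbcc.dd01 Authentication failed
Oct  1 10:00:05 ap1 %DOT11-7-AUTH_FAILED: Station 00aa.bbcc.dd01 Authentication failed
Oct  1 10:00:06 ap1 %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0011.2233.4466 Associated
Oct  1 10:05:00 ap1 %DOT11-7-AUTH_FAILED: Station 00aa.bbcc.dd02 Authentication failed
"""

# Syslog timestamp, host, %FACILITY-SEV-MNEMONIC, and the station MAC in
# Cisco dotted-quad form (xxxx.xxxx.xxxx).
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"%(?P<code>[A-Z0-9_-]+):.*?Station\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, message code, station MAC) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The syslog timestamp carries no year; a fixed year keeps ordering correct.
    ts = datetime.strptime(f"2008 {m['mon']} {int(m['day'])} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["code"], m["mac"].lower()


def flood_sources(log: str, threshold: int = 5, window_s: int = 60) -> Dict[str, int]:
    """Stations with at least `threshold` failed authentications inside any
    sliding window of `window_s` seconds, mapped to the peak count seen."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != "DOT11-7-AUTH_FAILED":
            continue
        ts, _, mac = rec
        q = recent[mac]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop old events
            q.popleft()
        if len(q) >= threshold:
            peaks[mac] = max(peaks.get(mac, 0), len(q))
    return peaks


def successful_associations(log: str) -> List[str]:
    """Stations that associated: the text asks for successes to be logged too."""
    return [rec[2] for rec in map(parse_line, log.splitlines())
            if rec and rec[1] == "DOT11-6-ASSOC"]


if __name__ == "__main__":
    print("associated:", successful_associations(SAMPLE_LOG))
    print("flooding:", flood_sources(SAMPLE_LOG))
```

The threshold and window are the tuning knobs: a legitimate client with a mistyped key will fail a few times and stop, whereas a flood keeps the window full. The same structure works for deprivation of service by swapping the failure count for bytes transferred per station.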
4.2.3 Spoofing attacks
Many wireless networks use DHCP to allocate network addresses, where a device
passes a MAC address and gains an IP address if it has been registered in the DHCP
database. With this, only valid MAC addresses will be given an IP address.
Unfortunately this type of authorization can be breached by an intruder who
determines valid MAC addresses, and uses intruder software to pass a valid MAC
address to the WAP (Figure 4.4). It will then be allocated a valid IP address.
Along with this, it is possible, in some wireless networks, to set up a valid IP address
on the wireless client and allow it to connect to the network.
Along with clients spoofing themselves, another problem can be where a rogue
access point is set up for clients to connect to, as many clients are set up to connect to
the access point with the strongest signal. The rogue device can thus overcome
any encryption that a client might use.
(Figure 4.4: deprivation of service, where a connected client continually downloads, and
denial-of-service, where continual connection requests ("Connect?") are sent to the
wireless access point; in both cases users are deprived of bandwidth.)
(Figure: wireless security methods. IPSec standards for VPNs (limited to IP; required
for public access systems); encryption: WEP (Wireless Encryption Protocol), EAPS
(Extensible Authentication Protocol), IEEE 802.11i.)
4.4 WEP
Wireless encryption, such as WEP and TKIP, only encrypts the data between the
wireless clients, and once on a wired network it will not apply. WEP uses a shared
encryption key which produces an infinitely long bit stream key (using RC4) which is
Exclusive-OR-ed with the data stream. Unfortunately it has many weaknesses. The two
main key sizes are:
64-bit WEP. Data encryption with an access point using a 64-bit key.
128-bit WEP. Data encryption with an access point using a 128-bit key.
Figure 4.7 shows that it is possible to set the encryption key as a pass phrase or
manually. For 64-bit encryption, 5 alphanumeric characters or 10 hexadecimal digits
are used to define the encryption key, and for 128-bit encryption the key is specified
with 13 alphanumeric characters or 26 hexadecimal digits. The system will only
use one of the four keys for its encryption. All the stations and the connected access
point, if connected, must use the same encryption key. For example a 64-bit key
could be:
Edin1
whereas 128-bit encryption could use:
Edinburgh Net
This encryption can be optional (only used if necessary) or mandatory (where it will
only ever use encryption).
(Figure 4.7: the pass phrase napier01 is used to generate the key, giving 40-bit keys
(24 bits for the IV) or 104-bit keys (24 bits for the IV). No standard exists to define
how the WEP key is created from the pass phrase.)
The 64-bit encryption uses a 24-bit initialization vector (IV), and a 40-bit secret
shared encryption key (Figure 4.8). WEP then uses the IV to generate the encryption
seed key. From this it uses the RC4 algorithm to generate an infinite pseudo-random key
(Figure 4.9) which is EX-ORed with the data stream. The IV thus lengthens the
seed value, and changes the key for every data packet.
Unfortunately the IV is a 24-bit value which is sent as cleartext. There are thus
only $2^{24}$ vectors (16,777,216). Thus, if we use 1500 byte packets, the time to send each
packet is:
$\frac{1500 \times 8}{11 \times 10^{6}} = 1.1\ \mathrm{ms}$
Thus, if the device is continually sending, the same vector will repeat after:
$1.1\ \mathrm{ms} \times 16{,}777{,}216 = 18{,}302.4\ \mathrm{s}$
which is about 5 hours. The intruder then takes the two cipher texts which have been
encrypted with the same key, and performs a statistical analysis on them. Figures 4.10 to 4.12 show the method that packages such as AirSnort use to detect the WEP key.
(Figure 4.8: the 24-bit initialization vector and the 40-bit encryption key.)
(Figure 4.9: the sender and the receiver each expand the short key into an infinite
pseudo-random key, which is X-ORed with the data stream, for example:
  data stream  10100101000101010101...
  key stream   01111010100101000101...
  ciphertext   11011111100000010000...
The receiver X-ORs the same key stream with the ciphertext to recover the data.)
(Figures 4.10 to 4.12: an eavesdropper can detect the key if it can read two streams
(A and B, or C and D) encoded with the same key, since X-ORing the two ciphertexts
cancels the key stream.)
(Figure 4.13 IV vectors: for the plaintext "Hello How", IV=0 gives the ciphertext
%4$9h-=+, IV=1 gives 76504fgh==, and so on up to IV=16,777,215. The eavesdropper
stores a table of known keys for each IV (15GB).)
(Figure 4.14: man-in-the-middle, where the same short key and infinite pseudo-random
key are used for the streams A B and A C.)
Figure 4.15 (plaintext, the corresponding ciphertext, and the CRC-32)
Figure 4.16 (message, corresponding ciphertext and CRC; modified plaintext, encrypted
text and recomputed CRC-32)
Wireless LANs 65
4.4.1 Key entropy
Encryption key length is only one of the factors that gives a pointer to the security
of the encryption process. Unfortunately most encryption processes do not use the
full range of keys, as the encryption key itself is typically generated using an ASCII
password. For example, wireless systems typically use a pass phrase to generate the
encryption key. Thus for 64-bit encryption only five alphanumeric characters (40 bits) are used, and 13 alphanumeric characters (104 bits) are used for 128-bit
encryption [1]. These characters are typically defined from well-known words and
phrases such as:
Nap1
whereas 128-bit encryption could use:
NapierStaff1
Thus, this approach typically reduces the number of usable keys, as the keys
themselves will be generated from dictionaries, such as:
About
Apple
Aardvark
and keys generated from strange pass phrases such as:
xyRg54d
io2Fddse
will not be common (and could perhaps be checked if the standard dictionary pass
phrases did not yield a result).
Entropy measures the amount of unpredictability, and in encryption it relates to
the degree of uncertainty of the encryption process. If all the keys in a 128-bit key
were equally likely, then the entropy of the keys would be 128 bits. Unfortunately, due
to the problems of generating keys through pass phrases, the entropy of standard
English can be less than 1.3 bits per character, and passwords are typically at less than
4 bits per character. Thus a 128-bit encryption key in wireless, using standard
English, gives a maximum entropy of only 16.9 bits (1.3 times 13), which is
equivalent to almost a 17-bit encryption key length. So rather than having
20,282,409,603,651,670,423,947,251,286,016 ($2^{104}$) possible keys, there are only 131,072
($2^{17}$) keys.
As an example, let's say an organisation uses a 40-bit code, and that the
organisation has the following possible phrases:
[1] In wireless, a 64-bit encryption key is actually only a 40-bit key, as 24 bits are used as an
initialisation vector. The same goes for a 128-bit key, where the actual key is only 104 bits.
$\frac{\log_{10}(20)}{\log_{10}(2)} = 4.3$
Thus the entropy of the 40-bit code is only 4.3 bits.
Unfortunately many password systems and operating systems such as Microsoft
Windows base their encryption keys on pass-phrases, where the private key is
protected by a password. This is a major problem, as a strong encryption key can be
used, but the password which protects it is open to a dictionary attack, and so the
overall entropy is low.
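The arithmetic in this section can be carried through in code, and extended to measure the entropy of a set of pass phrases rather than assuming a figure. The following is an added example, not part of the module: it computes the entropy of a key chosen from N known phrases (log2 N, which is the 4.3 bits for 20 phrases above), estimates the per-character Shannon entropy of the characters people actually use in a sample of pass phrases, and splits a nominal WEP key size into its IV and secret parts to give the effective key space at a chosen bits-per-character figure (1.3 for standard English, as in the text). The sample pass phrases are constructed.

```python
"""Key entropy of pass-phrase-derived WEP keys (added example; the sample
pass phrases are constructed, the 1.3 bits/char figure is from the text)."""
import math
from collections import Counter
from typing import Dict, Iterable


def phrase_choice_entropy_bits(num_possible_phrases: int) -> float:
    """Entropy of a key picked uniformly from N known phrases:
    log2(N) = log10(N) / log10(2). N = 20 gives 4.3 bits."""
    if num_possible_phrases < 1:
        raise ValueError("need at least one phrase")
    return math.log10(num_possible_phrases) / math.log10(2)


def shannon_bits_per_char(samples: Iterable[str]) -> float:
    """Empirical per-character entropy H = -sum p(c) log2 p(c) over all the
    characters in the samples. 8 bits/char would mean every byte value is
    equally likely; English text and passwords come in far lower."""
    counts = Counter("".join(samples))
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no characters to measure")
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def wep_key_entropy(key_size_bits: int, bits_per_char: float = 1.3) -> Dict[str, float]:
    """Split a nominal WEP key size into the 24-bit IV and the secret, derive
    the number of pass-phrase characters (5 or 13), and estimate the
    effective entropy and key space at bits_per_char."""
    if key_size_bits not in (64, 128):
        raise ValueError("WEP keys are nominally 64 or 128 bits")
    secret_bits = key_size_bits - 24           # 24 bits are the cleartext IV
    chars = secret_bits // 8                   # 8-bit ASCII characters
    effective_bits = chars * bits_per_char
    return {
        "secret_bits": secret_bits,
        "chars": chars,
        "effective_bits": effective_bits,
        "nominal_keys": 2 ** secret_bits,
        "effective_keys": 2 ** round(effective_bits),
    }


if __name__ == "__main__":
    # Constructed dictionary-style pass phrases of the kind the text warns about.
    phrases = ["About", "Apple", "Aardvark", "NapierStaff1", "Nap1", "Edin1"]
    print("20 known phrases:", round(phrase_choice_entropy_bits(20), 2), "bits")
    print("sample phrases:", round(shannon_bits_per_char(phrases), 2), "bits/char")
    for size in (64, 128):
        info = wep_key_entropy(size)
        print(f"{size}-bit WEP: {info['chars']} chars, {info['effective_bits']:.1f} bits,"
              f" {info['effective_keys']} keys instead of {info['nominal_keys']}")
```

Swapping the default bits_per_char for 4 (the figure the text gives for typical passwords) shows the same gap: the 104-bit secret is still worth only about 52 bits.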
4.4.2
WEP is the basic encryption method used for wireless. For the key to be generated
the user must define a 10-digit hexadecimal code:
# config t
(config)# int dot11radio0
(config-if)# encryption mode wep optional
(config-if)# encryption key 1 size 40bit 1122334455 transmit-key
(config-if)# exit
(Key number 1 is used here; three other keys are possible.)
The same can be done for 128-bit encryption, which is more secure. In this case we
require 26 hexadecimal digits:
# config t
(config)# int dot11radio0
(config-if)# encryption mode wep optional
(config-if)# encryption key 1 size 128bit 12345678901234567890123456 transmit-key
(config-if)# exit
The transmit-key option is used to select the key that the access point will use when
transmitting data (only one can be defined at a time, whereas one or more receive
keys can be used). This key must be the same as the one that the clients associate
with, but does not have to be the same as the transmit key for the clients.
4.5 TKIP
To overcome the problems of the WEP encryption method, TKIP (802.11i) adds two
things:
- MIC (Message Integrity Check). This adds two new fields: a sequence number and
an integrity check field. The access point rejects any sequence numbers which are
out of sequence. The integrity check is an improved version of the IV integrity
checker.
- Per-packet keys. This produces WEP keys which eliminate IV reuse and weak
IVs.
Figure 4.18 outlines the operation of the existing WEP standard, and Figure 4.19
shows how it has been enhanced while still keeping compatibility with existing wireless
hardware. WEP is open to bit-flipping, and to a passive attack where the intruder waits for
the IV to repeat, and can then EX-OR the two ciphertext streams to determine
the plaintext.
Figure 4.18 Standard WEP: the IV and the WEP key seed RC4; the ciphertext (C) is the plaintext (P) ⊕ RC4(k,IV), followed by the ICV, and the IV is sent in plaintext. C1 = P1 ⊕ RC4(k,IV) and C2 = P2 ⊕ RC4(k,IV); if the RC4(k,IV) streams are the same then C1 ⊕ C2 = P1 ⊕ P2, which opens the scheme to a statistical attack or dictionary attack.
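The identity in Figure 4.18, as an added example that is not part of the original notes: RC4 is seeded WEP-style with IV || key, the 40-bit key 1122334455 from the configuration above is used, and two constructed frames are encrypted under the same IV to show that C1 ⊕ C2 = P1 ⊕ P2 (the reason TKIP introduced per-packet keys). The IV, the frame contents and the RC4 implementation are constructed here; xor_bytes also does the byte-wise exclusive-OR asked for in tutorial question 5.

```python
# Added example (not from the original notes): WEP-style RC4 encryption with a
# fixed 40-bit key and a repeated IV, showing the identity from Figure 4.18,
# C1 XOR C2 = P1 XOR P2, which TKIP's per-packet keys were introduced to remove.
# The key 1122334455 is the 40-bit key from the WEP configuration in the notes;
# the IV and frame contents are constructed sample values.

WEP_IV_BITS = 24
WEP_IV_COUNT = 1 << WEP_IV_BITS        # 16,777,216 possible IVs (tutorial question 1)


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                               # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                            # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise exclusive-OR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || key (3-byte IV plus a 5- or 13-byte key) and
    returns the IV, sent in the clear, followed by plaintext XOR keystream."""
    if len(iv) != 3 or len(wep_key) not in (5, 13):
        raise ValueError("IV must be 3 bytes, key 5 (40-bit) or 13 (104-bit) bytes")
    keystream = rc4_keystream(iv + wep_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def iv_reuse_leak(wep_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """True when two frames sharing (key, IV) satisfy C1 XOR C2 == P1 XOR P2:
    the keystream cancels and the difference of the plaintexts is exposed."""
    c1 = wep_encrypt(wep_key, iv, p1)[3:]
    c2 = wep_encrypt(wep_key, iv, p2)[3:]
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def distinct_iv_no_leak(wep_key: bytes, p1: bytes, p2: bytes) -> bool:
    """With different IVs the keystreams differ, so the identity no longer holds."""
    c1 = wep_encrypt(wep_key, b"\x00\x00\x01", p1)[3:]
    c2 = wep_encrypt(wep_key, b"\x00\x00\x02", p2)[3:]
    return xor_bytes(c1, c2) != xor_bytes(p1, p2)


if __name__ == "__main__":
    key40 = bytes.fromhex("1122334455")               # 10 hex digits = 40 bits
    iv = b"\x00\x00\x07"                              # constructed repeated IV
    p1 = b"GET /index.html HTTP/1.0"                  # constructed frame bodies
    p2 = b"GET /login.html HTTP/1.0"
    print("IVs available:", WEP_IV_COUNT)
    print("same IV leaks P1^P2:", iv_reuse_leak(key40, iv, p1, p2))
    print("different IVs:", distinct_iv_no_leak(key40, p1, p2))
```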
With TKIP a Packet IV (PIV) is used as a sequence number, and creates a PPK (per-packet key) along with the shared key and the transmitter's address. The sequence
number stops replay attacks, as two frames with the same sequence number are
rejected (along with sequence numbers which are less than the expected sequence
number). The transmitter starts the PIV at zero, and then increments it for each
transmitted frame.
The temporal key is 128 bits long, and has a certain lifetime. This is then mixed
with the 48-bit MAC address of the transmitter, so that different stations
will produce data streams which are different. TKIP uses a re-key facility which
continually refreshes the encryption keys. Initially a master key is passed between
the access point and the station. This is created for each session, and is passed in a
secure way. This master key is used by the access point to pass the encryption keys. The
station and the access point then generate two temporal keys, one for each direction
of transmission. To avoid the same key recurring, the Packet IV (which is 16 bits)
will roll over every 2^16 packets. Thus the master key must be regenerated every 2^16
packets.
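The receive-side sequence check described above, as an added example (not from the original notes): a per-transmitter packet IV is tracked, replayed or lower-than-expected frames are rejected, and rollover of the 16-bit counter used in these notes signals that the master key must be refreshed. The MAC addresses and the frame list are constructed.

```python
# Added example (not from the original notes): a receive-side check of the TKIP
# packet IV (sequence number). Frames whose sequence number is not greater than
# the last accepted one from that transmitter are rejected, and when the 16-bit
# counter used in these notes is about to roll over, the master key must be
# refreshed. The MAC addresses and the frame list are constructed.

PIV_BITS = 16
PIV_LIMIT = 1 << PIV_BITS      # 2^16 packets before the counter rolls over


class TkipReplayCheck:
    """Tracks the last accepted packet IV per transmitter and flags replays."""

    def __init__(self) -> None:
        self._last = {}          # tx_addr -> last accepted packet IV

    def accept(self, tx_addr: str, piv: int) -> bool:
        """Return True if the frame is in sequence (and record it), else False."""
        if not 0 <= piv < PIV_LIMIT:
            raise ValueError("packet IV outside the 16-bit range")
        last = self._last.get(tx_addr)
        if last is not None and piv <= last:
            return False         # replayed, duplicated or out-of-sequence frame
        self._last[tx_addr] = piv
        return True

    def needs_rekey(self, tx_addr: str) -> bool:
        """True once the next increment would wrap the counter back to zero."""
        return self._last.get(tx_addr, -1) >= PIV_LIMIT - 1

    def rekey(self, tx_addr: str) -> None:
        """New master key: the transmitter restarts its packet IV at zero."""
        self._last.pop(tx_addr, None)


def filter_frames(frames):
    """Run a (tx_addr, piv) stream through the check; return one verdict per frame."""
    check = TkipReplayCheck()
    return [check.accept(addr, piv) for addr, piv in frames]


SAMPLE_FRAMES = [                # constructed: station ...:12 has frame 2 replayed
    ("12:34:56:78:90:12", 0),
    ("12:34:56:78:90:12", 1),
    ("12:34:56:78:90:12", 2),
    ("12:34:56:78:90:12", 2),    # replay of frame 2 -> rejected
    ("12:34:56:78:90:12", 1),    # lower than expected -> rejected
    ("12:34:56:78:90:13", 0),    # a second station keeps its own counter
    ("12:34:56:78:90:12", 3),
]

if __name__ == "__main__":
    print(filter_frames(SAMPLE_FRAMES))
```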
Figure 4.19 TKIP per-packet key mixing: the 16-bit Packet IV (sequence number), the 128-bit temporal key (which has a certain lifetime) and the 48-bit transmitter address (Tx Addr, e.g. 12:34:56:78:90:12) are passed through the key mix to produce the per-packet key (PPK, 24 bits shown) used with the 128-bit RC4 key; the ciphertext (C) is the plaintext (P) ⊕ RC4(k,IV), followed by the ICV.
Figure 4.20 TKIP: a master key (a shared secret key generated for each session) is exchanged between the wireless access point and the station and is used to pass the encryption keys; each side holds a sending and a receiving temporal key, and the master key must be refreshed every 2^16 packets.
4.5.1 Configuring TKIP
TKIP is not a long-term solution to the problems of wireless security, but it is compatible
with existing equipment, and should provide enough security for current standards.
ap(config-if)# encryption mode ?
  ciphers  Optional data ciphers
  wep      Classic 802.11 privacy algorithm
ap(config-if)# encryption mode ciphers ?
  aes-ccm    WPA AES CCMP
  ckip       Cisco Per packet key hashing
  ckip-cmic  Cisco Per packet key hashing and MIC (MMH)
  cmic       Cisco MIC (MMH)
  tkip       WPA Temporal Key encryption
  wep128     128 bit key
  wep40      40 bit key
ap(config-if)# encryption mode ciphers tkip ?
  aes-ccm  WPA AES CCMP
  wep128   128 bit key
  wep40    40 bit key
  <cr>
ap(config-if)# encryption mode ciphers tkip wep128
ap1200(config-if)# encryption key 1 size 128 12345678901234567890123456 transmit-key
which configures both TKIP and WEP128 (for clients that do not support TKIP).
4.5.2 WPA-PSK
One method of TKIP is WPA-PSK (Pre-shared key), where the user defines a pre-shared key, which is set up on both the access point and the client. An example setup
of WPA-PSK on a client (Figure 4.21), with the same shared key of
napieruniversity configured on the access point, is:
(config)# dot11 ssid texas
(config-ssid)# wpa-psk ascii napieruniversity
(config-ssid)# exit
(config)# int d0
(config-if)# ssid texas
4.6 Tutorial
1. Prove that there are 16,777,216 IV values.
2. Show that 128-bit WEP encryption requires 26 hexadecimal digits. Why does it
only require 13 ASCII characters?
3. Show that 64-bit WEP encryption requires 10 hexadecimal digits. Which of the
following are valid 64-bit WEP keys:
napier
university
soc
4. Which of the following are valid hexadecimal 64-bit WEP keys:
napier
aaaaaaaaaa
abcdefghij
5. What is the result of ABC exclusive-ORed (⊕) with 1010 1010 1010 1010 1010
1010? What is the result if the same key is used to exclusive-OR the result?
Example: D ⊕ 1001 1001 gives:
  0100 0100
⊕ 1001 1001
= 1001 1101
Copyright statement
This unit has been designed as an integrated unit, and should not
be modified without the author's consent.
Prof Bill Buchanan, Sept 2008
ASCII table (decimal, hexadecimal, binary, character)
Dec Hex Binary   Char   Dec Hex Binary   Char   Dec Hex Binary   Char   Dec Hex Binary   Char
0   00  00000000 NUL    32  20  00100000 SPACE  64  40  01000000 @      96  60  01100000 `
1   01  00000001 SOH    33  21  00100001 !      65  41  01000001 A      97  61  01100001 a
2   02  00000010 STX    34  22  00100010 "      66  42  01000010 B      98  62  01100010 b
3   03  00000011 ETX    35  23  00100011 #      67  43  01000011 C      99  63  01100011 c
4   04  00000100 EOT    36  24  00100100 $      68  44  01000100 D      100 64  01100100 d
5   05  00000101 ENQ    37  25  00100101 %      69  45  01000101 E      101 65  01100101 e
6   06  00000110 ACK    38  26  00100110 &      70  46  01000110 F      102 66  01100110 f
7   07  00000111 BEL    39  27  00100111 '      71  47  01000111 G      103 67  01100111 g
8   08  00001000 BS     40  28  00101000 (      72  48  01001000 H      104 68  01101000 h
9   09  00001001 HT     41  29  00101001 )      73  49  01001001 I      105 69  01101001 i
10  0A  00001010 LF     42  2A  00101010 *      74  4A  01001010 J      106 6A  01101010 j
11  0B  00001011 VT     43  2B  00101011 +      75  4B  01001011 K      107 6B  01101011 k
12  0C  00001100 FF     44  2C  00101100 ,      76  4C  01001100 L      108 6C  01101100 l
13  0D  00001101 CR     45  2D  00101101 -      77  4D  01001101 M      109 6D  01101101 m
14  0E  00001110 SO     46  2E  00101110 .      78  4E  01001110 N      110 6E  01101110 n
15  0F  00001111 SI     47  2F  00101111 /      79  4F  01001111 O      111 6F  01101111 o
16  10  00010000 DLE    48  30  00110000 0      80  50  01010000 P      112 70  01110000 p
17  11  00010001 DC1    49  31  00110001 1      81  51  01010001 Q      113 71  01110001 q
18  12  00010010 DC2    50  32  00110010 2      82  52  01010010 R      114 72  01110010 r
19  13  00010011 DC3    51  33  00110011 3      83  53  01010011 S      115 73  01110011 s
20  14  00010100 DC4    52  34  00110100 4      84  54  01010100 T      116 74  01110100 t
21  15  00010101 NAK    53  35  00110101 5      85  55  01010101 U      117 75  01110101 u
22  16  00010110 SYN    54  36  00110110 6      86  56  01010110 V      118 76  01110110 v
23  17  00010111 ETB    55  37  00110111 7      87  57  01010111 W      119 77  01110111 w
24  18  00011000 CAN    56  38  00111000 8      88  58  01011000 X      120 78  01111000 x
25  19  00011001 EM     57  39  00111001 9      89  59  01011001 Y      121 79  01111001 y
26  1A  00011010 SUB    58  3A  00111010 :      90  5A  01011010 Z      122 7A  01111010 z
27  1B  00011011 ESC    59  3B  00111011 ;      91  5B  01011011 [      123 7B  01111011 {
28  1C  00011100 FS     60  3C  00111100 <      92  5C  01011100 \      124 7C  01111100 |
29  1D  00011101 GS     61  3D  00111101 =      93  5D  01011101 ]      125 7D  01111101 }
30  1E  00011110 RS     62  3E  00111110 >      94  5E  01011110 ^      126 7E  01111110 ~
31  1F  00011111 US     63  3F  00111111 ?      95  5F  01011111 _      127 7F  01111111 DEL
Wireless Authentication
5.1 Introduction
The key elements of security are confidentiality, integrity and assurance (CIA), where
sensitive data must be kept securely, typically using encryption. Key factors, though,
are the ownership and the access rights of data and services. Thus some form of
authentication must be applied to make sure that the users and/or devices that are
accessing services and data have the correct rights. Authentication is thus important
from many aspects, as it can be used to identify these users and devices. The first
generation of wireless networks tended not to use strong authentication, and tended
to use the MAC address of the device to authenticate. Unfortunately this method is
open to MAC and IP address spoofing, where valid MAC and IP addresses are used
to connect to the wireless network. Along with this, an authentication scheme based
purely on the device does not properly authenticate the user, thus many
authentication schemes have some form of user/group identification and verification.
The main methods used for verification include:
Figure 5.1 Authentication components: the supplicant (wireless client) presents a username and password to the wireless access point (the authenticator), which checks them against an authentication server, which may be a centralised RADIUS or TACACS+ server, a PKI server or a Windows Domain server.
Figure 5.2 802.11 frame format: Frame control | Duration/ID | Add 1 (Dest., 6 bytes) | Add 2 (Src, 6 bytes) | Add 3 (SSID) | Sequence control | Add 4 | Frame body (0-2312 bytes) | FCS (4 bytes).
The Frame control field contains: Protocol version (00, 0x0); Frame type (00 Management frame (0x0), 01 Control, 10 Data); Subtype (Management: 0000 Association Request, 0001 Association Response, 0100 Probe request (0x4), 1011 Authentication (0xB); Control: 1011 RTS, 1100 CTS, 1101 ACK); and the flag bits ToDS, FromDS, MoreFrag, Retry, PowerManagement, MoreData (0 No more data), WEP (0 No WEP, 1 WEP) and Order (0 Not ordered).
There are three frame types (defined in the frame type bits): management, control and data. The management subtypes include:
0000 Association Request      0001 Association Response
0010 Reassociation Request    0011 Reassociation Response
0100 Probe Request            0101 Probe Response
1000 Beacon                   1010 Disassociation
1011 Authentication           1100 Deauthentication
A sending client (or DS - Distributed System) defines whether the data frame is
forwarded. If it is not to be forwarded the ToDS and FromDS bits are set to zero. The
MoreFrag bit defines whether the data frame has been fragmented, and the Retry bit
is set when the same data frame has already been sent. A client can define that it has
power management by setting the PowerManagement bit. The MoreData bit is used
by an access point to define that there are more data frames that have been buffered
for a client. If the Order bit is set it defines that the data frames are ordered, while the
WEP bit defines whether WEP is used or not. The main phases of the connection between a
station client and a wireless access point are probe request, authentication, and
association.
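Added example (not from the original notes) decoding the Frame Control field laid out in Figure 5.2 and the flag bits just described, then counting deauthentication and disassociation frames per source address as a wireless monitor would. The sample headers and the access point address 00:11:22:33:aa:bb are constructed; the client address 0090.4b54.d83a is the one used later in this chapter.

```python
# Added example (not from the original notes): decode the 16-bit Frame Control
# field of an 802.11 header into protocol version, frame type, subtype and the
# eight flag bits, and count the deauthentication/disassociation frames a
# monitor would want to see. Sample headers and the AP address are constructed.

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data"}

MANAGEMENT_SUBTYPES = {
    0b0000: "Association Request",   0b0001: "Association Response",
    0b0010: "Reassociation Request", 0b0011: "Reassociation Response",
    0b0100: "Probe Request",         0b0101: "Probe Response",
    0b1000: "Beacon",                0b1010: "Disassociation",
    0b1011: "Authentication",        0b1100: "Deauthentication",
}
CONTROL_SUBTYPES = {0b1011: "RTS", 0b1100: "CTS", 0b1101: "ACK"}

# Flag bits of the second Frame Control byte, least significant bit first.
FLAG_NAMES = ["ToDS", "FromDS", "MoreFrag", "Retry",
              "PowerManagement", "MoreData", "WEP", "Order"]


def parse_frame_control(fc: bytes) -> dict:
    """Decode the two Frame Control bytes: version (bits 0-1), type (bits 2-3)
    and subtype (bits 4-7) are in the first byte, the eight flags in the second."""
    if len(fc) < 2:
        raise ValueError("frame control field is 2 bytes")
    b0, b1 = fc[0], fc[1]
    version = b0 & 0b11
    ftype = (b0 >> 2) & 0b11
    subtype = (b0 >> 4) & 0b1111
    if ftype == 0:
        name = MANAGEMENT_SUBTYPES.get(subtype, "Reserved")
    elif ftype == 1:
        name = CONTROL_SUBTYPES.get(subtype, "Reserved")
    else:
        name = FRAME_TYPES.get(ftype, "Reserved")
    flags = {n: bool((b1 >> i) & 1) for i, n in enumerate(FLAG_NAMES)}
    return {"version": version, "type": FRAME_TYPES.get(ftype, "Reserved"),
            "subtype": subtype, "name": name, "flags": flags}


def header(fc0: int, fc1: int, src: bytes, dst: bytes = b"\xff" * 6) -> bytes:
    """Constructed 24-byte header: Frame control, Duration/ID, Add 1 (Dest.),
    Add 2 (Src), Add 3 (BSSID, set to src here) and Sequence control."""
    return bytes([fc0, fc1]) + b"\x00\x00" + dst + src + src + b"\x00\x00"


def count_disconnects(frames) -> dict:
    """Count deauthentication and disassociation frames per Add 2 (source)."""
    counts = {}
    for frame in frames:
        info = parse_frame_control(frame[:2])
        if info["name"] in ("Deauthentication", "Disassociation"):
            src = frame[10:16].hex(":")        # Add 2 starts at byte offset 10
            counts[src] = counts.get(src, 0) + 1
    return counts


AP = bytes.fromhex("00112233aabb")            # constructed access point address
STA = bytes.fromhex("00904b54d83a")           # client address from the chapter

SAMPLE_FRAMES = [                             # constructed capture
    header(0x80, 0x00, AP),                   # Beacon (subtype 1000)
    header(0xB0, 0x00, STA, AP),              # Authentication (subtype 1011)
    header(0x08, 0x41, STA, AP),              # Data frame with ToDS and WEP set
    header(0xC0, 0x00, AP, STA),              # Deauthentication (subtype 1100)
    header(0xC0, 0x00, AP, STA),              # Deauthentication
    header(0xA0, 0x00, AP, STA),              # Disassociation (subtype 1010)
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        info = parse_frame_control(frame)
        print(info["type"], info["name"], [k for k, v in info["flags"].items() if v])
    print(count_disconnects(SAMPLE_FRAMES))
```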
Figure 5.3 Station operations: the station sends a probe request and receives a probe response from the wireless access point, then exchanges an authentication request and response, and finally an association request and response.
- Open authentication. In this type the client is always accepted. Open
authentication is typically used where it does not matter whether the devices are
authenticated, or where there are devices which cannot support complex
authentication, such as hand-held devices. If open authentication is used, any
device can gain access to the network. Each radio port can have multiple SSIDs.
- Based on WEP. If WEP is used, the WEP key can be used to authenticate the
client to the access point. If it does not have the correct WEP key it will not be
allowed access to the network.
- Shared-key. With this method, the access point and the client have the same
shared key. The access point sends an authentication response which has a
challenge text. The client then encrypts the challenge with the shared WEP key,
and sends it back to the access point. If it has been correctly encrypted, the access
point sends back an authentication response (success), as illustrated in Figure 5.4.
The major problem with shared-key authentication is that it is vulnerable to a
man-in-the-middle attack, where an intruder can capture both the plain-text
challenge and the ciphertext, and XOR them together to generate the key stream,
as illustrated in Figure 5.5. With that key stream, the man-in-the-middle does not
need the shared key, as they can send a message which is XORed with the
random key.
- 802.1x. This method implements a whole range of authentication methods, such
as TLS, LEAP, EAP-FAST, and so on, and provides a framework for them to exist.
- MAC address-based. This is not a standard method used in 802.11, but is
implemented by many vendors. Initially, as illustrated in Figure 5.6, the station
client sends an association request to the access point, which then sends the MAC
address to the RADIUS server, which checks it against the addresses in its
database. If it is successful, it sends a RADIUS-ACCEPT message to the access
point, after which the access point will send an association response (Success)
message to the station client. The MAC address-based method can be defeated
with a network interface card which can be set to a MAC address which is valid
on the network.
Figure 5.4 Authentication methods
Figure 5.5 Shared-key authentication: probe request, probe response, authentication request, authentication response and WEP data frame between the client and the wireless access point; the shared WEP key (Key: ABCDEF on both sides) is used to authenticate the client.
Figure 5.6 Man-in-the-middle attack: the challenge (ABCDE) and its RC4-encrypted response (#@D.F) are both sniffed; the man-in-the-middle EX-ORs the two strings and determines the random key.
Figure 5.7 MAC address-based authentication: on the probe request the MAC address is sent to the RADIUS server, which returns RADIUS-accept, and the wireless access point then sends an authentication response (success).
Note: 802.1x is port-based authentication, and is not to be confused with 802.1q, which is VLAN tagging used to provide a trunk between switches, or with 802.11x, which refers to any existing or developing standard in the 802.11 family.
Figure 5.7 shows that the 802.1x framework provides an interface between many
different network types and a number of differing authentication methods (such as
LEAP, EAP-TLS, and so on). It can be seen that 802.1x sits between the Layer 3
protocol and the link layer, which means that the device cannot directly
communicate with the network unless it has been authenticated. The framework
supports a wide range of authentication methods, and also network technologies,
and is seen as a single standard for the future of authenticated systems. As
previously mentioned, 802.1x uses three main entities: the supplicant, the
authenticator (the access point) and the authentication server (such as a RADIUS server).
Figure 5.8 shows the basic message flow for 802.1x authentication, where the
supplicant sends its identity to the access point, which is then forwarded to a
RADIUS server. The RADIUS server then authenticates the client, and vice-versa. If
these are successful the RADIUS server sends a RADIUS-ACCEPT message to the
access point, which then allows the client to join the network.
Figure 5.8 802.1x layers
Figure 5.9 802.1x message flow: Start, Request ID, ID (forwarded by the access point to the RADIUS server), then the broadcast key and key length are delivered to the client.
5.7 EAP
In most cases, a wireless client cannot gain access to the network, unless it has been
authenticated by the access point or a RADIUS server, and has encryption keys
(Figure 5.9). The main versions of EAP are:
5.7.1 EAP-TLS
This is based on a UserID and a digital certificate. With a digital certificate, the client
uses public key encryption, such as RSA, to produce a public and a private key. The
digital certificate for the user, or the device, stores the public key, and this digital
certificate, typically, is stored on a trusted PKI server. When authenticating, the client
encrypts a message with the private key, and passes it to the authentication server,
which then takes the digital certificate for the device, and decrypts the encrypted
message with the public key. If the message is decrypted successfully, the digital
certificate has been validated, and the user/device is allowed onto the network (see
Section 5.8 for a further explanation).
Figure 5.10 EAP authentication: a device cannot access the corporate network until it has been authenticated and has encryption keys; the wireless access point refers to a local RADIUS server or to a RADIUS server on the corporate network.
The details EAP-TLS uses are:
User Authentication:
Key size:
Encryption:
Device Authentication:
Open Standard:
User differentiation:
Certificate:
5.7.2 LEAP
converted into a password hash (see footnote 3) using MD4, so it is not possible for an intruder to
listen to the password.
The hashed password is then converted into a Windows NT key, which has the
advantage of being compatible with Microsoft Windows systems. Normally
authentication is achieved using the Microsoft login screen, where the user name and
the Windows NT key are passed from the client to the access point. LEAP is thus
open to a dictionary attack, so strong passwords should be used. There
are also many programs which can search for passwords and determine their hash
function.
5.7.3
This uses a UserID and a one-time password (Figure 5.11). An OTP allows for a single
password to be passed once, after which consecutive passwords are automatically
generated and authenticated. The required details for PEAP are:
User Authentication:
Key size:
Encryption:
Device Authentication:
Open Standard:
User differentiation:
Certificate:
Figure 5.11 PEAP authentication
Footnote 3: A hash function is a one-way encryption process, and thus the original data cannot be
recovered.
Figure 5.12 Adding authentication: the sender encrypts an authentication value (fred) with its private key and sends it along with the data; the receiver holds the corresponding public key.
Figure 5.13 Authenticating: the receiver takes the public key from the digital certificate and uses it to decrypt the authentication value (fred) that accompanies the encrypted data.
(config-ssid)# authentication ?
  client
  key-management
  network-eap
  open
  shared
Figure 5.14 Test network: a Cisco Aironet 1200 access point (SSID NapierSSID, 192.168.1.240/24, 64-bit WEP key AAAAAAAAAA, LEAP authentication) with wireless nodes at 192.168.1.115/24, 192.168.1.112/24 and 192.168.1.111/24.
1. To set up a WEP key of AAAAAAAAAA, an IP address of 192.168.1.240, and open
authentication.
2. A connection is made with the access point, and its SSID (NapierSSID), IP address
and subnet mask can be set. This can be done either with the CLI of:
dot11 ssid NapierSSID
authentication network-eap eap_methods
exit
interface Dot11Radio0
encryption key 1 size 40bit AAAAAAAAAA transmit-key
encryption mode ciphers wep40
channel 1
guest-mode
station-role root
no shutdown
exit
interface BVI1
ip address 192.168.1.240 255.255.255.0
exit
ip http server
3. Next RADIUS is setup as the local server with (using a shared key of sharedkey):
radius-server local
nas 192.168.1.240 key sharedkey
user aaauser password aaapass
user bbbuser password bbbpass
exit
radius-server host 192.168.1.240 auth-port 1812 acct-port 1813 key sharedkey
exit
4. Next the wireless client can be set up by first setting the WEP key (Figure 4.15).
5. Next authentication is defined with LEAP (Figure 4.16), where the username is
defined as aaauser and the password is aaapass.
6. The wireless device should be able to ping itself and the access point, such as:
C:\>ping 192.168.1.240
Pinging 192.168.1.240 with 32 bytes of data:
Reply from 192.168.1.240: bytes=32 time=2ms TTL=255
Reply from 192.168.1.240: bytes=32 time=1ms TTL=255
Reply from 192.168.1.240: bytes=32 time=1ms TTL=255
Reply from 192.168.1.240: bytes=32 time=1ms TTL=255
and, pinging itself:
Reply from 192.168.1.115: bytes=32 time<1ms TTL=128
Reply from 192.168.1.115: bytes=32 time<1ms TTL=128
Reply from 192.168.1.115: bytes=32 time<1ms TTL=128
Reply from 192.168.1.115: bytes=32 time<1ms TTL=128
7. The wireless access point should also be able to show the association, such as:
ap#show dot11 assoc
802.11 Client Stations on Dot11Radio0:
SSID [NapierSSID] :
MAC Address     IP address      Device      Name   Parent   State
0090.4b54.d83a  192.168.1.115   4500-radio         self     EAP-Assoc
Others:
Figure 5.14 Setting the WEP key on the wireless client
Figure 5.15 Defining LEAP authentication on the wireless client
Radio and RF
6.1 Introduction
The electromagnetic (EM) spectrum contains a wide range of electromagnetic waves,
from radio waves up to X-rays (as illustrated in Figure 6.1). Included in the spectrum
are radio waves, microwaves, infrared waves, light waves, ultraviolet waves and X-rays. Electromagnetic waves propagate at the speed of light (c) in free space (3 × 10^8
m/s, or 300,000,000 m/s) and vary in their frequency and wavelength. Normally
radio waves are referred to by their frequency, and waves above this are referred to
by their wavelength. The relationship between frequency and wavelength is:
c = f λ   (6.1)
where c is the speed of light, f is the frequency (Hz) and λ is the wavelength (m). For
example Radio Forth FM, which has a carrier frequency of 97.3 MHz, has a
wavelength of 3.08 m (300,000,000 divided by 97,300,000). Virgin Radio has a
frequency of 1215 kHz, which gives a wavelength of 246 m (300,000,000 divided by
1,215,000).
The RF (Radio Frequency) spectrum ranges from radio waves to microwave
frequencies. The lower the frequency the better the wave propagates around large
objects, thus AM radio frequencies tend to propagate better than FM radio. Often FM
radio, microwave transmissions and TV signals rely on line-of-sight communications,
as higher-frequency waves cannot bend around large objects. The frequencies used
for IEEE 802.11 communications are 2.4 GHz (12.5 cm) for IEEE 802.11b/11g and
5 GHz (6 cm) for IEEE 802.11a.
Figure 6.1 EM wave spectrum, plotted against wavelength (m) and frequency (Hz): radio waves (AM radio 535 kHz to 1.7 MHz, FM radio 88 to 108 MHz, TV 174 to 220 MHz, cell phone 800/900 MHz, GPS 1.2 to 1.5 GHz), microwaves (wireless comms at 2.4 and 5 GHz), infrared, light, ultraviolet and X-rays.
An electromagnetic wave propagates with an electric field (E) and a magnetic field
(H). These are at right angles to each other, and the propagation is at right angles to
both the E and H fields. This is defined by the right-hand rule (as illustrated in
Figure 6.2).
Figure 6.2 EM wave propagation: the E (electric) field, the H (magnetic) field and the direction of propagation conform to the right-hand rule (E: middle finger, H: thumb, propagation: index finger).
Gain = Poutput / Pinput   (6.2)
which is a ratio. If the value is less than unity, there is a loss of power (such as in a
cable loss), and if it is greater than unity there is a gain in power (such as in an
electrical amplifier). Typically gain is defined on a logarithmic scale such as:
Gain(dB) = 10 log10 (Poutput / Pinput)   (6.3)
Thus, for example, if the power output is doubled over the input, then the gain will
be:
Gain = 10 log10 (2 Pinput / Pinput) = 10 log10 2 = 3.01 dB   (6.4)
(6.5)
(6.6)
[Figure: power (dB) plotted against power (ratio); only the plot axes were recovered]
A typical low loss cable gives a loss of 6.7 dB per 100 feet (30m). Thus for every 100
feet the signal strength reduces by:
Reduction = 1 / 10^(6.7/10) = 0.213   (6.7)
which means that only around 21% of the signal remains after 100 feet.
- Diversity. With this, the WAP uses whichever antenna is receiving the best signal.
- Right. This is where the antenna on the right of the WAP is used, and it is highly
directional.
- Left. This is where the antenna on the left of the WAP is used, and it is highly directional.
6.4.1
Multipath problems have always been one of the major factors in radio
networks. A new range of wireless devices now thrives on multipath propagation
and uses MIMO (Multiple-in, multiple-out) antennas, which allow the access point to
communicate with several antennas at the same time. These antennas can then
transmit separate bit streams, and thus multiply the available bandwidth (Figure 6.5).
802.11n is one of the first such standards and its basic details are:
Frequency:
Max:
Range:
802.11n sends information on two or more antennas. These signals then reflect off
objects, creating multiple paths. Normally these cause
interference and fading, but with MIMO they carry different information, which is
recombined on the receiving side.
[Figure: inverse square law. At distance R the wave front covers an area P1 = πR²; at distance 2R it covers P2 = π(2R)² = 4πR², so the power reduces at a rate of 1/r².]
An antenna is measured for its field strength in both the azimuth and the elevation
(as illustrated in Figure 6.7). The azimuth map shows the field strength in the x-y
direction, while the elevation gives the electric field strength above the antenna (x-z
direction).
Figure 6.7 Measurement of antenna field pattern (azimuth and elevation planes)
[Table: antenna types (vertical whip, vertical dipole (λ/2), monopole) with their radiation pattern and coverage; the diagrams were not recovered]
Gain = Pm / Pi   (6.8)
Gain(dB) = 10 log10 (Pm / Pi)   (6.9)
Gain(dB) = 10 log10 (2 Pi / Pi) = 10 log10 2 = 3.01 dB   (6.10)
Gain(dB) = 10 log10 (4 Pi / Pi) = 10 log10 4 = 6.02 dB   (6.11)
It can be seen that there is an increase of 3dB for every doubling in power. This gain
is often referred to as dBi (isotropic reference), which is the gain relative to a perfect
isotropic radiator. Unfortunately isotropic antennas are impossible to produce, thus a
more useful measure is the reference to a dipole antenna, and is defined as dBd
(dipole reference). A dipole antenna has a gain of 2.14dBi, thus a dBd value can be
converted into a dBi value by adding 2.14 onto it. Thus a 1 dBd radiator has a 3.14 dBi
gain.
[Figure: antenna gain. The power measured from the antenna (Pm) is compared with the power measured from an isotropic antenna (Pi): Gain = Pm/Pi (6.12)]
6.8 Polarization
The direction of the electric field defines the polarization direction. This normally lies
along the conducting rod element in the antenna. The polarisation direction should
be at right angles to the line-of-sight direction between the transmitter and the
receiver. Normally, in wireless networks, the polarization is vertical, but it can also
be horizontal (Figure 6.12). A helix antenna creates a circularly polarized wave
(which can, of course, be right-handed or left-handed polarization).
Figure 6.12 Vertical and horizontal polarization of the E field
[Table: rainfall (inch/hr) of 0.15, 0.7 and 1.5; the corresponding attenuation values were not recovered]
6.10 EIRP
The EIRP value of a transmitter measures the maximum power from the transmitter,
and is given by:
EIRP = transmitter power + antenna gain − cable loss
This must be within the maximum limits required by the national laws. For example
a 100mW (20dBi) power source with an antenna with a 6dBi gain will give an EIRP of
26dBi. In most situations an EIRP of 36dBi should not be exceeded. In a site survey of
any deployed wireless network, it must be verified that the EIRP does not exceed the
regulatory maximum. In Europe the maximum EIRP is 20dBm.
[Table: Cisco antennas ANT5959, ANT2410Y-R, ANT4941, ANT3549, ANT1729, ANT2012, ANT3213 and ANT1728, with columns Description (e.g. 2.2 dBi dipole antenna, patch wall mount), Application (indoor/outdoor unobtrusive medium-range antenna, indoor omnidirectional coverage, indoor unobtrusive long-range or medium-range antenna, also usable as a medium-range bridge antenna), Gain (from 2.2 dBi to 10 dBi, some with two radiating elements), Range (from 142 ft (44 m) up to 800 ft (244 m)), Beam width (e.g. 360 H 80 V, 47 H 55 V, 75 H 65 V) and Cable length (3 ft (0.91 m) or N/A); the column alignment was not recoverable from the extraction]
The Fresnel zone is an elliptical area which defines the region in which there
should not be any objects which could cause a reduction in the
received signal strength (Figure 6.14).
Figure 6.14 Fresnel zone
Overall the Fresnel zone varies with the distance between the antennas and the
operating frequency. The radius of the Fresnel zone (in meters) is given by (Figure
15):
r = 17.32 √( d / (4 f) )   (6.13)
where d is the distance (in km) and f is the frequency (in GHz).
[Figure 15: Fresnel radius r (m) plotted against distance d (km)]
For example, if the distance between the antennas is 1km, and the frequency is
2.4GHz, then the maximum Fresnel radius will be:
r = 17.32 √( 1 / (4 × 2.4) ) = 5.58 m   (6.14)
Thus, in this case, it must be ensured that there are no obstacles in the path which are
within this region.
(6.15)
where f is the frequency in MHz, and d is the distance in miles. For example with a
frequency of 2.4GHz and a distance of 1mile gives a free-space loss of 104.2dB.
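The chapter's link-budget formulas as runnable functions, added here and not from the original notes: wavelength (6.1), gain in dB (6.3), cable loss (6.7), EIRP, dBd to dBi, Fresnel radius (6.13) and the free-space loss behind the 104.2 dB figure. The free-space loss formula is not printed in these notes; the standard form for f in MHz and d in miles, 36.6 + 20 log10 f + 20 log10 d, is assumed and reproduces the quoted value.

```python
# Added example (not from the original notes): the link-budget formulas of this
# chapter as functions, checked against the worked values in the text.
import math

C = 300_000_000.0   # speed of light in m/s, as used in these notes


def wavelength_m(freq_hz: float) -> float:
    """(6.1) c = f * lambda, solved for the wavelength in metres."""
    return C / freq_hz


def propagation_time_s(distance_m: float) -> float:
    """Time for a radio wave to cover distance_m in free space (tutorial question 7)."""
    return distance_m / C


def gain_db(p_out: float, p_in: float) -> float:
    """(6.3) Gain(dB) = 10 log10(P_output / P_input)."""
    return 10 * math.log10(p_out / p_in)


def mw_to_dbm(p_mw: float) -> float:
    """Power in dBm, i.e. relative to 1 mW."""
    return 10 * math.log10(p_mw)


def dbm_to_mw(p_dbm: float) -> float:
    """Inverse of mw_to_dbm."""
    return 10 ** (p_dbm / 10)


def cable_loss_ratio(loss_db: float) -> float:
    """(6.7) fraction of the signal remaining after a loss of loss_db."""
    return 1 / 10 ** (loss_db / 10)


def cable_output_mw(p_in_mw: float, feet: float, db_per_100ft: float = 6.7) -> float:
    """Power left after `feet` of cable with the stated loss per 100 feet."""
    return p_in_mw * cable_loss_ratio(db_per_100ft * feet / 100)


def dbd_to_dbi(gain_dbd: float) -> float:
    """A dipole has 2.14 dBi gain, so dBi = dBd + 2.14."""
    return gain_dbd + 2.14


def eirp_dbm(tx_dbm: float, antenna_gain_dbi: float, cable_loss_db: float = 0.0) -> float:
    """EIRP = transmitter power + antenna gain - cable loss (all logarithmic units)."""
    return tx_dbm + antenna_gain_dbi - cable_loss_db


def fresnel_radius_m(d_km: float, f_ghz: float) -> float:
    """(6.13) r = 17.32 sqrt(d / (4 f)), d in km, f in GHz, r in metres."""
    return 17.32 * math.sqrt(d_km / (4 * f_ghz))


def free_space_loss_db(f_mhz: float, d_miles: float) -> float:
    """Free-space path loss in dB for f in MHz and d in miles. Assumed standard
    form (the notes quote only the result): 36.6 + 20 log10(f) + 20 log10(d)."""
    return 36.6 + 20 * math.log10(f_mhz) + 20 * math.log10(d_miles)


def received_power_db(tx_db: float, f_mhz: float, d_miles: float) -> float:
    """Transmitted power (dB) minus the free-space loss, as in tutorial question 13."""
    return tx_db - free_space_loss_db(f_mhz, d_miles)


if __name__ == "__main__":
    print(f"Radio Forth FM wavelength: {wavelength_m(97.3e6):.2f} m")
    print(f"Doubling power: {gain_db(2, 1):.2f} dB")
    print(f"After 100 ft of cable: {cable_loss_ratio(6.7):.3f} of the signal remains")
    print(f"EIRP of 20 dBm + 6 dBi: {eirp_dbm(20, 6):.0f} dBm")
    print(f"Fresnel radius, 1 km at 2.4 GHz: {fresnel_radius_m(1, 2.4):.2f} m")
    print(f"Free-space loss, 1 mile at 2.4 GHz: {free_space_loss_db(2400, 1):.1f} dB")
```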
6.15 Tutorial
1. Convert the following power values between mW and dBm: 1 mW, 20mW, 150mW, 1W, 0.1mW; 10 dBm, 1dBm, -3dBm, 20dBm.
Determine the output power for the following cable lengths with a 100mW
input power. Assume a cable loss of 6.7 dB per 100 feet (30m).
(i) 200 feet
A dipole antenna is fed with 10mW. What is the maximum output power of the
antenna within the main beam? [Ans: 2.14dBm]
6. A dipole antenna is fed with 100mW, with a standard dipole antenna. What is
the maximum EIRP value? [Ans: 22.14dBm]
7. How long does it take a radio wave to travel 100km? [Ans: 333.3 μs]
8. If two antennas are located at a distance of 5km apart, and are operating at
2.4GHz, what is the Fresnel radius? [Ans: 12.5m]
9. If two antennas are located at a distance of 5km apart, and are operating at
5GHz, what is the Fresnel radius? [Ans: 8.66m]
10.
11.
12. If two antennas are placed two miles apart and operate at a frequency of 2.4GHz,
what is the free space loss? [Ans: 110.2m]
13. If two antennas are placed two miles apart and operate at a frequency of 2.4GHz,
and the power transmitted is 10W (10dB), what is the received power in dBs?
[Ans: -100.2dB]
7.1 Introduction
Security is becoming a major concern in IT, and a major concern in networking and
the Internet, and wireless systems are probably more open to abuse than any other
networking system. Thus they must be designed and implemented carefully in order
that security is not compromised, and that valuable bandwidth is not wasted. With the
Aironet, the traffic can be filtered in a number of ways:
- MAC addresses. This filters based on incoming and outgoing MAC addresses in
the data frame.
- Source IP address. The address that the data packet was sent from.
- Destination IP address. The address that the data packet is destined for.
- Source TCP port. The port that the data segment originated from. Typical ports
which could be blocked are: FTP (port 21); TELNET (port 23); and WWW (port
80).
- Destination TCP port. The port that the data segment is destined for.
- Protocol type. This filters for UDP or TCP traffic.
On Cisco devices, access control lists (ACLs) are typically used to filter traffic.
For example, to disallow the node with the MAC address 0090.4b54.d83a access to
0060.b39f.cae1:
(config)# access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0
(config)# access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff
where the 0.0.0 element identifies that the MAC address must match exactly,
while ffff.ffff.ffff defines that any address will match. The permit at the
end is important, as the device processes the access-list rules one at a time, and if a frame
does not match any of the rules, it will drop the data frame. The access-list is applied
to the radio port with:
(config)# int d0
(config-if)# l2-filter bridge-group-acl
(config-if)# bridge-group input-address-list 1101
where:
- l2-filter bridge-group-acl. Defines that a Layer 2 access control list (ACL) filter is
applied to incoming and outgoing data frames.
- bridge-group input-address-list 1101. This applies the access list to an interface
(in this case, access list number 1101).
An alternative is to use:
(config-if)# bridge-group 1 output-pattern 1101
In this case an example of the ARP cache is (when the node was connected to the
clients):
ap# show arp
Protocol  Address        Age (min)  Hardware Addr   Type  Interface
Internet  192.168.1.110  1          000d.65a9.cb1b  ARPA  BVI1
Internet  192.168.1.101  2          0060.b39f.cae1  ARPA  BVI1
Internet  192.168.1.103  1          0009.7c85.87f1  ARPA  BVI1
Internet  192.168.1.115             0090.4b54.d83a  ARPA  BVI1
where the source is the source address, and source-mask defines the bits which are
checked. For example, if we had a network address of 156.1.1.0 with a subnet mask of
255.255.255.0, we could bar all the traffic from the host 156.1.1.10 from gaining access
to the external network with:
(config)# access-list 1 deny 156.1.1.10 0.0.0.0
where the 0.0.0.0 part defines that all the bits of the address are checked. The
source-mask is known as the wild-card mask, where a 0 identifies that the
corresponding bit in the address field should be checked, and a 1 defines that it should
be ignored. Thus if we wanted to bar all the hosts on the 156.1.1.0 subnet then we
could use:
(config)# access-list 1 deny 156.1.1.0 0.0.0.255
Once the access-list is created, it can then be applied to a number of ports with a
command such as:
(config)# interface D0
(config-if)# ip access-group 1 in
which will bar all access from the 156.1.1.0 subnet on incoming traffic at the D0
port (Figure 7.1).
Figure 7.1 Standard ACL applied to the D0 port (ports E0 156.1.1.2 and D0 156.1.1.130; hosts 161.10.11.12 and 161.10.11.13)
ACLs should be placed in the optimal place, so that they reduce the amount of
unwanted traffic on the network/Internet. As a standard ACL cannot determine the
destination address, it should be placed as near as possible to the destination that
is barred. If it were placed at the source it would also block other traffic which is not
barred (Figure 7.2).
Figure 7.2 Standard ACL placed near the destination, on port E0 (hosts 156.1.1.2, 156.1.1.130, 161.10.11.12 and 161.10.11.13)
!
interface E0
ip address 120.11.12.13 255.255.255.0
ip access-group 1 in
!
access-list 1 deny 156.1.1.0 0.0.0.255
access-list 1 permit any
which applies standard ACL 1 to the incoming traffic on port E0.
7.3.1
For example:
(config)# access-list 100 deny ip host 156.1.1.134 156.70.1.1 0.0.0.0
(config)# access-list 100 permit ip any any
This creates an access-list group with a value of 100. The first line defines that the
source host 156.1.1.134 is not allowed to access the destination 156.70.1.1, and the
last part (0.0.0.0) defines that the firewall should match all of the bits in the
destination address. Thus, in this case, the host with an IP address of 156.1.1.134 is
not allowed to access the remote computer 156.70.1.1. It can access any other
computer, though, as the second line allows all other accesses.
We can expand this to be able to check a whole range of bits in the address. This
is achieved by defining a wild-card mask. With this we use 0s in the positions of the
address that we want to match, and 1s in the parts which are not checked. Thus if
we wanted to bar all the hosts on the 156.1.1.0 subnet from accessing the 156.70.1.0
subnet we would use the following (Figure 7.3):
(config)# access-list 100 deny ip 156.1.1.0 0.0.0.255 156.70.1.0 0.0.0.255
(config)# access-list 100 permit ip any any
Thus an address from 156.1.1.1 to 156.1.1.254 will not be able to access any address
on the 156.70.1.0 network.
If we have a Class B address with a subnet in the third field (such as 156.1.1.0),
and we define that we shall allow all odd IP addresses to pass through to a given
destination (such as 156.70.1.1) and bar all even IP addresses, we could implement
the following:
(config)# access-list 100 deny ip 156.1.1.0 0.0.0.254 host 156.70.1.1
(config)# access-list 100 permit ip any any
This will allow any host with an odd number (such as 1, 3, 5, and so on) to access the
156.70.1.1 host. The wildcard mask (0000 0000 0000 0000 0000 0000 1111 1110) checks
only the least significant bit of the address; if that bit is a 0 the condition matches,
and traffic from the even-numbered hosts to 156.70.1.1 is denied.
We can also bar access to complete parts of destination addresses. For example, if
we wanted to bar all odd addresses from accessing the 156.70.1.0 subnet:
(config)# access-list 100 deny ip 156.1.1.1 0.0.0.254 156.70.1.0 0.0.0.255
(config)# access-list 100 permit ip any any
Once the access-list is created, it can then be applied to a number of ports with a
command such as:
Router(config)# interface D0
Router(config-if)# ip address 156.1.1.130 255.255.255.192
Router(config-if)# ip access-group 100 in
which applies the access-list with a value of 100 to port D0 on incoming traffic (that is,
traffic which is coming into this router port).
Figure 7.3 Extended ACL applied to the D0 port (ports E0 156.1.1.2 and D0 156.1.1.130; hosts 161.10.11.12 and 161.10.11.13)
The firewall can also filter on TCP/UDP ports, using the tcp or udp keyword. It
has a similar syntax:
(config)# access-list access-list-value {permit | deny} {tcp | udp | igrp} source source-mask destination destination-mask {eq | neq | lt | gt} port
For example:
access-list 101 deny tcp 156.1.1.0 0.0.0.254 eq telnet host 156.70.1.1 eq telnet
access-list 101 permit ip any any
denies telnet traffic from the even addresses of the 156.1.1.0 subnet to the 156.70.1.1
host, which is also destined for the telnet port (port 23).
As previously defined, ACLs should be placed in the optimal place, so that they
reduce the amount of unwanted traffic on the network/Internet. As an extended ACL
allows us to check the source and the destination, the extended ACL should be
placed as near as possible to the source of the traffic (Figure 7.4).
Figure 7.4 Extended ACL placed near the source on port D0: traffic from 156.1.1.0 to the barred site 140.5.6.7 is blocked (hosts 156.1.1.2, 156.1.1.130, 161.10.11.12 and 161.10.11.13)
!
interface D0
ip address 156.1.1.130 255.255.255.0
ip access-group 100 in
!
access-list 100 deny ip 156.1.1.0 0.0.0.255 140.5.6.7 0.0.0.255
access-list 100 permit ip any any
7.4.1
(config-ext-nacl)#deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
(config-ext-nacl)#deny tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
(config-ext-nacl)#deny tcp 192.168.1.0 ?
  A.B.C.D  Source wildcard bits
(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers
(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255
access. For this, an ACL can be created which blocks ICMP access. An example of
blocking a ping from 192.168.1.1 to 192.168.1.110:
ip access-list extended Test
deny icmp 192.168.1.1 0.0.0.0 192.168.1.110 0.0.0.0
permit ip any any
Octet  Address     Wildcard mask  Matched values
182    1011 0110b  0000 0000b     182
2      0000 0010b  0000 0000b     2
1      0000 0001b  0000 0000b     1
128    1000 0000b  0011 1111b     128 (1000 0000b) to 191 (1011 1111b)
The range of barred addresses will thus be from 182.2.1.128 to 182.2.1.191 (a wildcard
mask of 0.0.0.63). These will be barred WWW access to the 180.70.1.0 subnet (from
180.70.1.0 to 180.70.1.255, using 180.70.1.0 0.0.0.255 eq www).
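The wildcard-mask rule used throughout this section, the odd/even trick with 0.0.0.254, the 128 to 191 range worked out above, the MAC access-list 1101 and first-match evaluation with the implicit deny, carried through in Python as an added example (this is not code from the notes or from Cisco IOS; the ACL entries are transcribed from this section, and the 182.2.1.128 0.0.0.63 entry is constructed from the binary table above):

```python
"""Cisco-style wildcard-mask matching and first-match ACL evaluation.

Added example, not from the lecture notes.  A 0 bit in the wildcard mask means
"this bit must match", a 1 bit means "ignore this bit"; entries are tried top to
bottom and a packet matching nothing hits the implicit deny.  The same rule is
applied to IPv4 addresses and to the dotted-hex MACs of the bridge-group ACL.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_addr(text: str) -> bytes:
    """IPv4 dotted decimal (156.1.1.10) or Cisco dotted-hex MAC (0090.4b54.d83a,
    0.0.0, ffff.ffff.ffff) to raw bytes."""
    parts = text.split(".")
    if len(parts) == 4:
        octets = [int(p) for p in parts]
        if any(not 0 <= o <= 255 for o in octets):
            raise ValueError(f"bad IPv4 address: {text}")
        return bytes(octets)
    if len(parts) == 3:
        return bytes.fromhex("".join(p.zfill(4) for p in parts))
    raise ValueError(f"unrecognised address: {text}")


def fmt_addr(raw: bytes) -> str:
    """Inverse of parse_addr: 4 bytes -> dotted decimal, 6 bytes -> dotted hex."""
    if len(raw) == 4:
        return ".".join(str(b) for b in raw)
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in (0, 4, 8))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when every bit the mask says to check (mask bit 0) equals base."""
    a, b, w = parse_addr(addr), parse_addr(base), parse_addr(wildcard)
    if not len(a) == len(b) == len(w):
        raise ValueError("address, base and wildcard must be the same family")
    return all(((x ^ y) & (~m & 0xFF)) == 0 for x, y, m in zip(a, b, w))


def wildcard_bounds(base: str, wildcard: str) -> Tuple[str, str, int]:
    """Lowest and highest address a base/wildcard pair can match, and how many
    addresses it matches (2 to the power of the number of 1 bits in the mask)."""
    b, w = parse_addr(base), parse_addr(wildcard)
    low = bytes(x & (~m & 0xFF) for x, m in zip(b, w))
    high = bytes(x | m for x, m in zip(b, w))
    count = 1 << sum(bin(m).count("1") for m in w)
    return fmt_addr(low), fmt_addr(high), count


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    src: str
    src_wc: str
    dst: Optional[str] = None       # None = any destination
    dst_wc: Optional[str] = None
    dst_port: Optional[int] = None  # None = any port; set models "eq port"


def acl_decision(acl: List[AclEntry], src: str, dst: str,
                 dst_port: Optional[int] = None) -> str:
    """Walk the list in order; the first matching entry decides.  A packet that
    matches no entry falls through to the implicit deny at the end."""
    for e in acl:
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if e.dst is not None and not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"


ANY4 = ("0.0.0.0", "255.255.255.255")   # the IPv4 "any" keyword

# deny ip 156.1.1.0 0.0.0.254 host 156.70.1.1 / permit ip any any (from the notes)
BAR_EVEN_HOSTS = [
    AclEntry("deny", "156.1.1.0", "0.0.0.254", "156.70.1.1", "0.0.0.0"),
    AclEntry("permit", *ANY4, *ANY4),
]
# Constructed from the binary table: 182.2.1.128 0.0.0.63 covers .128 to .191
BAR_WWW_RANGE = [
    AclEntry("deny", "182.2.1.128", "0.0.0.63", "180.70.1.0", "0.0.0.255", 80),
    AclEntry("permit", *ANY4, *ANY4),
]
# access-list 1101: the bridge-group MAC ACL from the notes
MAC_ACL = [
    AclEntry("deny", "0090.4b54.d83a", "0.0.0", "0060.b39f.cae1", "0.0.0"),
    AclEntry("permit", "0.0.0", "ffff.ffff.ffff", "0.0.0", "ffff.ffff.ffff"),
]
# A closed firewall: a single permit, so everything else hits the implicit deny
CLOSED = [AclEntry("permit", "180.2.1.134", "0.0.0.0", "180.70.1.1", "0.0.0.0")]
```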
Whereas a closed firewall will restrict traffic, and only allow certain network
addresses and/or ports, such as:
access-list 100 permit ip host 180.2.1.134 host 180.70.1.1
access-list 100 deny ip any any
7.8 Tutorial
For a network which has an access point at 192.168.0.110 and five wireless
clients from 192.168.0.1 to 192.168.0.5, with an SSID of APskills, complete the
following:
7.8.1
Create a firewall that blocks ping access to all other nodes on the network.
Test it, and then restore ping access.
7.8.2
Create a firewall that bars TELNET access from 192.168.0.2 to the wireless
access point. All other nodes should be able to telnet into the access point.
Next do the opposite where only the node 192.168.0.2 is allowed to TELNET
into the access point, and the rest are not.
7.8.3
Create a firewall that bars SNMP access from all the nodes on the network to
the wireless access point. All other nodes should be able to telnet into the
access point.
7.8.4
Enable the small-servers on the wireless access point, and access the time
server port (port 7), and prove that it works from each of the clients.
Implement a firewall on the wireless access point to bar time server access
from 192.168.0.1 to the access point. Make sure that all the other nodes can
still access the port.
7.8.5
Create a firewall which blocks all the addresses which have even-numbered IP
addresses from accessing the web server on the access point, such as:
7.8.6
Create a network of wireless clients where the access point has an address of
192.168.0.110, and create a firewall which blocks all the addresses which have
odd-numbered IP addresses from accessing the web server on the access point, such
as:
7.8.7
7.8.8
Create a firewall rule which allows hosts with addresses from 192.168.5.128 to
192.168.5.254 access to the Web server on the access point, and bars the rest of
the nodes.
7.8.9
Create a firewall rule which allows hosts with addresses from 192.168.5.64 to
192.168.5.254 access to the Web server on the access point, and bars the rest of
the nodes.
Copyright statement
This unit has been designed as an integrated unit, and should not
be modified without the authors consent.
Prof Bill Buchanan, Sept 2008
VLANs
8.1 Introduction
Layer 2 devices, such as network switches and wireless access points, can be used to
create virtual LANs (vLANs), which can enhance network security, as they can be used
to isolate one network from another, even if both connect to the same access device.
A vLAN can also be created which spans multiple access points, and can thus lead to
the concept of open-plan networks. For wireless devices they can be used to connect
users together onto the same network, no matter which access point they connect
to.
8.2 vLANs
vLANs are a new technology which uses software to define a broadcast domain,
rather than any physical connections. In a vLAN a message transmitted by one node
is only received by the other nodes which meet a certain criterion for membership of
the domain. It is made by logically grouping two or more nodes with a vLAN-capable
switching device, such as an intelligent switch (which uses the MAC address to
forward data frames) or a router (which uses the network address to route data
packets). The important concept with vLANs is that the domain is defined by software,
and not by physical connections.
There are two methods that can define the logical grouping of nodes within a
vLAN:
Implicit tagging. This uses a special tagging field which is inserted into the data
frames or within data packets. It can be based upon the MAC address, a switch
port number, protocol, or another parameter by which nodes can be logically
grouped. The main problem with implicit tagging is that different vendors create
different tags, which makes vendor interoperability difficult. This is known as
frame filtering.
Explicit tagging. This uses an additional field in the data frame or packet header.
This can also lead to incompatibility problems, as different vendors' equipment
may not be able to read or process the additional field. This is known as frame
identification.
It is thus difficult to create truly compatible vLANs until implicit and explicit tags
are standardized. One example of creating a vLAN is to map the ports of a switch to
create two or more virtual LANs. For example, a switch could connect to two servers
and 16 clients. The switch could be configured so that eight of the clients connect to
one server through a vLAN, and the other eight to the other server. This setup is
configured in software, and not by the physical connections of the network. Figure 8.1
shows a possible implementation where nodes 1 to 8 form a vLAN through the switch
with Server1, and nodes 9 to 16 form a vLAN with Server2. The switch maps ports to
create the vLANs, so that the two networks are now independent broadcast domains
(network segments), and only receive the broadcasts from their own virtual LAN.
Normally a switch would connect any one of its ports to any other port, and allow
simultaneous connections. In this case, the switch allows for multiple connections onto
a segment. Now, with the vLAN, data frames transmitted on one network segment stay
within that segment and are not transmitted to the other vLAN.
Figure 8.1 Creating a vLAN by mapping ports of a switch (VLAN1: PC1 to PC8 with Server1; VLAN2: PC9 to PC16 with Server2)
them. This makes much better use of bandwidth than workgroup users who
span network segments. The amount of broadcast traffic on the whole network is
also reduced, as broadcasts can be isolated within each of the workgroups. A
typical drain on network bandwidth is when network servers broadcast their
services at regular intervals (in Novell NetWare this can be once every minute,
and is known as the Service Advertising Protocol). With vLANs these broadcasts
would be contained within each of the vLANs that the server is connected to.
Microsegmentation. This involves dividing a network into smaller segments,
which will increase the overall bandwidth available to networked devices.
Enhanced security. vLANs help to isolate network traffic, so that traffic which
stays within a vLAN will not be transmitted outside it. Thus it is difficult for an
external user to listen to any of the data transmitted across the vLAN, unless they
can get access to one of the ports of the vLAN device. This can be difficult, as it
would require a physical connection, and increases the chances of the external
user being caught spying on the network.
Relocate servers into secured locations. vLANs allow servers to be put in a
physical location in which they cannot be tampered with. This will typically be
a secure room which is under lock and key. The vLAN can then be used to map
hosts to servers.
Easy creation of IP subnets. vLANs allow the creation of IP subnets which are
not dependent on the physical location of a node. Users can also remain part of a
subnet, even if they move their computer.
Figure 8.2 vLANs using a backbone and switches (data frames for VLAN1 and VLAN2 carried across the backbone)
Static vLANs. These are ports on a switch that are statically assigned to a VLAN.
They remain permanently assigned until they are changed by the administrator.
Static vLANs are secure and easy to configure, and are useful where vLANs are
fairly well defined.
Dynamic VLANs. These are ports on a switch which automatically determine
their VLAN assignment. This is achieved with intelligent management software,
using MAC addresses, logical addressing, or the protocol type of the data
packets. Initially, when a node connects to the switch, the switch looks up its MAC
address entry in the VLAN management database and dynamically configures
the port with the corresponding VLAN configuration. The advantage of dynamic
vLANs is that they require less setup from the administrator (but the database
must be created initially).
Figure (unnumbered): VLAN1 and VLAN2 as separate broadcast domains
Note that a broadcast domain extends the full length of the vLAN, and not onto
other vLANs. A router does not forward broadcasts, thus the vLAN is isolated from
other networks. The router provides intercommunication between vLANs, and security
is enhanced by implementing security restrictions on the ports of the router.
Figure (unnumbered): VLAN1 and VLAN2 intercommunicate through the router
Next the sub-interfaces for the radio port can then be defined to use IEEE 802.1Q
tagging, and assigned to a bridge group:
(config)# interface Dot11Radio0.1
(config-if)# encapsulation dot1Q 1 native
(config-if)# bridge-group 1
(config-if)# interface Dot11Radio0.2
(config-if)# encapsulation dot1Q 2
(config-if)# bridge-group 2
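An added Python example, not part of these notes, showing the explicit tag that IEEE 802.1Q inserts into a frame and how the two sub-interfaces above would sort received frames into bridge groups; the frame layout follows the 802.1Q standard, the sub-interface table mirrors the configuration just shown, and the sample frames and MAC addresses are constructed here rather than captured:

```python
"""Explicit VLAN tagging with IEEE 802.1Q and trunk sub-interface mapping.

Added example, not from the lecture notes.  An 802.1Q tag is four bytes placed
after the source MAC: the TPID 0x8100 and a 16-bit TCI whose low 12 bits carry
the VLAN ID.  Untagged frames belong to the native VLAN of the trunk.
"""
import struct
from typing import List, NamedTuple, Optional

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


class Frame(NamedTuple):
    dst: bytes
    src: bytes
    vlan: Optional[int]   # None when the frame carries no 802.1Q tag
    ethertype: int        # EtherType of the payload (after any tag)
    payload: bytes


class SubInterface(NamedTuple):
    name: str
    vlan: int
    native: bool          # untagged frames belong to the native VLAN
    bridge_group: int


# Mirrors the configuration in the text: Dot11Radio0.1 is dot1Q 1 native in
# bridge-group 1, Dot11Radio0.2 is dot1Q 2 in bridge-group 2.
RADIO_TRUNK: List[SubInterface] = [
    SubInterface("Dot11Radio0.1", 1, True, 1),
    SubInterface("Dot11Radio0.2", 2, False, 2),
]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet frame, inserting an 802.1Q tag when vlan is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        # TCI = PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header and, if present, the 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan = tci & 0x0FFF
        offset = 18
    return Frame(dst, src, vlan, ethertype, raw[offset:])


def bridge_group_for(raw: bytes, trunk: List[SubInterface]) -> Optional[int]:
    """Bridge group a frame received on the trunk is switched into.

    Untagged frames go to the native VLAN sub-interface, tagged frames to the
    sub-interface configured for that VLAN ID, and frames tagged with a VLAN
    that has no sub-interface are dropped (None).  This is the isolation the
    text describes: traffic stays inside its own bridge group.
    """
    frame = parse_frame(raw)
    for sub in trunk:
        if frame.vlan is None and sub.native:
            return sub.bridge_group
        if frame.vlan is not None and sub.vlan == frame.vlan:
            return sub.bridge_group
    return None


def egress(raw: bytes, sub: SubInterface) -> bytes:
    """Re-encode a frame for transmission on a sub-interface: the native VLAN
    sends it untagged, any other VLAN sends it with its 802.1Q tag."""
    f = parse_frame(raw)
    return build_frame(f.dst, f.src, f.ethertype, f.payload,
                       vlan=None if sub.native else sub.vlan)


# Constructed sample frames (not captured traffic); payload is a dummy IPv4 header.
PC1 = bytes.fromhex("000d65a9cb1b")
SERVER1 = bytes.fromhex("0060b39fcae1")
DUMMY_IP = b"\x45" + b"\x00" * 19
UNTAGGED = build_frame(SERVER1, PC1, ETHERTYPE_IPV4, DUMMY_IP)
TAGGED_VLAN2 = build_frame(SERVER1, PC1, ETHERTYPE_IPV4, DUMMY_IP, vlan=2, pcp=5)
TAGGED_VLAN3 = build_frame(SERVER1, PC1, ETHERTYPE_IPV4, DUMMY_IP, vlan=3)

if __name__ == "__main__":
    for name, raw in [("untagged", UNTAGGED), ("vlan 2", TAGGED_VLAN2), ("vlan 3", TAGGED_VLAN3)]:
        print(f"{name:9s} -> bridge group {bridge_group_for(raw, RADIO_TRUNK)}")
```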
Dot11Radio0.1
   Protocols Configured:   Address:          Received:   Transmitted:
        Bridging        Bridge Group 1          17            9
        Bridging        Bridge Group 1          17            9
Dot11Radio0.2
   Protocols Configured:   Address:          Received:   Transmitted:
        Bridging        Bridge Group 2           1            0
        Bridging        Bridge Group 2           1            0
Devices on each VLAN should not be able to communicate with each other. If they
need to, it is possible to assign them to the same bridge-group with:
User groups. This is used to define different security policies for user groups,
such as between full-time staff and guests.
Device types. This could relate to the different types of device which connect, such
as simple wireless devices which can only support simple security methods, and
more complex ones such as workstations.
Figure (unnumbered): SSIDs VLAN1, VLAN2 and VLAN3, each mapped to its own VLAN
(config-if)# encapsulation dot1q 1 native
(config-if)# int fa0.1
(config-if)# encapsulation dot1q 1 native
(config-if)# int d0.2
(config-if)# encapsulation dot1q 2
(config-if)# bridge-group 2
(config-if)# int fa0.2
(config-if)# encapsulation dot1q 2
(config-if)# bridge-group 2
(config-if)# exit
In this case FA0/1, FA0/2 and FA0/3 on the switch are used as trunk ports, where
VLAN 1 and 2 are trunked between the ports. Thus a node on one access point can
communicate with a node on a different access point, provided they are on the same
VLAN. On the access point, a show vlan command should identify the connections:
Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces:   Dot11Radio0.1
Virtual-Dot11Radio0.1
This is configured as native Vlan for the following interface(s) :
Dot11Radio0
Virtual-Dot11Radio0
   Protocols Configured:   Address:          Received:   Transmitted:
        Bridging        Bridge Group 1          17            9
        Bridging        Bridge Group 1          17            9
Virtual LAN ID:  2 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces:   Dot11Radio0.2
Virtual-Dot11Radio0.2
   Protocols Configured:   Address:          Received:   Transmitted:
        Bridging        Bridge Group 2           1            0
        Bridging        Bridge Group 2           1            0
This will then allow routing between the VLANs, so that all of the nodes should now
be able to communicate. Also the default gateway for nodes in VLAN 1 is set to
10.0.0.254, and for VLAN 2 to 10.0.1.254. This will send all the unknown traffic to the
switch.
9.1 Introduction
There are many issues that will affect wireless over the next few years. These include:
More bandwidth. The demand for wireless bandwidth will increase, especially
with Voice/Video over IP.
Better use of bandwidth. The current usage of bandwidth in wireless is
inefficient, and does not provide a great deal of bandwidth for each unit of physical
space.
Mobility. This will allow users to move through wireless spaces and keep their
connections, seamlessly.
Scalability. This will allow for large-scale networks.
Convergence. This will allow many different types of wireless systems to be
integrated together, especially for different device types and different types of
wireless (Bluetooth, UWB, IEEE 802.11, and so on).
Compatibility.
Power consumption.
Security.
This unit looks at some of the evolving technologies, including WiMax, UWB, and
4G.
The basic ranges and data rates for each of the main technologies are given in Figure
9.2. For WPAN, the technology moves from ZigBee (good coverage, low data rate) to
Bluetooth (medium data rate, low coverage) and then on to UWB (highest data rates).
IEEE 802.11 has reasonable data rates, but limited coverage. This gap can be
filled by IEEE 802.16 (WiMax) and/or cellular technology (GSM 2G, 3G and now
on to 4G).
Figure 9.2 Range against data rate (Mbps, 0.01 to 1000). Labels: Cellular (Mobile) 2G, 3G; WMAN (Fixed) 4G, IEEE 802.16; WLAN WiFi (100m); WPAN ZigBee (300m), Bluetooth (10m), UWB
9.3 WiMax
One of the major problems in networking is the last mile problem, where the cables
that connect households are typically of poor quality, and are thus limited in their
bandwidth capacity. WiMax provides:
a standards-based technology enabling the delivery of last mile wireless
broadband access as an alternative to cable and DSL, based on IEEE 802.16
and connects devices through Wi-Fi hotspots. It also provides 4G services (high-speed
mobile data and telecommunications services) and, at present, backup Internet access
and mobility.
WiMax is typically a compromise of either high bandwidth with lower coverage, or
high coverage with lower bandwidth. The data rates are reasonable, with a rate of 70Mbps
for 70 miles (112km), but more typically, for line-of-sight, 10Mbps at 10km
(shared), and for non-line-of-sight around 10Mbps for 3km (shared). Users then
have 2, 4, 8 or 10 Mbps out of an available bandwidth of 100Mbps for a region. The main
application for WiMax is likely to be to span wide areas (Figure 9.4), where the
wireless provides a backbone to local connections within homes and businesses, with
antennas relaying data for line-of-sight connections.
9.4 UWB
To be covered in the lecture.
9.5 4G
To be covered in the lecture.
9.7 RFID
To be covered in the lecture.
10 Wireless LANs Challenges
10.1 Introduction
The following relates to the wireless emulator challenges. Refer to:
http://networksims.com/simtests.html for the Wireless test
http://networksims.com/downloads/napier.zip for the Simulator (register with your
Napier matriculation ID).
Explanation
One of the most popular access points for creating infrastructure networks is the
Cisco Aironet 1200 device, which is an industry-standard wireless access point. It has
two main networking ports: a radio port named Dot11radio0 (D0) and an Ethernet one
(E0 or FA0). Each of these ports can be programmed with an IP address, but a special
port named BVI1 is normally used to define the IP address for both ports. Figure 1
outlines this, and how the port is programmed.
Figure 1 Cisco Aironet 1200 ports: dot11radio0 (or d0), e0 (or fa0), con, and antenna connector; the bvi1 port is used to configure both ports with the same address
# config t
(config)# int bvi1
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# exit
Explanation
Note that the setting of the SSID is now done in the global configuration mode, and the
SSID is then associated with the D0 port.
Explanation
The radio SSID (Service Set ID) uniquely identifies a wireless network within a
limited physical domain. It is set up within the access point with:
# config t
(config)# int dot11radio0
(config-if)# ssid fred
(config-if-ssid)# guest-mode
which sets up an SSID of fred, and allows guest-mode. Along with the SSID it is also
possible to define a beacon time, where a beacon signal is sent out at a given time
interval, such as:
# config t
(config)# int dot11radio0
(config-if)# beacon ?
  dtim-period  dtim period
  period       beacon period
(config-if)# beacon period ?
  <20-4000>  Kusec (or msec)
(config-if)# beacon period 1000
Channel  Frequency (MHz)
1        2412
2        2417
3        2422
4        2427
5        2432
6        2437
7        2442
8        2447
9        2452
10       2457
11       2462
12       2467
13       2472
14       2484
10.6 Challenge 5
The following sets up radio port settings:
> en
# config t
(config)# enable ?
  last-resort  Define enable action if no TACACS servers respond
  password     Assign the privileged level password
  secret       Assign the privileged level secret
  use-tacacs   Use TACACS to check enable passwords
(config)# enable password hotel
(config)# enable secret hotel
(config)# username lynn password foxtrot
(config)# ip http server
Explanation
A wireless access point is typically accessible through the TELNET and/or HTTP
protocol. The HTTP service is important as it allows remote access through a Web
browser, and can be authenticated locally with:
# config t
(config)# username ?
(config)# username fred password bert
(config)# ip http ?
(config)# ip http server
(config)# ip http authentication local
(config)# exit
This type of authentication is not the most secure, but it offers a simple way to block
access to the access point. Thus, when a user tries to access the wireless access
point they will not be allowed to connect unless they have the correct username and
password, as shown in Figure 1. If the user has the correct username and
password, the Web page will show the device settings (left-hand side of Figure 2);
otherwise there will be an authentication failure (right-hand side of Figure 2).
Often a new HTTP port is required (to stop users from trying to access the Web
page). Thus to change the port:
# config t
(config)# ip http port 8080
Now we cannot access the Web page with the standard port (80), and we must
add a colon and the port number to the address, as shown in Figure 3.
10.7 Challenge 6
The following sets up radio port settings:
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# beacon ?
  dtim-period  dtim period
  period       beacon period
(config-if)# beacon period ?
  <20-4000>  Kusec (or msec)
(config-if)# beacon period 2000
(config-if)# power ?
  client  Client radio transmitter power level
  local   Local radio transmitter power level
(config-if)# power local ?
  <1-50>   One of: 1 5 20 30 50
  maximum  Set local power to allowed maximum
(config-if)# power local 5
(config-if)# power client ?
  <1-50>   One of: 1 5 20 30 50
  maximum  Set client power to allowed maximum
(config-if)# power client 5
(config-if)# ?
Interface configuration commands:
  access-expression  Build a bridge boolean access expression
  antenna            dot11 radio antenna setting
  arp                Set arp type (arpa, probe, snap) or timeout
  bandwidth          Set bandwidth informational parameter
  beacon             dot11 radio beacon
  bridge-group       Transparent bridging interface parameters
  broadcast-key      Configure broadcast key rotation period
  carrier-delay      Specify delay for interface transitions
  cdp                CDP interface subcommands
  channel
  countermeasure
  custom-queue-list
  dampening
  default
  delay
  description
  dot11
  dot1x
  encryption
  exit
  fair-queue
  fragment-threshold
  help
  hold-queue
  infrastructure-client
  ip
  keepalive
  l2-filter
  load-interval
  logging
  loopback
  mac-address
  max-reserved-bandwidth
  mtu
  no
  ntp
  packet
  parent
  payload-encapsulation
  power
  preamble-short
  priority-group
  random-detect
  an
  rts
  service-policy
  shutdown
  snmp
  speed
  ssid
  station-role
  timeout
  traffic-class
  transmit-interface
  tx-ring-limit
  world-mode
(config-if)# world-mode ?
  <cr>
(config-if)# world-mode
(config-if)# no shut
(config-if)# speed ?
  1.0         Allow 1 Mb/s rate
  11.0        Allow 11 Mb/s rate
  2.0         Allow 2 Mb/s rate
  5.5         Allow 5.5 Mb/s rate
  basic-1.0   Require 1 Mb/s rate
  basic-11.0  Require 11 Mb/s rate
  basic-2.0   Require 2 Mb/s rate
  basic-5.5   Require 5.5 Mb/s rate
  range       Set rates for best range
  throughput  Set rates for best throughput
  <cr>
(config-if)# speed 1.0
(config-if)# ssid fred
(config-if-ssid)# max-assoc ?
  <1-255>  association limit
(config-if-ssid)# max-assoc 9
10.8 Challenge 7
The following sets up radio port settings:
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# station ?
  repeater  Repeater access point
  root      Root access point
(config-if)# station root
(config-if)# antenna ?
  receive   receive antenna setting
  transmit  transmit antenna setting
(config-if)# antenna receive ?
  diversity  antenna diversity
  left       antenna left
  right      antenna right
(config-if)# antenna receive diversity
(config-if)# antenna transmit left
(config-if)# ssid michigan
(config-if-ssid)# guest-mode
A major factor in wireless LANs is the multipath problem, where waves can take
differing paths to get to a destination. These multipaths can cause fading and
distortion of the radio waveform. If different waves arrive at a receiver with
different time delays they can distort the received signal. One of the ways to
overcome this problem is to use diversity, which uses more than one antenna. It is
likely that one of the antennas will experience fewer multipath problems than the other
antennas. It is thus important that diversity antennas are physically separated from
each other, and, so as to reduce the problem of null points, they can be moved
around the physical space. The antenna can be set for both the transmit and receive
options. These can be:
Diversity. With this the WAP uses the antenna on which the best signal is being
received.
Right. This is where the antenna is on the right of the WAP, and is highly
directional.
Left. This is where the antenna is on the left of the WAP, and is highly directional.
10.9 Challenge 8
The following sets up radio port settings:
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# ssid oklahoma
(config-if)# rts ?
  retries    RTS max retries
  threshold  RTS threshold
(config-if)# rts threshold ?
  <0-2347>  threshold in bytes
(config-if)# rts threshold 19
(config-if)# rts retries 24
(config-if)# ssid oklahoma
(config-if-ssid)# max-assoc 24
(config-if-ssid)# exit
(config-if)# fragment ?
  <256-2346>
(config-if)# fragment 1091
(config-if)# channel 4
10.10 Challenge 9
The following sets up radio port settings:
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# packet ?
  retries  retries
(config-if)# packet retries ?
  <1-128>  max packet retries before giving up
(config-if)# packet retries 7
(config-if)# preamble-short
(config-if)# ssid oklahoma
(config-if-ssid)# max-assoc 24
(config-if-ssid)# exit
(config-if)# fragment ?
  <256-2346>
(config-if)# fragment 1091
(config-if)# channel 4
on
212.72.52.7
buffer 440240
host 138.24.170.8
trap emergency
monitor emergency
console emergency
buffer emergency
old-slip-prompts
pad
password-encryption
prompt
pt-vty-logging
sequence-numbers
slave-log
tcp-keepalives-in
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  enable            Enable SNMP Traps or Informs
  engineID          Configure a local or remote SNMPv3 engineID
  group             Define a User Security Model group
  host              Specify hosts to receive SNMP notifications
  ifindex           Enable ifindex persistence
  inform            Configure SNMP Informs options
  location          Text for mib object sysLocation
  manager           Modify SNMP manager parameters
  packetsize        Largest SNMP packet size
  queue-length      Message queue length for each TRAP host
  system-shutdown   Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap              SNMP trap options
  trap-source       Assign an interface for the source address of all traps
  trap-timeout      Set timeout for TRAP message retransmissions
  user              Define a user who can access the SNMP engine
  view              Define an SNMPv2 MIB view
(config)# snmp-server community popup
(config)# snmp-server contact june
(config)# snmp-server location glasgow
(config)# snmp-server ?
  chassis-id        String to uniquely identify this chassis
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  enable            Enable SNMP Traps or Informs
  engineID          Configure a local or remote SNMPv3 engineID
  group             Define a User Security Model group
  host              Specify hosts to receive SNMP notifications
  ifindex           Enable ifindex persistence
  inform            Configure SNMP Informs options
  location          Text for mib object sysLocation
  manager           Modify SNMP manager parameters
  packetsize        Largest SNMP packet size
  queue-length      Message queue length for each TRAP host
  system-shutdown   Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap              SNMP trap options
  trap-source       Assign an interface for the source address of all traps
  trap-timeout      Set timeout for TRAP message retransmissions
  user              Define a user who can access the SNMP engine
  view              Define an SNMPv2 MIB view
(config)# snmp-server enable ?
informs Enable SNMP Informs
traps
Enable SNMP Traps
(config)# snmp-server enable traps
(config)# snmp-server chassis-id brighton
  mac-address      MAC address of the primary AP
  poll-frequency   Standby polling frequency
  timeout          Standby polling timeout
(config)# iapp standby mac-address 00e0.9143.5615
(config)# iapp standby timeout ?
  <5-600>  Standby polling timeout in seconds
(config)# iapp standby timeout 234
(config)# iapp standby poll-frequency ?
  <1-30>  Standby polling frequency in seconds
(config)# iapp standby poll-frequency 11
  key-management   key management
  network-eap      leap method
  open             open method
  shared           shared method
(config-if-ssid)# authentication network-eap ?
  WORD  leap list name (1 -- 31 characters)
(config-if-ssid)# authentication network-eap newhampshire
  retransmit     Specify the number of retries to active server
  timeout        Time to wait for a RADIUS server to reply
  unique-ident   Higher order bits of Acct-Session-Id
  vsa            Vendor specific attribute configuration
(config)# radius-server host ?
  Hostname or A.B.C.D  IP address of RADIUS server
(config)# radius-server host 42.55.230.3 ?
  acct-port      UDP port for RADIUS accounting server (default is 1646)
  alias          1-8 aliases for this server (max. 8)
  auth-port      UDP port for RADIUS authentication server (default is 1645)
  key            per-server encryption key (overrides default)
  non-standard   Parse attributes that violate the RADIUS standard
  retransmit     Specify the number of retries to active server (overrides default)
  timeout        Time to wait for this RADIUS server to reply (overrides default)
  <cr>
(config)# radius-server host 42.55.230.3 auth 1812 acct 1813
  priority-group
  random-detect        an Interface
  service-policy       Configure QoS Service Policy
  shutdown             Shutdown the selected interface
  snmp                 Modify SNMP interface parameters
  speed                Configure speed operation.
  timeout              Define timeout values for this interface
  transmit-interface   Assign a transmit interface to a receive-only interface
  tx-ring-limit        Configure PA level transmit ring limit
(config-if)# ip proxy-mobile ?
  <cr>
(config-if)# ip proxy-mobile
(config-if)# int d0
(config-if)# ip proxy-mobile
(config-if)# int e0
(config-if)# ip proxy-mobile
Description
With LBS, access points monitor location packets sent by LBS positioning tags, and
thus allow assets to be tracked. On receiving a positioning packet, the access point
determines the received signal strength indication (RSSI). It then creates a UDP
packet with the RSSI value and the current time, which it then forwards to a location
server. Next the location server determines the position of the tag based on the
information received.
> en
# config t
(config)# aaa new-model
(config)# radius-server ?
  attribute            Customize selected radius attributes
  authorization        Authorization processing information
  challenge-noecho     Data echoing to screen is disabled during Access-Challenge
  configure-nas        Attempt to upload static routes and IP pools at startup
  deadtime             Time to stop using a server that doesn't respond
  directed-request     Allow user to specify radius server to use with `@server'
  domain-stripping     Strip the domain from the username
  host                 Specify a RADIUS server
  key                  encryption key shared with the radius servers
  local                Configure local RADIUS server
  optional-passwords   The first RADIUS request can be made without requesting a password
  retransmit           Specify the number of retries to active server
  timeout              Time to wait for a RADIUS server to reply
  unique-ident         Higher order bits of Acct-Session-Id
  vsa                  Vendor specific attribute configuration
(config)# radius-server local
(config-radsrv)# user ?
WORD Client username
(config-radsrv)# user giraffe ?
  nthash     Set NT hash of clientpassword
  password   Set client password
(config-radsrv)# user giraffe password root
(config-radsrv)# nas ?
A.B.C.D IP address of the NAS
(config-radsrv)# nas 42.55.230.3 ?
key Set NAS shared secret
(config-radsrv)# nas 42.55.230.3 key coconut
(config-radsrv)# exit
(config)# radius-server ?
  attribute            Customize selected radius attributes
  authorization        Authorization processing information
  challenge-noecho     Data echoing to screen is disabled during Access-Challenge
  configure-nas        Attempt to upload static routes and IP pools at startup
  deadtime             Time to stop using a server that doesn't respond
  directed-request     Allow user to specify radius server to use with `@server'
  domain-stripping     Strip the domain from the username
  host                 Specify a RADIUS server
  key                  encryption key shared with the radius servers
  local                Configure local RADIUS server
  optional-passwords   The first RADIUS request can be made without requesting a password
  retransmit           Specify the number of retries to active server
  timeout              Time to wait for a RADIUS server to reply
  unique-ident         Higher order bits of Acct-Session-Id
  vsa                  Vendor specific attribute configuration
(config)# radius-server host ?
  Hostname or A.B.C.D  IP address of RADIUS server
(config)# radius-server host 42.55.230.3 ?
  acct-port      UDP port for RADIUS accounting server (default is 1646)
  alias          1-8 aliases for this server (max. 8)
  auth-port      UDP port for RADIUS authentication server (default is 1645)
  key            per-server encryption key (overrides default)
  non-standard   Parse attributes that violate the RADIUS standard
  retransmit     Specify the number of retries to active server (overrides default)
  timeout        Time to wait for this RADIUS server to reply (overrides default)
  <cr>
(config)# radius-server host 42.55.230.3 auth 1812 acct 1813
(config)# aaa new-model
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authentication login default group tacacs
(config)# aaa authentication ppp default group tacacs
(config)# aaa authorization network default group tacacs
(config)# aaa authorization exec default group tacacs
[Figure: username command options shown: password bert | nopassword | privilege 15 | privilege 1 | user-maxlinks 2 | permit host 192.168.0.1 | access-class 9]
Explanation
The privilege levels go from level 0 to level 15, such as:
Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged mode with a prompt of wap>.
Level 15. This is the highest level of privilege, and has a prompt of wap#.
Thus:
(config)# username fred privilege 15
(config)# username test privilege 1
sets the maximum privilege level for fred at 15, while test will only be able to enter
the non-privileged mode. Also:
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9
restricts the access for fred to a single host (192.168.0.1), so that the user will not be
able to log in from any other host. The following:
(config)# username test user-maxlinks 2
(config-if)# bridge-group 1 ?
  <cr>
  circuit-group              Associate serial interface with a circuit group
  input-address-list         Filter packets by source address
  input-lat-service-deny     Deny input LAT service advertisements matching a group list
  input-lat-service-permit   Permit input LAT service advertisements matching a group list
  input-lsap-list            Filter incoming IEEE 802.3 encapsulated packets
  input-type-list            Filter incoming Ethernet packets by type code
  lat-compression            Enable LAT compression over serial or ATM interfaces
  output-address-list        Filter packets by destination address
  output-lat-service-deny    Deny output LAT service advertisements matching a group list
  output-lat-service-permit  Permit output LAT service advertisements matching a group list
  output-lsap-list           Filter outgoing IEEE 802.3 encapsulated packets
  output-type-list           Filter outgoing Ethernet packets by type code
  port-protected             There will be no traffic between this interface and other protected port interface in this bridge group
  subscriber-loop-control    Configure subscriber loop control
  block-unknown-source       block traffic which come from unknown source MAC address
  input-pattern-list         Filter input with a pattern list
  output-pattern-list        Filter output with a pattern list
  path-cost                  Set interface path cost
  priority                   Set interface priority
  source-learning            learn source MAC address
  spanning-disabled          Disable spanning tree on a bridge group
  unicast-flooding           flood packets with unknown unicast destination MAC addresses
(config-if)# bridge-group 1 input-address-list 701
Explanation
The Cisco Aironet extensions are:
Cisco Key Integrity Protocol (CKIP). This uses a permutation method to renew
the WEP key. If TKIP is used, CKIP is not required.
Limiting power level. This allows the Aironet to control the power level of the
clients, once they associate.
Load balancing. This allows the access point to select the best access point in
terms of signal strength, load requirements, and so on.
Message Integrity Check (MIC). This enhances WEP security against a number of
attacks.
Repeater mode. This allows the access point to support repeater access points.
World mode. This allows client devices to receive carrier set information from the
access point and adjust their settings automatically.
Explanation
The beacon period is defined as the amount of time between access point beacons in
Kilomicroseconds (1 Kμsec is 1.024 milliseconds). The default is 100 Kμsec. If the
beacon period is 1000, the time between beacons is approximately 1 second (1.024
seconds).
The Data Beacon Rate defines how often the DTIM (delivery traffic indication
message) appears in a beacon, where the DTIM tells power-save client devices that a
packet is waiting for them. The default DTIM is 2. If the DTIM is set at 5, and the
beacon period is 1000, a packet with a DTIM will be sent every 5 seconds (approx).
Explanation
The RTS threshold prevents the Hidden Node problem, where two wireless nodes are
within range of the same access point, but are not within range of each other, as
illustrated in Figure 1. As they do not know that they both exist on the network, they
may try to communicate with the access point at the same time. When they do, their
data frames may collide when arriving simultaneously at the access point, which
causes a loss of data frames from the nodes. The RTS threshold tries to overcome this
by enabling the handshaking signals of Ready To Send (RTS) and Clear To Send
(CTS). When a node wishes to communicate with the access point it sends an RTS
signal to the access point. Once the access point determines that the node can
communicate, it sends a CTS signal. The node can then send its data, as illustrated in
Figure 2. The RTS threshold determines the data frame size above which a node must
send an RTS to the WAP. The default value is 4000.
# config t
(config)# int dot11radio0
(config-if)# rts ?
  retries     RTS max retries
  threshold   RTS threshold
(config-if)# rts threshold ?
  <0-2347>  threshold in bytes
(config-if)# rts threshold 2000
[Figure 1: two nodes that cannot hear each other (hidden node). Figure 2: RTS (Ready To Send) from the node, CTS (Clear To Send) from the access point, then data transmitted]
RTS retries defines the number of times that an access point will transmit an RTS
signal before it stops sending the data frame. Values range from 1 to 128. For
example:
# config t
(config)# int dot11radio0
(config-if)# rts retries ?
<1-128> max retries
(config-if)# rts retries 10
(config-if)# end
Explanation
A wireless data frame can have up to 2312 data bytes in the data payload. This large
amount could hog the bandwidth too much, and not give an even share to all the
nodes on the network, as illustrated in Figure 1. Research has argued that creating
smaller data frames, often known as cells, is more efficient in using the available
bandwidth, and also for switching data frames. Thus wireless systems provide a
fragment threshold, at which larger data frames are split into smaller parts, as
illustrated in Figure 2. An example of the configuration is:
# config t
(config)# int dot11radio0
(config-if)# fragment-threshold ?
  <256-2346>
(config-if)# fragment-threshold 700
[Figure: data packets are split into 1500 byte data frames (MTU)]
Explanation
The power of the access point and also of the clients is important as it will
define the coverage of the signal, and must also be within the required safety limits.
Thus, the more radio power that is used to transmit the signal, the wider the scope of
the wireless network. Unfortunately, the further that the signal goes, the more chance
that an intruder can pick up the signal, and, possibly, gain access to its contents, as
illustrated in Figure 1. To control this power, the access point can set up its own
radio power, and is also able to set the power transmission of the client adapter. An
example of setting the local power, and the client power, is shown next:
# config t
(config)# int dot11radio0
(config-if)# power ?
(config-if)# power local ?
  <1-50>    One of: 1 5 20 30 50
  maximum   Set local power to allowed maximum
(config-if)# power local 30
(config-if)# power client ?
  <1-50>    One of: 1 5 20 30 50
  maximum   Set client power to allowed maximum
(config-if)# power client 10
[Figure: The power of the access point and also of the client are important as they will define the coverage of the signal, and must also be within the required safety limits.]
Figure 1 Power transmission
On the client, especially with portable devices, the power usage of the radio port is
important. Thus there are typically power settings, such as:
CAM (Constant awake mode). Used when power usage is not a problem.
PSP (Power save mode). Power is conserved as much as possible. The card will
typically go to sleep, and will only be awoken by the access point, or if there is
activity.
FastPSP (Fast power save mode). This uses both CAM and PSP, and is a
compromise between the two.
Explanation
A particular problem in wireless networks is that the access point may become
overburdened with connected clients. This could be due to an attack, such as DoS
(Denial of Service), or due to poor planning. To set the maximum number of
associations, the max-associations command is used within the SSID setting:
# config t
(config)# int dot11radio0
(config-if)# ssid fred
(config-if-ssid)# max ?
It is possible to define up to four parents, so that if one fails to associate, it can use
the others. In most cases the Cisco Aironet extensions must be enabled, as they aid
the association process, but this can cause incompatibility problems with non-Cisco
devices.
Figure 1 Preamble
Note that short slot time is only available in IEEE 802.11g. By default it is disabled.
Explanation
MAC authentication cache on the access points is typically used where MAC-authenticated clients roam around the network. When it is enabled it reduces the
time overhead in re-authenticating the nodes with an authentication server. When a
node is initially authenticated, its MAC address is added to the cache.
(config-if)# exit
(config)# wlccp ?
  ap                      Enable WLCCP AP
  authentication-server   Authentication Server
  wds                     Enable Wireless Domain Service Manager
  wnm                     Configure Wireless Network Manager
Explanation
The scanner mode is used in WIDS where the access point listens on all of the radio
channels and reports activity. As it is used as a WIDS, it does not accept any
associations. The monitor command can then be used to forward all of the data
packets received to a specific address on a certain port, such as to 10.0.0.1 on UDP
port 1111:
(config-if)# monitor frames endpoint ip address 10.0.0.1 port 1111
                                          : Enabled
                                          : 10.0.0.1
                                          : 1111
                                          : 128 bytes
                                          : Disabled
                                          : 0
                                          : 0
                                          : 0
                                          : 0
Total No. of frames captured              : 0
Total No. of data frames captured         : 0
Total No. of control frames captured      : 0
Total No. of Mgmt frames captured         : 0
Total No. of CRC errored frames captured  : 0
                                          : 0
                                          : 0
10.53 Challenge 53 (Fallback)
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# station root fallback shutdown
Explanation
A major problem occurs when the Ethernet/Radio port fails, and in some situations
the radio port of the access-point should shutdown. The following shuts down the
D0 port when the Ethernet connection fails:
(config-if)# station root fallback shutdown
By default the Web page is then accessed by the client with (http://10.0.0.1):
out-bytes
50720
remote-ipaddress:port  in-bytes  out-bytes  end-time
10.0.0.2:4046          396       192        00:00:46 03/01
10.0.0.2:4047          427       192        00:00:52 03/01
10.0.0.2:4049          5352      52152      00:01:59 03/01
10.0.0.2:4048          4885      85094      00:02:04 03/01
10.0.0.2:4051          396       192        00:25:23 03/01
10.0.0.2:4052          4878      86257      00:26:30 03/01
10.0.0.2:4053          5041      50737      00:26:35 03/01
10.0.0.2:4064          401       192        00:47:16 03/01
10.0.0.2:4065          4343      85878      00:48:21 03/01
  all information
  connection information
  history information
  server status information
  application session module information
  statistics information
  status information
(config-if)#
(config-if)#
(config)# ip
% Generating
(config)# ip
<0-65535>
(config)# ip
By default the Web page is then accessed by the client with (https://10.0.0.1),
after which the client responds with:
and then:
The data transferred between the client and server will then be encrypted. To verify
the details:
ap#sh ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:/c1200-k9w7-mx.1238.JA/html/level/1;zflash:/c1200-k9w7-mx.1238.JA/html/level/1;flash:/c1200-k9w7-mx.1238.JA/html/level/15;zflash:/c1200-k9w7-mx.1238.JA/html/level/15;flash:/c1200-k9w7-mx.123-8.JA/html;zflash:/c1200k9w7-mx.123-8.JA/html;flash:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 120 seconds
Server life time-out: 120 seconds
Maximum number of requests allowed on a connection: 60
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5
rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
ap#sh ip http server conn
HTTP server current connections:
local-ipaddress:port  remote-ipaddress:port  in-bytes  out-bytes
10.0.0.1:443          10.0.0.2:1082          266       52587
10.0.0.1:443          10.0.0.2:1083          2493      67032
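The status output above is worth checking rather than just reading: plain HTTP is still enabled beside HTTPS, the cipher suites are DES, 3DES and RC4, and no trustpoint is set. The following is an added example (not code from the lab module) that parses the output of `show ip http server status` and reports such settings; the sample text is constructed from the values shown above, and the severity labels and the markers used to call a cipher suite weak are this example's own choices.

```python
"""Audit 'show ip http server status' output from a Cisco Aironet / IOS device.

Added example, not code from the lab module. SAMPLE_STATUS is constructed from
the values the module's 'ap#sh ip http server status' output shows; the
severity labels and the cipher-suite markers treated as weak are this
example's own choices.
"""

# Constructed sample, matching the module's output (base path line omitted).
SAMPLE_STATUS = """\
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 120 seconds
Server life time-out: 120 seconds
Maximum number of requests allowed on a connection: 60
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5
rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
"""

# Substrings that mark a cipher suite as weak for this audit: single DES,
# triple DES, RC4 and MD5-based suites.
WEAK_CIPHER_MARKERS = ("des-cbc-sha", "3des", "rc4", "md5")


def parse_status(text):
    """Turn the 'Field: value' lines into a dict.

    The terminal wraps the long ciphersuite line, so a line with no colon is
    treated as a continuation of the previous field's value.
    """
    fields = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            fields[last_key] = value.strip()
        elif last_key is not None:
            fields[last_key] = (fields[last_key] + " " + line).strip()
    return fields


def audit(fields):
    """Return a list of (severity, finding) tuples for risky settings."""
    findings = []

    def low(key):
        return fields.get(key, "").lower()

    if low("HTTP server status") == "enabled":
        findings.append(("high", "plain HTTP management enabled on port "
                         + fields.get("HTTP server port", "?")))
    if low("HTTP secure server status") != "enabled":
        findings.append(("high", "HTTPS management server is not enabled"))
    suites = fields.get("HTTP secure server ciphersuite", "").split()
    weak = [s for s in suites if any(m in s for m in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append(("medium", "weak TLS cipher suites offered: " + ", ".join(weak)))
    if low("HTTP server authentication method") == "enable":
        findings.append(("medium", "web login uses the shared enable password rather than per-user accounts"))
    if fields.get("HTTP server access class", "0") == "0":
        findings.append(("medium", "no access-class limits which hosts may reach the web server"))
    if low("HTTP secure server client authentication") == "disabled":
        findings.append(("low", "HTTPS client certificate authentication disabled"))
    if not fields.get("HTTP secure server trustpoint", ""):
        findings.append(("medium", "no trustpoint: HTTPS uses a self-signed certificate that browsers cannot validate"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse then audit."""
    return audit(parse_status(text))


if __name__ == "__main__":
    for severity, finding in audit_text(SAMPLE_STATUS):
        print(f"[{severity}] {finding}")
```

Run against the sample it reports six findings; after `no ip http server`, an `ip http access-class`, per-user authentication and a trustpoint the list is empty.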
Thus the best effort for this access point is a rate of 1.0Mbps. If this is advertised to
clients, they can choose whether this is the best rate for their best-effort traffic.
An SSH client such as putty can then be used to connect to the access point:
In this case the user login for LEAP will be aaauser with a password of aaauser.
Notice that the NAS is set to the local IP address, and that the Radius server is set
also as the local IP address.
Notice also that the shared key (in this case named sharedkey) must be set the same
for the NAS and the Radius server.
Next set up the clients to support LEAP authentication, as shown in Figure 1. Once
the client has associated, determine the associated devices with:
# show dot assoc
802.11 Client Stations on Dot11Radio0:
SSID [APskills] :
MAC Address     IP address     Device      Name  Parent  State
0090.4b54.d83a  192.168.1.111  4500-radio        self    EAP-Assoc
Others:
After which the WAP will display a message such as the following on a successful
association:
*Mar 1 00:00:51.750: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0090.4b54.d83a Associated KEY_MGMT[WPA]
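Messages of this form are also the simplest place to watch for stations that associate with no key management, or that re-associate over and over. The following is an added example (not code from the lab module) that parses `%DOT11-6-ASSOC` and `%DOT11-6-DISASSOC` lines and raises two kinds of alert; only the first line of the sample log comes from the module, the rest are constructed, and the `KEY_MGMT[NONE]` value and the DISASSOC message shape are assumptions about other IOS messages.

```python
"""Watch %DOT11 association messages in an access point's log.

Added example, not code from the lab module. The module shows one real line
(%DOT11-6-ASSOC ... Associated KEY_MGMT[WPA]); the other lines in SAMPLE_LOG
are constructed, and the KEY_MGMT[NONE] value and the DISASSOC message shape
are assumptions about other IOS messages rather than values from the module.
"""
import re
from collections import defaultdict

# Constructed sample log: the module's WPA station, then a station that
# associates without key management and re-associates in quick succession.
SAMPLE_LOG = """\
*Mar  1 00:00:51.750: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0090.4b54.d83a Associated KEY_MGMT[WPA]
*Mar  1 00:01:10.002: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0011.2233.4455 Associated KEY_MGMT[NONE]
*Mar  1 00:01:20.310: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0011.2233.4455 Reason: Sending station has left the BSS
*Mar  1 00:01:21.100: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0011.2233.4455 Associated KEY_MGMT[NONE]
*Mar  1 00:01:22.400: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0011.2233.4455 Associated KEY_MGMT[NONE]
*Mar  1 00:01:23.900: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0011.2233.4455 Associated KEY_MGMT[NONE]
%SYS-5-CONFIG_I: Configured from console by console
"""

# Timestamp, event, interface, station MAC and (for ASSOC) the key management.
DOT11_RE = re.compile(
    r"\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %DOT11-6-(?P<event>ASSOC|DISASSOC): "
    r"Interface (?P<ifname>[^,]+), .*?Station (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"(?: Associated KEY_MGMT\[(?P<keymgmt>[^\]]+)\])?"
)


def parse_line(line):
    """Return the fields of a DOT11 ASSOC/DISASSOC line, or None for other lines."""
    m = DOT11_RE.search(line)
    return m.groupdict() if m else None


def analyse(log_text, flap_limit=3):
    """Parse a log and return (events, alerts).

    alerts are (kind, mac, detail) tuples:
      weak-keymgmt      a station associated with a KEY_MGMT other than WPA
      reassoc-flapping  a station reached flap_limit associations in the log
    """
    events, alerts = [], []
    assoc_count = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        events.append(ev)
        if ev["event"] != "ASSOC":
            continue
        mac = ev["mac"]
        assoc_count[mac] += 1
        # Anything other than WPA (for example an open or static-WEP
        # association) is reported so it can be compared with the SSID policy.
        if not (ev["keymgmt"] or "").startswith("WPA"):
            alerts.append(("weak-keymgmt", mac, ev["keymgmt"] or "?"))
        # Repeated re-association by one MAC is the pattern that fills the
        # association table, which is what max-associations guards against.
        if assoc_count[mac] == flap_limit:
            alerts.append(("reassoc-flapping", mac, str(assoc_count[mac])))
    return events, alerts


if __name__ == "__main__":
    evs, alrts = analyse(SAMPLE_LOG)
    print(f"{len(evs)} DOT11 events")
    for kind, mac, detail in alrts:
        print(f"{kind}: {mac} ({detail})")
```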
An example is:
# show running | include udp
# show running | include tcp
# show running | include !
# show running | begin version
# show running | exclude int
show version | include cisco
show version | include product
show version | include ver
show version | begin power
show version | exclude pca
An example is:
# config t
(config)# dot11 ssid fred
(config-ssid)# mbssid guest-mode dtim 10
(config-ssid)# exit
(config)# int d0
(config-if)# mbssid
Note:
Large DTIM values are useful for increasing the battery life for power-save client
devices.
(config-ssid)#ip ?
redirection Redirect client data to alternate IP address
(config-ssid)#ip redirection ?
host Destination host to forward data
(config-ssid)#ip redirection host ?
A.B.C.D IP redirect destination host address
(config-ssid)#ip red host 1.2.3.4 ?
access-group Optional group access-list to apply
<cr>
(config-ssid)#ip red host 1.2.3.4 access-group ?
WORD Access-list number or name
(config-ssid)#ip red host 1.2.3.4 access-group 1 ?
in Apply to input interface
(config-ssid)#ip red host 1.2.3.4 access-group 1 in ?
<cr>
(config-ssid)#ip red host 1.2.3.4 access-group 1 in
(config-ssid)# exit
encryption. WEP suffers from many security problems, but TKIP overcomes most of
these, and is still compatible with most currently available IEEE 802.11 wireless
interfaces. The CKIP and CMIC are Cisco-derived methods, and sometimes lack
compatibility. An example for WPA using TKIP is:
# config t
(config)# dot11 ssid fred
(config-ssid)# vlan 22
(config-ssid)# exit
(config)# int d0
(config-if)# ssid fred
(config-if)# encryption vlan 22 mode ciphers tkip
[Figure: cipher options: wep128, wep40, ckip, cmic, ckip-cmic, tkip, tkip wep128, tkip wep40]
which enables the broadcast-key on VLAN 22, and defines that the broadcast key is
changed every 100 seconds.
Figure 1:
where:
This is the time that a client device must wait before it can reattempt to authenticate,
after it has failed an authentication. This occurs when the client device fails three
logins or does not reply to three authentication requests. 1-65,545 seconds.
(config)# dot1x timeout supp-response 10
This is the time that the access point waits for a reply to an EAP/dot1x message from
a client before the authentication is failed.
(config-if)# dot1x reauth-period 10
This is the time that the access point waits before it asks the client to reauthenticate
itself.
(config-if)# countermeasure tkip hold-time
This defines the TKIP MIC failure holdtime, and is triggered when the access point
detects two MIC failures in a period of 60 seconds. It will then, for the holdtime
period, block all TKIP clients on the interface.
which defines that the authentication of infrastructure devices is done using the
server group testi, and that client devices using the testing SSID are authenticated
using the server group of testc.
Copyright statement
This lab has been designed as an integrated unit, and should not
be modified without the author's consent.
Prof Bill Buchanan, Sept 2008
11 Wireless LANs Labs
11.1 Introduction
The wireless lab in C6 is isolated from the main university network, and allows for
the development of mobile networks and applications, for both projects and
teaching. It currently contains the following:
20 wireless hosts with Belkin IEEE 802.11b/g wireless cards. Note: Do not set
the wireless cards to have an address which links to the Ethernet network
(192.168.1.x). The Ethernet network is used to allow the connection to the
Aironets, and the wireless network should have addresses which do not link to
the Ethernet network.
12 wireless hosts with Cisco Aironet IEEE 802.11g wireless cards.
One Cisco 3560 switch (C6SW2).
Seven Aironet 1200 wireless access points.
One Windows 2003 server. This server has two Ethernet cards, which allows it to
be part of the main Ethernet network (192.168.1.5), and also the Wireless network
(such as 192.168.2.x). The main connection allows it to be configured to be part of
the wireless network.
One Linux server. This server has two Ethernet cards, which allows it to be part
of the main Ethernet network (192.168.1.6), and also the Wireless network (such
as 192.168.2.x).
The main Ethernet network is located on the 192.168.1.x network, where the main
server is at 192.168.1.1, and the hosts start at 192.168.1.6 (on the left-hand side of
Bench 1) and go onto 192.168.1.25 (on right-hand side of Bench 4), as illustrated in
Figure 1.
[Figure 1: Ethernet network 192.168.1.x with hosts 192.168.1.10 to 192.168.1.29 across Bench 1 to Bench 4; switches C6SW1 and C6SW2; console server C6CS1 at 192.168.1.100 with Aironet1 on port 2001, Aironet2 on port 2002 and Aironet7 on port 2007 (each with Eth and Con connections); Windows server 192.168.1.5 / 192.168.2.x (Any); Linux server 192.168.1.6 / 192.168.2.x (Any).]
                  Tutorial example   Your example
Device:           [Aironet1]         [          ]
Remote port:      [2001]             [          ]
Aironet1 IP:      [192.168.2.3]      [          ]
Aironet SSID:     [bill]             [          ]
Wireless client:  [192.168.2.2]      [          ]
Windows server:   [192.168.2.5]      [          ]
Figure 2 illustrates the example setup. Please note that your connection is likely to be
different, as you want to have different IP addresses and SSIDs from other wireless
networks.
[Figure 2: Telnet to 192.168.1.100 port 2001 reaches Aironet1 (IP 192.168.2.3, SSID bill); Client 1 (IP 192.168.2.2, SSID bill) associates with it; Windows server at 192.168.2.5. The rest of the diagram repeats Figure 1: Bench 1 to Bench 4, C6SW2, console server C6CS1 at 192.168.1.100 with Aironet1 on port 2001, Aironet2 on port 2002, Aironet3 to Aironet7 (Aironet7 on port 2007), Windows server 192.168.1.5 / 192.168.2.x, Linux server 192.168.1.6 / 192.168.2.x.]
This sets up the IP address of the access point at [192.168.2.3] with an SSID of [Bill]
and using radio channel 6. The wireless nodes which connect to this access point will
now have an address of 192.168.2.x.
Association
Reply from 192.168.2.3: bytes=32 time=2ms TTL=150
Reply from 192.168.2.3: bytes=32 time=1ms TTL=150
Reply from 192.168.2.3: bytes=32 time=1ms TTL=150
Reply from 192.168.2.3: bytes=32 time=1ms TTL=150
Figure 18: Setup of the IP address on the 2nd Ethernet card on the Windows 2003
server
[Figure: lab network diagram. Console server C6CS1 at 192.168.1.100 with Aironet1 on port 2001, Aironet2 on port 2002 and Aironet7 on port 2007 (each with Con and Eth connections); switches C6SW1 and C6SW2; Linux server 192.168.1.6 / 192.168.2.x (Any); Windows server 192.168.1.5 / 192.168.2.x (Any); Ethernet network hosts 192.168.1.10 to 192.168.1.29 across Bench 1 to Bench 4.]
FA0/11:
FA0/11-20:
FA0/21: Console server (C6CS1)
FA0/22: Windows 2003 1st Ethernet port (192.168.1.5)
FA0/23: Linux 1st Ethernet port (192.168.1.6)
Login for Windows and Linux servers:
Login ID: co72047
Password: co72047
12 Labs
Lab 1: Access Point Tutorial
Using the Network-emulators, select the Wireless emulator, and perform the
following:
1.
>
2.
> enable
3.
From the EXEC mode go into the Global Configuration Mode, and use the
hostname command to change the hostname to MyWireless.
# ?
# config t
(config) # hostname MyWireless
4.
Exit from the Global Configuration Mode using exit, and list the current
running-config with show running-config.
(config) # exit
# show running-conf
buffers
memory
stacks
hosts
arp
flash
history
version
interfaces
interface fa0
interface dot11radio0
Using the information from above what are the following:
Processor Board ID:
Processor Type:
Processor Clock Speed:
System image file:
Operating System Version:
File names stored in the Flash Memory:
Product/Model Number:
terminal ?
terminal history ?
terminal history size ?
terminal history size 100
show history
clock ?
clock set ?
clock set 11:00 ?
clock set 11:00 11 ?
clock set 11:00 11 jun ?
clock set 11:00 11 jun 2006
Ping the newly defined ports (207.11.12.10 and 192.168.0.1). Are they responding?
7.
# show running-config
8. The WAP can access a domain server and DNS, using the ip name-server and ip
domain-lookup commands:
# config t
(config)# ip ?
to
(config)# ip domain-name ?
(config)# ip domain-name mydomain.com
(config)# ip name-server ?
(config)# ip name-server 160.10.11.12
(config)# ip domain-lookup
(config)# ip default-gateway ?
(config)# ip default-gateway 10.11.12.11
9.
To get rid of any of these settings, insert a no in front of them, such as:
# config t
(config)# no ip domain-name mydomain.com
(config)# no ip name-server 160.10.11.12
(config)# no ip domain-lookup
(config)# no ip default-gateway 10.11.12.11
(config)# exit
# show running
10.
Setting passwords for the line console and for telnet access:
# config t
(config)# line con 0
(config-line)# login
(config-line)# password fred
(config-line)# exit
(config)# line vty 0 15
(config-line)# login
(config-line)# password fred
(config-line)# exit
(config)# exit
11.
# config t
(config)# ip http server
(config)# exit
# show running
12.
If we need to change the port and the max number of connections on the
WWW server:
# config t
(config)# ip http port 8080
(config)# ip http max-connections 2
(config)# exit
# show running
13.
# config t
(config)# no ip http server
(config)# exit
# show running
14.
# config t
(config)# username ?
(config)# username fred ?
(config)# username fred password bert
(config)# exit
# show running
15.
# config t
(config)# no username fred password bert
(config)# exit
# show running
16.
# config t
(config)# ip host freds 172.14.10.11
(config)# ip host berts 172.14.10.12
(config)# ip host slappi 10.15.1.100
17.
# config t
(config)# ip ?
(config)# ip dhcp ?
(config)# ip dhcp pool socpool
(config-dhcp)# ?
(config-dhcp)# network 192.168.0.0 255.255.255.0
(config-dhcp)# lease 10
(config-dhcp)# exit
(config)# exit
# show running-config
18.
# config t
(config)# no ip dhcp pool socpool
(config)# exit
# show running-config
19.
To create a banner:
# config t
(config)# banner motd # hello #
(config)# exit
# show running
21.
# config t
(config)# int dot11radio0
(config-if)# arp ?
(config-if)# arp arpa
22.
# config t
(config)# cdp ?
(config)# cdp holdtime 120
(config)# cdp timer 50
(config)# end
Using the show cdp command, determine the settings for CDP:
25.
26.
(config)# ip host LAB_A 192.5.5.1
(config)# ip host LAB_B 201.100.11.2
(config)# ip host LAB_C 223.8.151.1
(config)# ip host LAB_D 210.93.105.1
(config)# ip host LAB_E 210.93.105.2
(config)# exit
# show hosts
# show running
The power level of the access point can be set with the power command, and
the speed can be set with the speed command:
# config t
(config)# int dot11radio0
(config-if)# power ?
(config-if)# power local ?
(config-if)# power local 30
(config-if)# power client 10
(config-if)# speed ?
(config-if)# speed 1.0
(config-if)# exit
(config)# exit
28.
With world-mode, the access point adds channel carrier set information to its
beacon. This allows client devices with world mode to receive the carrier set
information and adjust their settings automatically. World mode is disabled by
default, to enable it:
# config t
(config)# int dot11radio0
(config-if)# ?
(config-if)# world-mode
(config-if)# exit
(config)# exit
29. The antenna can be set for both the transmit and receive options. These can be:
Diversity. With this the WAP uses the antenna in which the best signal is
being received.
Right. This is where the antenna is on the right of the WAP, and is highly
directional.
Left. This is where the antenna is on the left of the WAP, and is highly
directional.
# config t
(config)# int dot11radio0
(config-if)# antenna ?
(config-if)# antenna transmit ?
(config-if)# antenna transmit diversity
(config-if)# antenna receive left
(config-if)# exit
(config)# exit
30.
The WAP can be set up to transmit a beacon signal on which devices can
connect to (using a delivery traffic indication message - DTIM). The time period
on which it transmits is defined in Kilomicroseconds, which is 1 millisecond
(one thousandth of a second). For example to set the beacon period to once every
second:
# config t
(config)# int dot11radio0
(config-if)# beacon ?
(config-if)# beacon period ?
(config-if)# beacon period 1000
(config-if)# exit
(config)# exit
31.
The payload encapsulation can be set to:
802.1H (dot1h). This is the default, and is optimized for Cisco Aironet
wireless products.
RFC1042. This is used by many wireless manufacturers (SNAP), and is thus
more compatible than 802.1H.
For example:
# config t
(config)# int dot11radio0
(config-if)# payload-encapsulation ?
(config-if)# payload-encapsulation rfc1042
(config-if)# exit
(config)# exit
32.
CARRIER TEST. The WAP can show the activity on certain channels using the
carrier busy test (note that the connections to devices are dropped for about 4
seconds when these tests are made).
For example:
# show dot11 ?
# show dot11 carrier ?
# show dot11 carrier busy
33.
RTS. The RTS (Request To Send) is used to handshake data between the client
and the WAP. The RTS threshold sets the packet size at which the access
point issues a request to send (RTS) before sending the packet. Low RTS
threshold values are useful in areas where there are many clients, or where
the clients are far apart and cannot reach each other (the hidden node
problem). The Maximum RTS Retries (1-128) defines the maximum number
of times the access point issues an RTS before abandoning the send. For
example, to set the threshold at 1000 Bytes and the number of retries to 10:
# config t
(config)# int dot11radio0
(config-if)# rts ?
(config-if)# rts threshold ?
(config-if)# rts threshold 1000
(config-if)# rts retries ?
(config-if)# rts retries 10
(config-if)# exit
(config)# exit
34.
PACKET RETRIES. The maximum data retries value (1-128) defines the
number of attempts that a WAP makes before dropping the packet.
# config t
(config)# int dot11radio0
(config-if)# packet retries 5
(config-if)# exit
(config)# exit
35. FRAGMENT THRESHOLD. For example, to set the fragmentation threshold to 1000 bytes:
# config t
(config)# int dot11radio0
(config-if)# fragment-threshold 1000
(config-if)# exit
(config)# exit
36.
# config t
(config)# int dot11radio0
(config-if)# ip proxy-mobile
(config-if)# exit
(config)# exit
A particular problem can be where there are too many associations with the
wireless device. To limit the number of associations, the max-association
value is set. For example, to set the maximum number of associations to 20:
# config t
(config)# int d0
(config-if)# ssid fred
(config-if-ssid)# ?
(config-if-ssid)# max-associations ?
(config-if-ssid)# max-associations 20
(config-if-ssid)# exit
38.
To determine wireless nodes that have been associated with the WAP:
# show dot11 ?
# show dot11 associations
# show dot11 statistics client-traffic
What is the IP address and the MAC address of the node that has been associated with the WAP:
39.
To list the controllers:
# show controllers
!
interface Dot11Radio0
Channel 5
Allowed Rates:
RM Tx Power Level 0
RM Tx Channel Number
Saved Tx Power
Saved Tx Channel
(output abbreviated)
41.
SHOW CLIENTS. This command is used to show the details of all the
associated clients, and uses:
Address            : 0003.6dff.2a51    Name                 :
IP Address         : 192.168.0.11      Interface            : Dot11Radio 0
Device             :                   Software Version     :
State              : Assoc             Parent               : self
SSID               : tsunami           VLAN                 : 0
Hops to Infra      : 1                 Association Id       : 3
Clients Associated : 0                 Repeaters associated : 0
Encryption         : NONE              Capability           :
Rate               : 11.0              ShortHdr             :
Supported Rates    :
Signal Strength    : -29 dBm           Connected for        : 913 seconds
Signal Quality     : 81 %              Last Activity        : 28 seconds ago
Power-save         : Off
Packets Input      : 143               Packets Output       : 5
Bytes Input        : 16801             Bytes Output         : 266
Duplicates Rcvd    : 0                 Data Retries         : 0
Decrypt Failed     : 0                 RTS Retries          : 0
MIC Failed         : 0                 MIC Missing          : 0
On Interface Dot11Radio0:
cDot11AssStatsAssociated      : 2
cDot11AssStatsAuthenticated   : 2
cDot11AssStatsRoamedIn        : 0
cDot11AssStatsRoamedAway      : 0
cDot11AssStatsDeauthenticated : 1
cDot11AssStatsDisassociated   : 1
cur_bss_associated            : 1
cur_associated                : 1
cur_bss_repeaters             : 0
cur_repeaters                 : 0
cur_known_ip                  : 1
dot11DisassociateReason       : 2
dot11DisassociateStation      : 0003.6dff.2a51
dot11DeauthenticateReason     : 2
dot11DeauthenticateStation    : 0003.6dff.2a51
dot11AuthenticateFailStatus   : 0
dot11AuthenticateFailStation  : 0000.0000.0000
43.
TRANSMITTER. The interface statistics include the following counters (the values are
not reproduced here): Host Tx Bytes, Unicasts Rx, Unicasts Tx, Unicasts to host,
Unicasts by host, Beacons Rx, Beacons Tx, Broadcasts Rx, Broadcasts Tx, Broadcasts to
host, Broadcasts by host, Multicasts Rx, Multicasts Tx, Multicasts to host, Multicasts
by host, RTS transmitted, Duplicate frames, CRC errors, WEP errors, Retries, Buffer
full, Protocol defers, Invalid header, Length invalid, Jammer detected, Incomplete
fragments, Rx Concats, Tx Concats, Packets aged, Tx Packets, Tx Bytes and Data Retries.
The interfaces are examined with:
# show interface ?
# show interface fa0
# show interface dot11radio0
# show interface bvi
44.
# show dot11 ?
# show dot11 network-map
# config t
(config)# dot11 network-map
(config)# exit
# show dot11 network-map
# show dot11 carrier ?
# show dot11 carrier busy
Which frequency is the most utilized:
# show ip
# show ip ?
# show led
# show led ?
# show led flash
# show line
# show log
*Mar ... to reset
*Mar ... to up
*Mar ...
*Mar ...
# show vlans
46.
# show aliases
# show caller
# show cca
# show class-map
# show clock
# show crash
# show dhcp ?
# show dot11 ?
  adjacent-ap
  antenna-alignment
  arp-cache          Arp Cache
  associations       association information
  carrier
  linktest
  network-map        Network Map
  statistics         statistics information
# show dot11 associations
MAC Address     IP address   Device      Name  Parent  State
0090.4b54.d83a  192.168.2.2  4500-radio  -     self    Assoc
Others:
# show dot11 carrier ?
# show dot11 carrier busy
# show dot11 network-map
# show dot11 statistics
# show dot11 statistics ?
# show dot11 statistics client-traffic
Clients:
3-0090.4b54.d83a pak in 372 bytes in 31151 pak out 3 bytes out 262
# show dot11 ?
# show dot11 carrier ?
# show dot11 carrier busy
# show dot11 linktest
# show ... dot11radio0 ?
Next ping your node and the others in your network, such as with:
C:\Documents and Settings\co72047.XP3>ping 192.168.10.2
Pinging 192.168.10.2 with 32 bytes of data:
Reply from 192.168.10.2: bytes=32 time=1467ms TTL=128
Reply from 192.168.10.2: bytes=32 time=1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
The host settings are then listed (XP3, c06server, Unknown, No, No), followed by the
adapter settings:
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . :
Physical Address. . . . . . . . . :
Dhcp Enabled. . . . . . . . . . . :
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :
Outline some of the information that is provided on the ping with Ethereal:
Figure 9: Ethereal
8192 8192 10.00 5.84 (netperf: socket sizes, elapsed time, throughput in 10^6 bits/sec)
Can you see the data packets in Ethereal and read the contents of the conversation:
To determine the open TCP ports, run the netstat -a command, such as:
C:\> netstat -a
Active Connections
  Proto  Local Address      Foreign Address     State
  TCP    XP3:epmap          0.0.0.0:0           LISTENING
  TCP    XP3:microsoft-ds   0.0.0.0:0           LISTENING
  TCP    XP3:1026           0.0.0.0:0           LISTENING
  TCP    XP3:netbios-ssn    0.0.0.0:0           LISTENING
  TCP    XP3:1068           192.168.10.2:1001   ESTABLISHED
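A small parser for a netstat -a listing of the kind shown above, as an added example (it is not code from the lab manual): it separates listening sockets from established connections and picks out the Windows RPC and file-sharing services that a reviewer normally wants restricted to trusted networks. The sample listing is constructed from the output above, and the set of services to review is an assumption made for the example.

```python
"""Parse Windows 'netstat -a' output and summarise the exposed TCP services.
Added example; the sample listing is constructed from the one shown above."""

# Services worth a second look when they listen on every interface
# (assumption for this example, not a list from the lab manual).
REVIEW_SERVICES = {"epmap", "microsoft-ds", "netbios-ssn"}

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    XP3:epmap              0.0.0.0:0              LISTENING
  TCP    XP3:microsoft-ds       0.0.0.0:0              LISTENING
  TCP    XP3:1026               0.0.0.0:0              LISTENING
  TCP    XP3:netbios-ssn        0.0.0.0:0              LISTENING
  TCP    XP3:1068               192.168.10.2:1001      ESTABLISHED
"""


def parse_netstat(text):
    """Return a list of (proto, local_host, local_port, foreign, state) tuples.

    Banner and header lines are skipped; UDP lines (three fields, no state)
    are skipped as well, since only TCP sockets carry a state column.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign, state = parts
        # The port may be a service name (epmap) or a number (1026).
        host, _, port = local.rpartition(":")
        rows.append((proto, host, port, foreign, state))
    return rows


def listening_ports(rows):
    """Ports (names or numbers) on which the host accepts TCP connections."""
    return [port for proto, _, port, _, state in rows
            if proto == "TCP" and state == "LISTENING"]


def established_peers(rows):
    """(local port, remote address:port) for every live connection."""
    return [(port, foreign) for _, _, port, foreign, state in rows
            if state == "ESTABLISHED"]


def services_to_review(rows):
    """Listening services from REVIEW_SERVICES, sorted for stable reporting."""
    return sorted(p for p in listening_ports(rows) if p in REVIEW_SERVICES)


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(parsed))
    print("established:", established_peers(parsed))
    print("review:", services_to_review(parsed))
```

On the listing above the parser reports four listening services, one established connection (local port 1068 to 192.168.10.2:1001, the client-server program), and three services to review; the same three are what a site firewall is usually expected to block from the wireless side.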
Throughput (10^6 bits/sec): 5.71
8192 8192 10.00 5.85 (throughput in 10^6 bits/sec)
From the previous results, what effect does WEP encryption have on the throughput:
8192 8192 10.00 0.81 (throughput in 10^6 bits/sec)
Transmission rate:
Group  Device    SSID    BVI          Host range                 Radio channel
A      Aironet1  GroupA  192.168.2.1  192.168.2.10-192.168.2.12  2
B      Aironet2  GroupB  192.168.2.2  192.168.2.13-192.168.2.14  3
C      Aironet3  GroupC  192.168.2.3  192.168.2.15-192.168.2.17  4
D      Aironet4  GroupD  192.168.2.4  192.168.2.18-192.168.2.19  5
E      Aironet5  GroupE  192.168.2.5  192.168.2.20-192.168.2.22  7
F      Aironet6  GroupF  192.168.2.6  192.168.2.23-192.168.2.24  8
G      Aironet7  GroupG  192.168.2.7  192.168.2.25-192.168.2.27  9
The setup for the Windows server is 192.168.2.8 and the Linux server is 192.168.2.9. A
diagram of the system is shown in Figure 1.
Figure 1: Aironet1 (IP 192.168.2.1, SSID GroupA) to Aironet7 (IP 192.168.2.7, SSID GroupG),
each with a console (Con) connection to the ConsoleServer (C6CS1) at 192.168.1.100 and an
Ethernet (Eth) connection to the switch C6SW2; the Windows server (192.168.2.8) and the
Linux server (192.168.2.9) are on the Ethernet side; wireless nodes (such as 192.168.2.10
and 192.168.2.11) connect to the SSIDs GroupA to GroupG.
An example setup for GroupA is:
hostname GroupA
dot11 ssid GroupA
authentication open
guest-mode
int bvi1
ip address 192.168.1.1 255.255.255.0
interface d0
channel 2
station-role root
ssid GroupA
no shutdown
interface fa0
no shutdown
1.
Configure your Aironet for the required settings for your group.
Outline the main configuration settings:
2.
Set the IP address of your wireless cards. All the hosts on your network will
connect to the same subnet (192.168.2.x), as illustrated in Figure 1.
What is your IP address, and what are the others in the group:
3.
NOTE: Sometimes the card must be disabled and then enabled for it to fully reconnect.
An example of a ping is:
C:\Documents and Settings\co72047.XP2>ping 192.168.2.20
Pinging 192.168.1.100 with 32 bytes of data:
Reply from 192.168.1.100: bytes=32 time<1ms TTL=128
Reply from 192.168.1.100: bytes=32 time<1ms TTL=128
C:\Documents and Settings\co72047.XP2>ping 192.168.1.240
Pinging 192.168.1.240 with 32 bytes of data:
Reply from 192.168.1.240: bytes=32 time=1ms TTL=255
Reply from 192.168.1.240: bytes=32 time=1ms TTL=255
4.
Next access the Web page of the access point with http://192.168.2.x:
Was the connection successful?
5.
Ping all the devices in your network. Next, as with Lab 3, share a folder on
your machine with the rest of your network:
Was the sharing successful:
6.
As with Lab 3, run netperf and netserver, and determine the throughput of
the connection between two hosts:
Network throughput:
7.
As with Lab 3, run the client and server, and make a connection between two
hosts:
Network throughput:
8.
Once all the group have setup their wireless networks, ping all the nodes in
the network:
Can you ping all the hosts?
9.
Group  Device    SSID    BVI         Host range               Radio channel
A      Aironet1  GroupA  172.16.1.1  172.16.1.10-172.16.1.12  2
B      Aironet2  GroupB  172.16.1.2  172.16.1.13-172.16.1.14  3
C      Aironet3  GroupC  172.16.1.3  172.16.1.15-172.16.1.17  4
D      Aironet4  GroupD  172.16.1.4  172.16.1.18-172.16.1.19  5
E      Aironet5  GroupE  172.16.1.5  172.16.1.20-172.16.1.22  7
F      Aironet6  GroupF  172.16.1.6  172.16.1.23-172.16.1.24  8
G      Aironet7  GroupG  172.16.1.7  172.16.1.25-172.16.1.27  9
The setup for the Windows server is 172.16.1.8 and the Linux server is 172.16.1.9. An
example setup for GroupA is:
hostname GroupA
dot11 ssid GroupA
authentication open
guest-mode
int bvi1
ip address 172.16.1.1 255.255.255.0
interface d0
channel 2
station-role root
ssid GroupA
no shutdown
interface fa0
no shutdown
10.
Set up your wireless network, and ping all the nodes in your network.
Can all the nodes connect to the wireless network, and can they ping each other:
Use the command show dot11 assoc on the access point. What is the output:
2.
Telnet is one of the most widely used protocols for remote access to devices,
and uses port 23 by default. Enable up to 16 TELNET sessions on the access
point with the configuration:
# config t
(config)# line vty 0 15
(config-line)# transport input telnet
3.
Using the TELNET program in Windows, test if the wireless nodes can access
4.
Next, using the PuTTY client, TELNET into the wireless access point (as
illustrated in Figure 3).
Can all the nodes TELNET into the access point:
5.
Next, run Ethereal, and capture the wireless traffic, and re-TELNET into the
access point. Verify that you can read the username and the password from
the network traffic (Figure 4).
Can you view the username and password:
6.
Next, create a number of usernames and passwords using a form such as:
Using a username and password for each person in the group, login using
their username and password. At the same time, using Ethereal, verify that
the username and password can be determined:
Can the username and password be determined for each session:
7.
# config t
(config)# ip domain-name fred.com
(config)# crypto key generate rsa
(config)# exit
# show ip ssh
# config t
(config)# ip ssh rsa keypair-name ap.fred.com
(config)# line vty 0 15
(config-line)# transport input ssh
Do the connections work:
8.
Next connect to the access point using SSH (with the PuTTY client), as shown
in Figure 5.
9. Next, using the show line vty 0 command, verify that SSH is being used, such as:
# show line vty 0
*   1 VTY ... 335  0/0 ...
    Dispatch ... not set
(output abbreviated)
10.
Run Ethereal, and verify that the username and password cannot be viewed.
Is it possible to view the username and password:
11.
# config t
(config)# line vty 0 15
(config-line)# transport input any
12.
# config t
(config)# line vty 0 15
(config-line)# transport input ssh
(config-line)# session-timeout 1
and, after one minute of inactivity, the session should be closed, such as:
timeout expired!
Create a number of SSH sessions, and verify that after one minute of inactivity the sessions
time out. Is this verified:
13.
Many firewalls block access to lower ports, such as TELNET and FTP, and
thus for TELNET/SSH access the port of the server on the access point must
be changed. In the following the port is changed to 2000:
Connect to the SSH service using port 2000 (such as shown in Figure 5). Does it connect:
Achieve the same for TELNET access using the 2001 port. Does it connect using the new port?
What configuration is used:
14.
Often the administrator wants to limit the number of TELNET sessions. In the
following case there is a limit of three TELNET/SSH sessions (0, 1 and 2):
(config)# line vty 0 2
(config-line)# transport input any
(config)# line vty 3 15
(config-line)# transport input none
Connect to the access point with more than three sessions, and verify that it does not allow any
more than three. Is it working:
Lab 6: Encryption/Authentication
You will be assigned a group. In this lab the setup is as follows:
Group  Device    SSID    BVI       Host range           Radio channel
A      Aironet1  GroupA  10.0.0.1  10.0.0.10-10.0.0.12  2
B      Aironet2  GroupB  10.0.0.2  10.0.0.13-10.0.0.14  3
C      Aironet3  GroupC  10.0.0.3  10.0.0.15-10.0.0.17  4
D      Aironet4  GroupD  10.0.0.4  10.0.0.18-10.0.0.19  5
E      Aironet5  GroupE  10.0.0.5  10.0.0.20-10.0.0.22  7
F      Aironet6  GroupF  10.0.0.6  10.0.0.23-10.0.0.24  8
G      Aironet7  GroupG  10.0.0.7  10.0.0.25-10.0.0.27  9
11. Set up your wireless network, and ping all the nodes in your network.
Can all the nodes connect to the wireless network, and can they ping each other:
Use the command show dot11 assoc on the access point. What is the output:
2.
Set up your access point and nodes (Figure 1) so that they use WEP
encryption. An example of the encryption settings for the access point for
GroupA could be:
hostname ap
int bvi1
ip address 10.0.0.1 255.255.255.0
exit
dot11 ssid GroupA
authentication open
guest-mode
interface d0
channel 2
station-role root
Use the command show dot11 assoc on the access point. What is the output:
3.
Next setup LEAP authentication, with the following (for Group A):
hostname ap
aaa new-model
aaa group server radius rad_eap
server 10.0.0.1 auth-port 1812 acct-port 1813
exit
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa session-id common
int bvi1
ip address 10.0.0.1 255.255.255.0
exit
radius-server local
nas 10.0.0.1 key sharedkey
user aaauser password aaauser
exit
radius-server host 10.0.0.1 auth 1812 acct 1813 key sharedkey
dot11 ssid GroupA
authentication open
authentication network-eap eap_methods
guest-mode
interface d0
channel 11
station-role root
encryption key 1 size 40bit aaaaaaaaaa transmit-key
encryption mode ciphers tkip wep40
ssid GroupA
4.
The output of show dot11 assoc is then of the form:
MAC Address     IP address  Device      Name  Parent  State
0090.4b54.d83a  10.0.0.1    4500-radio  -     self    EAP-Assoc
Others:
Did you see a message on the access point which had the following format:
5.
Next setup WPA with TKIP encryption, and LEAP authentication with (for
Group A):
hostname ap
aaa new-model
aaa group server radius rad_eap
server 192.168.1.110 auth-port 1812 acct-port 1813
exit
aaa group server radius rad_mac
exit
aaa group server radius rad_acct
exit
Did you see a message on the access point which had the following format:
6.
If the client supports CCKM, then the following can be setup (for Group A):
hostname ap
aaa new-model
aaa group server radius rad_eap
server 10.0.0.1 auth-port 1812 acct-port 1813
exit
aaa authentication login eap_methods group rad_eap
int bvi1
ip address 10.0.0.1 255.255.255.0
exit
radius-server local
nas 10.0.0.1 key sharedkey
user aaauser password aaauser
exit
radius-server host 10.0.0.1 auth 1812 acct 1813 key sharedkey
dot11 ssid GroupA
authentication open
auth key-management cckm
authentication network-eap eap_methods
guest-mode
interface d0
channel 2
station-role root
encryption mode ciphers tkip
ssid GroupA
Lab 7: Filtering/Blocking
You will be assigned a group. In this lab the setup is as follows:
Group  Device    SSID    BVI          Host range                 Radio channel
A      Aironet1  GroupA  192.168.2.1  192.168.2.10-192.168.2.12  2
B      Aironet2  GroupB  192.168.2.2  192.168.2.13-192.168.2.14  3
C      Aironet3  GroupC  192.168.2.3  192.168.2.15-192.168.2.17  4
D      Aironet4  GroupD  192.168.2.4  192.168.2.18-192.168.2.19  5
E      Aironet5  GroupE  192.168.2.5  192.168.2.20-192.168.2.22  7
F      Aironet6  GroupF  192.168.2.6  192.168.2.23-192.168.2.24  8
G      Aironet7  GroupG  192.168.2.7  192.168.2.25-192.168.2.27  9
The setup for the Windows server is 192.168.2.8 and the Linux server is 192.168.2.9. A
diagram of the system is shown in Figure 1.
The wireless access point can be used to filter MAC addresses for a source and
destination. Its format is:
access-list [number] [deny | permit] [source mac] [source mask] [dest mac] [dest mask]
For example, to disallow the node with the MAC address of 0090.4b54.d83a access to
0060.b39f.cae1:
access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0
access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff
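An evaluator for MAC access-lists in the format above, added here as an example (it is not code from the lab manual or from Cisco IOS). It parses the two access-list lines shown, treats the masks as Cisco wildcard masks (a 1 bit means "do not compare this bit", so 0.0.0 is an exact match and ffff.ffff.ffff matches anything), applies first-match semantics with an implicit deny at the end, and accepts the abbreviated 0.0.0 form used above as well as full dotted-hex addresses. The ACL text is the page's own example, embedded as constructed input.

```python
"""Evaluate Aironet-style MAC access-lists of the form shown above.
Added example; masks are Cisco wildcard masks (1 bit = do not compare)."""
import re

_DOTTED_RE = re.compile(r"^[0-9a-fA-F]{1,4}(\.[0-9a-fA-F]{1,4}){2}$")

# The two access-list lines from the text above (constructed input for this example).
EXAMPLE_ACL = """\
access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0
access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff
"""


def mac_to_int(text):
    """Convert dotted-hex notation to a 48-bit int.

    Each dotted group holds up to four hex digits and short groups are
    zero-padded, so '0.0.0' == '0000.0000.0000' and 'ffff.ffff.ffff' is all ones.
    """
    if not _DOTTED_RE.match(text):
        raise ValueError("bad MAC address or mask: %r" % text)
    value = 0
    for group in text.split("."):
        value = (value << 16) | int(group, 16)
    return value


def parse_acl(text):
    """Parse 'access-list <n> permit|deny <src> <src-mask> <dst> <dst-mask>' lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0] != "access-list":
            continue  # blank line or something that is not a MAC access-list
        _, number, action, src, src_mask, dst, dst_mask = parts
        if action not in ("permit", "deny"):
            raise ValueError("bad action in: " + line)
        rules.append((int(number), action,
                      mac_to_int(src), mac_to_int(src_mask),
                      mac_to_int(dst), mac_to_int(dst_mask)))
    return rules


def _matches(address, pattern, wildcard):
    # Only the bits that are 0 in the wildcard mask take part in the comparison.
    return (address & ~wildcard) == (pattern & ~wildcard)


def evaluate(rules, src, dst, number=None):
    """Return 'permit' or 'deny' for a frame from src to dst.

    The first matching rule wins; a frame that matches no rule is denied,
    which is the implicit deny at the end of every access-list.
    """
    s, d = mac_to_int(src), mac_to_int(dst)
    for acl_number, action, sp, sm, dp, dm in rules:
        if number is not None and acl_number != number:
            continue
        if _matches(s, sp, sm) and _matches(d, dp, dm):
            return action
    return "deny"


RULES = parse_acl(EXAMPLE_ACL)

if __name__ == "__main__":
    print(evaluate(RULES, "0090.4b54.d83a", "0060.b39f.cae1"))  # blocked direction
    print(evaluate(RULES, "0060.b39f.cae1", "0090.4b54.d83a"))  # reverse direction
```

Running it shows the point worth checking when you write the list for the exercise below: the page's two lines block frames from 0090.4b54.d83a to 0060.b39f.cae1 only, and the reverse direction still hits the permit-any line, so a block that is meant to be symmetric needs a second deny entry, and a list with only deny entries blocks everything because of the implicit deny.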
ap#show arp
Protocol  Address        Age (min)  Hardware Addr   Type  Interface
Internet  192.168.1.110             000d.65a9.cb1b  ARPA  BVI1
Internet  192.168.1.101  1          0060.b39f.cae1  ARPA  BVI1
Internet  192.168.1.103  2          0009.7c85.87f1  ARPA  BVI1
Internet  192.168.1.115  1          0090.4b54.d83a  ARPA  BVI1
ap#
Block the access of one computer to another. What is the access-list used:
Is the access blocked, and can the other nodes still access each other:
1.
Now add a new access-list which blocks access from one computer to two of the
hosts on the network.
Is the block successful:
2.
The access point also supports IP access-lists. For example, the following blocks a
host at 192.168.1.111 access to 192.168.1.110:
3.
Create a wireless network which blocks one of the nodes on the network, and
allows the other one.
What is the access-list:
Do the blocks work, and can the other nodes still communicate:
4.
Along with IP filtering it is possible to filter on the TCP port. For example, the
following blocks any source host to any destination on port 80:
5.
Test the above script and make sure that none of the nodes can access the web
server on the access point:
Is web access blocked:
6.
Modify the access-list so that only one node is blocked access to the web
server on the access point:
Is web access blocked:
12.
Using the client and the server program, write an access-list which will
block communications between two of the nodes on the network for client-server
communications on port 1001:
Is the access blocked:
13.
14.
Block a ping from one of the nodes on your network to another node.
Lab 8: VLAN
The access point can assign VLANs, where the nodes in the same VLAN can connect
to each other, but cannot communicate directly with nodes on another VLAN. This
allows nodes to connect to each other, even though they connect to a different access
device. In a wireless system the nodes can communicate with a VLAN over different
SSID. The mechanism used is IEEE 802.1Q tagging. The setup for the lab is defined in
Figure 1.
Thus, now set up the following:
SSID Group 1: MyVLAN1a, MyVLAN2a
SSID Group 2: MyVLAN1b, MyVLAN2c
SSID Group 3: MyVLAN1c, MyVLAN2c
PC1-PC5: 192.168.0.1-5
Access point: 192.168.0.100, 192.168.0.110
VLAN1: MyVLAN1 (192.168.0.1-3)
VLAN2: MyVLAN2 (192.168.0.4,5)
Nodes PC1, PC2 and PC3 should associate with MyVLAN1, and PC4 and PC5
should connect to MyVLAN2. Assign the MyVLAN1 SSID to VLAN 1 and
MyVLAN2 SSID to VLAN 2.
Can nodes PC1, PC2 and PC3 ping each other:
Show that PC4 and PC5 cannot communicate with PC1, PC2, and PC3.
15. Now configure the sub-interfaces for the radio port and define IEEE 802.1Q
tagging, and assign them to a bridge group:
(config)# interface Dot11Radio0.1
(config-if)# encapsulation dot1Q 1 native
(config-if)# bridge-group 1
(config-if)# interface Dot11Radio0.2
(config-if)# encapsulation dot1Q 2
(config-if)# bridge-group 2
Can nodes PC1, PC2 and PC3 ping each other:
Show that PC4 and PC5 cannot communicate with PC1, PC2, and PC3.
Dot11Radio0.1
  Protocols Configured:  Address:         Received:  Transmitted:
  Bridging               Bridge Group 1   17         9
  Bridging               Bridge Group 1   17         9
  Virtual LAN ID:
Dot11Radio0.2
  Protocols Configured:  Address:         Received:  Transmitted:
  Bridging               Bridge Group 2   1          0
  Bridging               Bridge Group 2   1          0
16. Now we will group the VLANs together, if required, with a bridge group. Thus:
(config-if)# interface Dot11Radio0.2
(config-if)# no bridge-group 2
(config-if)# bridge-group 1
Can nodes PC1, PC2 and PC3 ping each other:
Show that PC4 and PC5 can now communicate with PC1, PC2, and PC3.
Device    SSID               BVI       Host range           Radio channel
Aironet1  Scotland (VLAN 1)  10.0.0.4  10.0.0.10-10.0.0.12  2
          England (VLAN 2)             10.0.1.1-10.0.1.2
Aironet2  Ireland (VLAN 1)   10.0.0.2  10.0.0.13-10.0.0.15  3
          Wales (VLAN 2)               10.0.1.3-10.0.1.4
Aironet3  France (VLAN 1)    10.0.0.3  10.0.0.16-10.0.0.18  4
          Germany (VLAN 2)             10.0.1.5-10.0.1.6
Aironet4  USA (VLAN 1)       10.0.0.4  10.0.0.19-10.0.0.21  5
          Japan (VLAN 2)               10.0.1.7-10.0.1.8
1. Set up the connections, so that the first three nodes (PC1, PC2 and PC3)
associate with the first SSID (such as Scotland), and PC4 and PC5 connect
to the second SSID (such as England).
An outline of the configuration for Group A is:
(config)# dot11 ssid Scotland
(config-ssid)# authentication open
(config-ssid)# vlan 1
(config-ssid)# guest-mode
(config-ssid)# exit
(config)# dot11 ssid England
(config-ssid)# authentication open
(config-ssid)# vlan 2
(config-ssid)#exit
(config)# interface BVI1
(config-if)# ip address 192.168.0.110 255.255.255.0
(config)# interface Dot11Radio0
(config-if)# channel 1
(config-if)# ssid Scotland
(config-if)# ssid England
(config-if)# no shutdown
(config-if)# int fa0
(config-if)# no shutdown
Figure: Aironet 1 (10.0.0.1/24, console 192.168.1.100 Port 2001), Aironet 2 (10.0.0.2/24,
Port 2002) and Aironet 3 (10.0.0.3/24, Port 2003). Bench A nodes: 10.0.0.10-10.0.0.12/24
(VLAN 1) and 10.0.0.13-10.0.0.14/24 (VLAN 2). Bench B nodes: 10.0.0.15-10.0.0.17/24
(VLAN 1) and 10.0.0.18-10.0.0.19/24 (VLAN 2). Bench C nodes: 10.0.0.20-10.0.0.22/24
(VLAN 1) and 10.0.0.23-10.0.0.24/24 (VLAN 2).
2.
Now configure the sub-interfaces for the radio port and define IEEE 802.1Q
tagging, and assign them to a bridge group:
3. Now we will group the VLANs together, if required, with a bridge group. Thus:
(config-if)# interface Dot11Radio0.2
(config-if)# no bridge-group 2
(config-if)# bridge-group 1
Can nodes PC1, PC2 and PC3 ping each other:
Can nodes PC4 and PC5 ping each other:
Show that PC4 and PC5 can now communicate with PC1, PC2, and PC3.
What are the associations:
Now make sure that there is no bridge between the VLANs, and now conduct the
following:
Within VLAN 1 which nodes in the whole network can you ping:
Within VLAN 2 which nodes in the whole network can you ping:
Note: In native VLANs, frames in a VLAN are not modified when they are sent over
the trunk. Often these are known as the Management VLAN. These frames will thus be
standard Ethernet frames, and have no additional 802.1q information.
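To make the native-VLAN note concrete, here is an added example (not code from the lab manual) that builds and parses Ethernet frames with and without an 802.1Q tag. A tagged frame carries the 4-byte tag (TPID 0x8100 followed by the TCI, which holds the 3-bit priority and the 12-bit VLAN ID) between the source address and the EtherType; an untagged frame has nothing there, and a trunk port places it in the native VLAN. The native VLAN number 1 is taken from the encapsulation dot1Q 1 native command above; the addresses and payloads in the test are constructed.

```python
"""Build and parse 802.1Q-tagged Ethernet frames; untagged frames fall into the native VLAN.
Added example, not from the lab manual."""
import struct

TPID_8021Q = 0x8100
NATIVE_VLAN = 1  # follows 'encapsulation dot1Q 1 native' used above


def _mac_bytes(mac):
    """'0090.4b54.d83a' (Cisco dotted form) or '00:90:4b:54:d8:3a' -> 6 bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def _mac_str(raw):
    """6 bytes -> Cisco dotted form, matching the access-list notation on this page."""
    h = raw.hex()
    return "%s.%s.%s" % (h[0:4], h[4:8], h[8:12])


def build_frame(dst, src, ethertype, payload, vlan=None, priority=0):
    """Ethernet II frame; with vlan set, a 4-byte 802.1Q tag is inserted before the EtherType."""
    frame = _mac_bytes(dst) + _mac_bytes(src)
    if vlan is not None:
        if not (0 <= vlan <= 4095 and 0 <= priority <= 7):
            raise ValueError("vlan must be 0-4095 and priority 0-7")
        # TCI = PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
        tci = (priority << 13) | vlan
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame, native_vlan=NATIVE_VLAN):
    """Return addresses, VLAN, priority, tag flag, EtherType and payload of a frame.

    Untagged frames, and priority-tagged frames whose VID is 0, are assigned the
    native VLAN, which is how a trunk port treats them.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan, priority, tagged = 14, native_vlan, 0, False
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        priority, tagged, offset = tci >> 13, True, 18
        vlan = vid if vid != 0 else native_vlan
    return {"dst": dst, "src": src, "vlan": vlan, "priority": priority,
            "tagged": tagged, "ethertype": ethertype, "payload": frame[offset:]}


if __name__ == "__main__":
    tagged = build_frame("0090.4b54.d83a", "0060.b39f.cae1", 0x0800, b"ip", vlan=2)
    plain = build_frame("0090.4b54.d83a", "0060.b39f.cae1", 0x0806, b"arp")
    print(parse_frame(tagged)["vlan"], parse_frame(plain)["vlan"])
```

The parser shows why the native VLAN deserves attention when you check the trunk configuration: any frame that arrives without a tag is silently counted as VLAN 1 traffic, so the native VLAN on both ends of a trunk must agree, and a VLAN used for management should not be one that untagged traffic from a client can land in.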
Note: To enable multiple SSIDs to be broadcast (added by J.Graves):
dot11 ssid TEST1
mbssid guest-mode
dot11 ssid TEST2
mbssid guest-mode
then enable mbssid on the radio interface, and then add the SSIDs:
int Dot11Radio0
mbssid
ssid TEST1
ssid TEST2
Device    SSID               BVI       Host range           Radio channel
Aironet1  Scotland (VLAN 1)  10.0.0.4  10.0.0.10-10.0.0.12  2
          England (VLAN 2)             10.0.1.1-10.0.1.2
Aironet2  Ireland (VLAN 1)   10.0.0.2  10.0.0.13-10.0.0.15  3
          Wales (VLAN 2)               10.0.1.3-10.0.1.4
Aironet3  France (VLAN 1)    10.0.0.3  10.0.0.16-10.0.0.18  4
          Germany (VLAN 2)             10.0.1.5-10.0.1.6
Aironet4  USA (VLAN 1)       10.0.0.5  10.0.0.19-10.0.0.21  5
          Japan (VLAN 2)               10.0.1.7-10.0.1.8
3. Now we will group the VLANs together, if required, with a bridge group. Thus:
(config-if)# interface Dot11Radio0.2
(config-if)# no bridge-group 2
(config-if)# bridge-group 1
Can nodes PC1, PC2 and PC3 ping each other? Can nodes PC4 and PC5 ping each other?
Show that PC4 and PC5 can now communicate with PC1, PC2, and PC3. What are the associations:
Objective: You should be able to access the other VLAN on the same access point.
4. Now reassign the bridge-groups, such as:
(config-if)# interface Dot11Radio0.2
(config-if)# no bridge-group 1
(config-if)# bridge-group 2
Objective: You should not be able to access the other VLAN on the same access
point.
ENABLING TRUNKING BETWEEN VLANs
5. The switch which connects the Aironets can be accessed from 192.168.1.100 Port
2008. Log into the device, and view its configuration. 802.1q can be enabled and
trunked between the ports of the switch with:
# vlan database
(vlan)# vlan 1
(vlan)# vlan 2
(vlan)# exit
# config t
(config)# int fa0/1
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
(config-if)# int fa0/2
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
(config-if)# int fa0/3
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
(config-if)# int fa0/4
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
(config)# exit
# exit
6. Now make sure that there is no bridge between the VLANs, and now conduct the
following:
Within VLAN 1 which nodes in the whole network can you ping:
Within VLAN 2 which nodes in the whole network can you ping:
Objective: You should be able to ping any node in your VLAN, no matter which
access point they connect to, but not in other VLANs. PLEASE NOTE IT CAN TAKE
UP TO A MINUTE FOR THE TRUNKING TO OCCUR PLEASE BE PATIENT!
ENABLING IP ROUTING BETWEEN VLANs
7. Now we can enable routing between the VLANs, at Layer 3, with modifications
on the switch:
# config t
(config)# ip routing
(config)# vlan 1
(config-vlan)# exit
(config)# int vlan 1
(config-if)# ip address 10.0.0.254 255.255.255.0
(config-if)# exit
(config)# vlan 2
(config-vlan)# exit
(config)# int vlan 2
(config-if)# ip address 10.0.1.254 255.255.255.0
(config-if)# exit
8. Now make sure that you set the default gateway for nodes in VLAN 1 to
10.0.0.254, and for VLAN 2 to 10.0.1.254. This will send all the unknown traffic to
the switch.
Within VLAN 1 which nodes in the whole network can you ping:
Within VLAN 2 which nodes in the whole network can you ping:
Objective: You should now be able to get the whole network to communicate.
Example configurations
Access Point 1:
config t
dot11 ssid Scotland
mbssid guest-mode
authentication open
vlan 1
exit
dot11 ssid England
mbssid guest-mode
authentication open
vlan 2
exit
int BVI1
ip address 10.0.0.4 255.255.255.0
no shut
exit
int d0
mbssid
ssid Scotland
ssid England
channel 1
no shut
exit
int fa0
no shut
exit
int d0.1
encapsulation dot1q 1 native
int fa0.1
encapsulation dot1q 1 native
exit
int d0.2
encapsulation dot1q 2
bridge-group 2
int fa0.2
encapsulation dot1q 2
bridge-group 2
exit
Access Point 2:
config t
dot11 ssid Ireland
mbssid guest-mode
authentication open
vlan 1
exit
dot11 ssid Wales
mbssid guest-mode
authentication open
vlan 2
exit
int BVI1
ip address 10.0.0.5 255.255.255.0
no shut
exit
int d0
mbssid
ssid Ireland
ssid Wales
channel 2
no shut
exit
int fa0
no shut
exit
int d0.1
encapsulation dot1q 1 native
int fa0.1
encapsulation dot1q 1 native
exit
int d0.2
encapsulation dot1q 2
bridge-group 2
int fa0.2
encapsulation dot1q 2
bridge-group 2
exit
Switch configuration
vlan database
vlan 1
vlan 2
exit
config t
int fa0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport nonegotiate
int fa0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport nonegotiate
int fa0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport nonegotiate
int fa0/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport nonegotiate
exit
exit
IP Routing on switch
config t
ip routing
int vlan 1
ip address 10.0.0.254 255.255.255.0
no shutdown
int vlan 2
ip address 10.0.1.254 255.255.255.0
no shutdown
The setup for the lab is defined in Figure 1, and the details are:
Group  Device    SSID                      BVI          Host range                 Radio channel
A      Aironet1  InfrastructureA (VLAN 1)  192.168.2.1  192.168.2.10-192.168.2.14  2
                 ClientA (VLAN 2)
B      Aironet2  InfrastructureB (VLAN 1)  192.168.2.2  192.168.2.15-192.168.2.19  3
                 ClientB (VLAN 2)
C      Aironet3  InfrastructureC (VLAN 1)  192.168.2.3  192.168.2.20-192.168.2.24  4
                 ClientC (VLAN 2)
D      Aironet4  InfrastructureD (VLAN 1)  192.168.2.4  192.168.2.25-192.168.2.29  5
                 ClientD (VLAN 2)
Figure 1: Setup
1. Configure the AP with the following commands. Note, erase the startup-config
initially, and re-boot. An outline for Group A is as follows:
int d0.1
encapsulation dot1q 1 native
bridge-group 1
exit
int d0.2
encapsulation dot1q 2
bridge-group 1
exit
dot11 ssid InfrastructureA
mbssid guest-mode
authentication open
vlan 1
exit
dot11 ssid ClientA
mbssid guest-mode
authentication network-eap eap_methods
vlan 2
exit
int BVI1
ip address 192.168.2.1 255.255.255.0
exit
int d0
mbssid
ssid InfrastructureA
ssid ClientA
encryption vlan 2 key 2 size 40bit aaaaaaaaaa transmit-key
encryption vlan 2 mode wep mandatory
channel 2
no shut
exit
int fa0
no shut
exit
aaa new-model
aaa group server radius rad_eap
server 192.168.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa session-id common
radius-server host 192.168.2.10 auth-port 1812 acct-port 1813 key testing123
4. Start the RADIUS server in debug mode. Debug mode is very useful, as it will
inform you of all RADIUS authentication requests, and exactly what it does with
them. You may want to monitor this window when trying to authenticate a
machine, to check to see if it works.
C:\Program Files\FreeRADIUS.net-1.1.1-r0.0.1\bin> radiusd.exe -d ../etc/raddb AX
5. Attempt to authenticate the other client to the Client SSID. For this, you will have
to use the Cisco Aironet 350 wireless card in your machine. You must disable the
Belkin wireless adaptor for this to work properly. Once you have done so, start
the Cisco adaptor, click on the Aironet Client Utility (ACU), and you'll see a
screen like this:
Click on Profile Manager, and enter a new name for the profile:
Click OK, and enter your Client ID into the SSID1 field.
Click on the Network Security Tab, and set the screen as follows:
Click OK, and select your profile. When prompted, enter the user name and
password:
Username: testuser
Password: testpw
Clear the domain box, and click OK. Your main ACU window should display
whether you've been successful or not. Once you have a successful authentication,
assign an IP address to the adaptor.
6. Show, on the access point, that you have two associations: one should be an
open association (Assoc) and the other should be an EAP association (EAP-Assoc):
ap#show dot11 assoc
802.11 Client Stations on Dot11Radio0:

SSID [ClientA] :
MAC Address      IP address      Device       Name        Parent   State
0009.7cd1.9075   192.168.2.22    350-client   WLAN-PC13   self     EAP-Assoc

SSID [InfrastructureA] :
MAC Address      IP address      Device       Name        Parent   State
0011.5015.b71c   192.168.2.10    4500-radio   -           self     Assoc
9. Explore the users file, which is kept in the C:\Program Files\FreeRADIUS.net-1.1.1-r0.0.1\etc\raddb directory. Try and add a few new users. Make sure you
restart the RADIUS server. An example of two new users is:
testuser    User-Password == "testpw"
bill        User-Password == "bill"
(The User-Password == check item is the FreeRADIUS 1.x form used here; FreeRADIUS 2.x and later expect Cleartext-Password := "..." instead.)
10. Use Ethereal to monitor the packets arriving at the RADIUS server. Look at the
RADIUS debug screen at the same time, and determine what's happening.
What does it say when you enter an incorrect username and password?
What happens when you change the server secret in the clients.conf file?
How does it differ when incorrect information is supplied to the RADIUS server?
Why not?
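The questions above all turn on the shared secret. As an added example (not the lab's own code, and a stand-in for FreeRADIUS rather than its implementation), the following Python toy client and server implement the two places RFC 2865 uses the secret: hiding User-Password with an MD5 keystream seeded by the Request Authenticator, and sealing the reply with a Response Authenticator. The secret testing123 and the two users are the lab's values; packet contents are constructed here. It shows why a changed secret in clients.conf makes the server decode a garbage password (so its debug output shows a Reject even for the right password) and why the access point then cannot verify the reply.

```python
"""RADIUS shared secret at work (RFC 2865): User-Password hiding and the
Response Authenticator.

Added example, not the lab's own code.  A toy client and a toy server with a
users table like FreeRADIUS's users file show what changes when the secret in
clients.conf no longer matches the one on the access point.  The secret
"testing123" and the users are the lab's values; packet bytes are built here.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute types


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; block i is XORed with
    MD5(secret + previous ciphertext block), the first block with
    MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; with the wrong secret the result is random bytes."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def access_request(ident, username, password, secret, request_auth):
    """Code(1) Identifier Length Request-Authenticator(16) Attributes..."""
    attrs = attribute(USER_NAME, username) + attribute(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(packet, secret, users):
    """Decode the password with the server's secret, check the users table,
    answer Accept or Reject, and seal the reply with the Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    user = attrs[USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_verify(response, request_auth, secret):
    """A real client (the access point) drops replies whose Response Authenticator
    does not verify, which is why a secret mismatch looks like a dead RADIUS server."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return resp_auth == hashlib.md5(header + request_auth + attrs + secret).digest()


USERS = {"testuser": b"testpw", "bill": b"bill"}   # the lab's users file entries


def exchange(client_secret, server_secret, username=b"testuser", password=b"testpw"):
    """One Access-Request and reply; returns (server's verdict code, reply verified by client)."""
    request_auth = os.urandom(16)
    request = access_request(7, username, password, client_secret, request_auth)
    response = server_handle(request, server_secret, USERS)
    return response[0], client_verify(response, request_auth, client_secret)


if __name__ == "__main__":
    print(exchange(b"testing123", b"testing123"))                    # (2, True)
    print(exchange(b"testing123", b"testing123", password=b"bad"))   # (3, True)
    print(exchange(b"changed", b"testing123"))                       # (3, False)
```

In the capture, User-Name travels in clear while User-Password is 16 opaque bytes per block; the secret itself never crosses the wire, but anyone who knows or guesses it can run reveal_password over a captured request, which is why a weak or default secret is as serious as a weak password.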
Group   SSID       BVI        Host range             Aironet    Radio channel
A       Scotland   10.0.0.4   10.0.0.10-10.0.0.14    Aironet1   2
B       England    10.0.0.2   10.0.0.15-10.0.0.19    Aironet2   3
C       Ireland    10.0.0.3   10.0.0.20-10.0.0.24    Aironet3   4
D       Wales      10.0.0.5   10.0.0.25-10.0.0.29    Aironet4   5
1. Once you have set the network up, install NetSNMP on the Windows machines.
Enable SNMP on the Aironet with the commands:
(config)# snmp-server community public
(config)# snmp-server contact YOURNAME
(config)# snmp-server location C6 lab bench A
(config)# snmp-server chassis-id napier
SNMP Version:
Community string:
System Description:
MAC address of the E0 port:
MAC address of the D0 port:
Up time (s):
Contact name:
MTU (Ethernet):
MTU (D0):
Speed (D0):
IP address (BVI1):
3. Now use the snmpwalk command to view the contents of the tables in the MIB,
such as:
C:\usr\bin> snmpwalk -Os -c public -v 1 10.0.0.4 system
sysDescr.0 = STRING: Wireless-G ADSL Gateway
sysObjectID.0 = OID: enterprises.3955.1.1
snmp-server community Napier
snmp-server contact YOURNAME
snmp-server location C6 lab
snmp-server chassis-id napier
Which command would you now use to show the SYSTEM table:
5. Ping the Aironet. Now determine the entries which show the ping:
C:\usr\bin> snmpwalk -Os -c public -v 1 10.0.0.4 icmp
icmpInMsgs.0 = Counter32: 14
icmpInErrors.0 = Counter32: 0
icmpInDestUnreachs.0 = Counter32: 2
. . .
7. Now use the snmpwalk command to view the full details of the tables in the
MIB, such as:
C:\usr\bin> snmpwalk -c public -v 1 10.0.0.10 system
SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 6 Model 13 Stepping 8
AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600
Uniprocessor Free)
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.311.1.1.3.1.1
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (662239) 1:50:22.39
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: BILL-93D44FD838
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 76
IF-MIB::ifNumber.0 = INTEGER: 5
IF-MIB::ifIndex.1 = INTEGER: 14
10. Once you have set the network up, install the NapierSNMP program on the
Windows machines. Now, using the client, view the SNMP information on the
hosts, and also on the Aironet.
Figure 2:
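As an added example (not the lab's own code), the following Python builds, byte by byte, the SNMPv1 GetRequest that snmpwalk -v 1 -c public sends for sysDescr.0 (snmpwalk itself iterates with GetNextRequest, PDU tag 0xA1, which the same function can produce) and then reads the community string straight back out of the packet, which is what Ethereal does with the lab's traffic. SNMPv1 carries the community string in clear with no integrity check, so changing it from public to Napier only helps against guessing, not against a sniffer. The OIDs and community strings are the lab's; the packet bytes are constructed here.

```python
"""SNMPv1 on the wire: build the request that `snmpwalk -v 1 -c public` sends
and pull the community string straight back out of the bytes.

Added example, not part of the lab manual.  It hand-encodes the BER so that
nothing beyond the standard library is needed; the OIDs and community strings
are the lab's own, the packet bytes are constructed here.
"""
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT_REQUEST = 0xA0, 0xA1   # context tags of the PDU choice
SNMP_V1 = 0


def ber_len(n):
    """BER length: short form below 128, else 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def enc_int(v):
    """Minimal two's-complement INTEGER (values here are small and non-negative)."""
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128
    big-endian with the continuation bit set on all but the last byte."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def snmpv1_request(community, oid, request_id=1, pdu_tag=GET_REQUEST):
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }
    PDU ::= [tag] { request-id, error-status, error-index, SEQUENCE OF VarBind }"""
    varbind = tlv(SEQUENCE, enc_oid(oid) + tlv(NULL, b""))
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0)
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, enc_int(SNMP_V1) + tlv(OCTET_STRING, community.encode()) + pdu)


def ber_read(data, i=0):
    """Return (tag, body, index-after-element) for the element at data[i]."""
    tag, length = data[i], data[i + 1]
    i += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[i:i + n], "big")
        i += n
    return tag, data[i:i + length], i + length


def dec_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def sniff(packet):
    """What Ethereal shows for a captured SNMPv1 request: version, community
    (plaintext, no integrity protection), PDU type and the OIDs asked for."""
    _, msg, _ = ber_read(packet)
    _, ver, i = ber_read(msg)
    _, community, i = ber_read(msg, i)
    pdu_tag, pdu, _ = ber_read(msg, i)
    j = 0
    for _ in range(3):                       # request-id, error-status, error-index
        _, _, j = ber_read(pdu, j)
    _, vbl, _ = ber_read(pdu, j)
    oids, k = [], 0
    while k < len(vbl):
        _, vb, k = ber_read(vbl, k)
        _, oid, _ = ber_read(vb)
        oids.append(dec_oid(oid))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(),
            "pdu": pdu_tag, "oids": oids}


if __name__ == "__main__":
    pkt = snmpv1_request("public", "1.3.6.1.2.1.1.1.0")       # sysDescr.0
    print(pkt.hex())
    print(sniff(pkt))
```

The whole 40-byte request can be compared against the Ethereal decode of a real snmpwalk: the community string is visible as an ASCII run right after the version byte. A read-only community still discloses the interface and ARP tables you walked above, and a read-write one lets a sniffer reconfigure the device, so on this kind of network the community should be treated as a password that is broadcast to every node on the VLAN.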
12.2 Logging
The use of logging is important in most networks, especially where there are
multiple devices. One method is to use a Syslog server, which gathers the alerts
from the devices on the network. Along with this, this lab investigates the TELNET
protocol, which is insecure because the user ID and password of the user are
carried in the data packets in plain text. The main objectives are:
1.
on all the clients on the network (such as on 10.0.0.10), and start the service
with:
Manage-> Install the Syslogd service
Manage-> Start the Syslogd service
2. Next, enable logging to the Syslog server for each of the nodes with:
# config t
(config)# logging 10.0.0.10
(config)# logging 10.0.0.11
(config)# logging 10.0.0.12
(config)# logging 10.0.0.13
(config)# logging 10.0.0.14
3. Once it has been set up, verify the operation of the Syslog server by typing in
commands, and prompting messages, such as shown in Figure 3.
Do you receive messages on the Syslog server on all the nodes:
4. The remote login is a source of insecurity, and often the device is set up so that
only certain devices can log in to the access point. In the following example,
a single device (10.0.0.10) is the only one allowed to TELNET into the access
point:
Modify it so that it excludes just one address (such as 10.0.0.11) from access, but allows any
other address. What is the configuration which achieves this:
5. Often there are problems with intruders who continually try to log in. It
is possible to log when the deny part of the access-list fires, such as:
6. Now, try to log in using a device which is barred from TELNET access, and
verify with sh log that you get a message such as:
*Mar 00:50:44.077: %SEC-6-IPACCESSLOGS: list denied 192.168.0.1 packet
Do you get this message:
Setup the access point to send this message to the Syslog server. Is it received correctly:
Modify the access-list so that the Syslog server also receives a message on a successful access.
What is the configuration used:
7. Banners are a way to pass a message to users as they log in. Typically they are
used to display a message-of-the-day, or to inform users of a change of status.
In the first example, set up the EXEC banner with:
ap(config)#banner exec #
Enter TEXT message. End with the character '#'.
You have now entered EXEC mode.
Please be careful when you access the device.
Thank you.
#
10. Using a TELNET or SSH session, now log in to the device, and determine
where the messages are shown.
Which messages do you receive:
11. Set up a network so that users logging into the network receive the following
message-of-the-day message:
This is a private network maintained by Napier University.
You should only use this network if you are authorized by C&IT.
Use by unauthorized persons is not allowed.
Additional tutorials
12. Set up the previous network. Now change it so that Warning messages, and
above, are logged. Verify this.
13. Set up a network so that 10.0.0.10 and 10.0.0.11 can access the wireless access
point with TELNET, whereas the other nodes cannot. A successful and an
unsuccessful login should be logged on the Syslog server.
14. Set up a network so that 10.0.0.10 and 10.0.0.11 cannot access the wireless
access point with TELNET, whereas the other nodes can. A successful and
an unsuccessful login should be logged on the Syslog server.
15. Set up a network so that only one SSH session is possible on the wireless
access point.
16. Set up a network so that the Syslog server logs all the successful and
unsuccessful radio associations.
17. Create a network which allows up to two TELNET sessions with a timeout for
each session of one minute, and up to five SSH sessions with a session
timeout of two minutes.
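The Syslog server in this lab is only useful if someone reads what arrives. As an added example (not the lab's own code), the following Python parses IOS syslog lines the way a Syslog server receives them, sums the access-list denies per source address from the %SEC-6-IPACCESSLOGS message of step 6, extracts login results for the logging asked for in tutorials 13 and 14, and checks which messages would survive the severity filter of tutorial 12. The sample lines are constructed: the ACL line follows the message quoted in step 6 (with the access-list number and packet count that the real message carries), and the %SEC_LOGIN lines follow the format IOS uses when login success and failure logging is configured (assumed here; addresses, times and the sequence numbers are made up).

```python
"""Parse IOS syslog messages as a Syslog server receives them and pick out
repeated TELNET denies and login results.

Added example, not part of the lab.  SAMPLE is constructed: the
%SEC-6-IPACCESSLOGS line follows the message quoted in step 6 of the lab,
the %SEC_LOGIN lines follow the IOS login success/failure format (assumed);
addresses and times are made up.
"""
import re
from collections import defaultdict

# IOS severity levels: 0 emergencies ... 4 warnings ... 6 informational, 7 debugging.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>"                                   # syslog PRI = facility*8 + severity
    r"(?:(?P<seq>\d+): )?"                               # present with `service sequence-numbers`
    r"(?P<stamp>\*?\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): "   # leading * = clock not authoritative
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): "
    r"(?P<text>.*)$")
ACL_DENY_RE = re.compile(r"list (\S+) denied (\S+) (\d+) packets?")
FIELD_RE = r"\[{}: ([^\]]*)\]"

SAMPLE = [  # constructed lines, in the order a Syslog server would receive them
    "<190>12: *Mar  1 00:50:44.077: %SEC-6-IPACCESSLOGS: list 1 denied 10.0.0.11 1 packet",
    "<190>13: *Mar  1 00:50:49.201: %SEC-6-IPACCESSLOGS: list 1 denied 10.0.0.11 1 packet",
    "<190>14: *Mar  1 00:51:02.554: %SEC-6-IPACCESSLOGS: list 1 denied 10.0.0.11 3 packets",
    "<190>15: *Mar  1 00:51:10.010: %SEC-6-IPACCESSLOGS: list 1 denied 10.0.0.12 1 packet",
    "<189>16: *Mar  1 00:52:00.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bill] "
    "[Source: 10.0.0.10] [localport: 23] at 00:52:00 UTC Mon Mar 1 1993",
    "<188>17: *Mar  1 00:52:30.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 10.0.0.11] [localport: 23] [Reason: Login Authentication Failed] "
    "at 00:52:30 UTC Mon Mar 1 1993",
]


def parse(line):
    """Split one line into PRI-derived facility/severity plus the IOS %FAC-SEV-MNEMONIC header."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["syslog_facility"], rec["syslog_severity"] = divmod(int(rec["pri"]), 8)
    rec["sev"] = int(rec["sev"])
    return rec


def reaches_server(rec, trap_level):
    """`logging trap <level>` forwards messages at that severity or more urgent
    (numerically lower); with `logging trap warnings` (4) the level-6 ACL log is dropped."""
    return rec["sev"] <= trap_level


def denied_sources(lines, threshold=3):
    """Sum denied packets per source from %SEC-6-IPACCESSLOGS; return those at or over threshold."""
    counts = defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        m = ACL_DENY_RE.search(rec["text"]) if rec["mnemonic"] == "IPACCESSLOGS" else None
        if m:
            counts[m.group(2)] += int(m.group(3))
    return {src: n for src, n in counts.items() if n >= threshold}


def login_events(lines):
    """(outcome, user, source) for each %SEC_LOGIN success/failure message."""
    events = []
    for rec in filter(None, map(parse, lines)):
        if rec["facility"] != "SEC_LOGIN":
            continue
        user = re.search(FIELD_RE.format("user"), rec["text"])
        src = re.search(FIELD_RE.format("Source"), rec["text"])
        outcome = "success" if rec["mnemonic"] == "LOGIN_SUCCESS" else "failed"
        events.append((outcome, user.group(1) if user else "", src.group(1) if src else ""))
    return events


if __name__ == "__main__":
    print("repeated denies:", denied_sources(SAMPLE))
    print("logins:", login_events(SAMPLE))
    for rec in filter(None, map(parse, SAMPLE)):
        print(rec["mnemonic"], SEVERITY[rec["sev"]],
              "forwarded" if reaches_server(rec, 4) else "dropped", "at trap=warnings")
```

Two things a practitioner should take from running it: the access-list log is emitted at severity 6, so the tutorial 12 configuration (warnings and above) silently stops the intruder evidence from reaching the Syslog server, and the login failure from 10.0.0.11 lines up with the denied TELNET attempts from the same address, which is the correlation you want the server to surface rather than leave in a scrolling window.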