
IAUWS

Course Management

Overview Implementing Advanced Cisco Unified Wireless Security (IAUWS) v1.0 is a five-day instructor-led course, designed to help students prepare for the CCNP® Wireless certification, a professional-level certification specializing in the wireless field. The goal of the course is to provide network professionals with the information they need to secure the wireless network from security threats through appropriate security policies and best practices, and to ensure the proper implementation of security standards and the proper configuration of security components. The IAUWS course reinforces the instruction with hands-on labs to ensure that students thoroughly understand how to secure a network.

Outline The Course Management section of the Course Administration Guide includes these topics:

Overview

Course Instruction Details

Course Evaluations

Equipment List

Course Version This is the original release of the course named Implementing Advanced Cisco Unified Wireless Security (IAUWS) v1.0.

Course Objectives Upon completing this course, the learner will be able to meet these overall objectives:

Translate organizational and regulatory security policies and enforce security compliances

Integrate security on client devices

Design and implement guest access services on the WLAN controller

Design and integrate a wireless network with Cisco NAC Appliance


2 Implementing Advanced Cisco Unified Wireless Security (IAUWS) v1.0 © 2009 Cisco Systems, Inc.

Implement secure wireless connectivity services on the WLAN controller

Use the internal security features on the WLAN controller and integrate the WLAN controller with advanced security platforms to isolate and mitigate security threats to the WLAN


© 2009 Cisco Systems, Inc. Course Administration Guide 3

Target Audience The primary and secondary target audiences of this course are as follows:

Wireless network engineers (primary audience)

Wireless test engineers (primary audience)

Wireless network administrators (primary audience)

Wireless network managers (primary audience)

Mid-level wireless support engineers (primary audience)

Project managers (secondary audience)

Program managers (tertiary audience)

Other – sales and marketing personnel (tertiary audience)

The primary audience is formed of individuals who are tasked with performing or overseeing site surveys for WLAN solution implementations.

The secondary and tertiary audiences consist of individuals who need to know how to sell, design, install, and support site surveys for WLAN solution implementations.

Learner Skills and Knowledge The knowledge and skills that a learner must have before attending this course are as follows:

Interconnecting Cisco Networking Devices Part 1 (ICND1)

Interconnecting Cisco Networking Devices Part 2 (ICND2)

Implementing Cisco Unified Wireless Networking Essentials (IUWNE) v1.0


Course Instruction Details This topic provides the information that you need to prepare the course materials and set up the classroom environment.

Instructor Requirements To teach this course, instructors must have attended the following training or completed the following requirements:

Be an active Cisco Certified Systems Instructor in good standing

Attend a Train the Trainer (TTT) or open enrollment delivery of a course facilitated by a qualified Cisco Certified Systems Instructor

Pass an Implementing Advanced Cisco Unified Wireless Security exam at the Instructor pass score

Note Submit questions concerning instructor certification to [email protected].

Classroom Reference Materials These items should be available for the learner during the course:

Student Guide

Lab Guide

Course Evaluation Form

Class Environment This information describes recommended class size and classroom setup:

Room set up classroom style with chairs and tables large enough for 16 learners

Eight pairs of chairs sharing access to eight laptops

Projector to display course slides and projection screen as needed

Sufficient power for all equipment

For local labs, rack and floor space to locate all equipment

Course Flow This is the suggested course schedule. You may make adjustments based on the skills, knowledge, and preferences of the learners in attendance. The presentation of all topics is optional for noncertification offerings, but you are encouraged to use them because they are designed to reinforce the lesson concepts and ensure that learners apply some of the concepts.

Day 1: Course Introduction, Describing Regulatory Compliance, Segmenting Traffic, Configuring Administrative Security, Managing WLAN Controller and Cisco WCS Alarms, Identifying Security Audit Tools, Configuring EAP Authentication

Time | Session | Topic
8:30–9:00 (0830–0900) | Module 0 | Course Introduction
9:00–10:00 (0900–1000) | Module 1 Lesson 1 | Describing Regulatory Compliance
10:00–10:15 (1000–1015) | Break
10:15–11:00 (1015–1100) | Module 1 Lesson 2 | Segmenting Traffic
11:00–12:00 (1100–1200) | Lab 1-1 | Segmenting Traffic
12:00–1:00 (1200–1300) | Lunch
1:00–1:45 (1300–1345) | Module 1 Lesson 3 | Configuring Administrative Security
1:45–2:30 (1345–1430) | Lab 1-2 | Configuring Administrative Security
2:30–2:45 (1430–1445) | Break
2:45–3:15 (1445–1515) | Module 1 Lesson 4 | Managing WLAN Controller and Cisco WCS Alarms
3:15–3:45 (1515–1545) | Module 1 Lesson 5 | Identifying Security Audit Tools
3:45–4:05 (1545–1605) | Module Summary and Self Check
4:05–5:00 (1605–1700) | Module 2 Lesson 1 | Configuring EAP Authentication
5:00 (1700) | Day ends

Day 2: Configuring EAP Authentication, Describing the Impact of Security on Applications and Roaming, Configuring the Cisco Secure Services Client, Troubleshooting Wireless Connectivity, Describing Guest Access Architecture, Configuring the WLAN to Support Guest Access, Configuring Guest Access Accounts

Time | Session | Topic
8:00–8:30 (0800–0830) | Review of Day 1
8:30–8:50 (0830–0850) | Module 2 Lesson 1 | Configuring EAP Authentication (continued)
8:50–9:05 (0930–1200) | Lab 2-1 | Configuring EAP Authentication on the Clients
9:05–10:00 (0905–1000) | Module 2 Lesson 2 | Describing the Impact of Security on Applications and Roaming
10:00–10:15 (1000–1015) | Break
10:15–11:15 (1015–1115) | Module 2 Lesson 3 | Configuring Cisco Secure Services Client
11:15–12:00 (1115–1200) | Lab 2-2 | Configuring Cisco Secure Services Client
12:00–1:00 (1200–1300) | Lunch
1:00–1:20 (1300–1320) | Module 2 Lesson 4 | Troubleshooting Wireless Connectivity
1:20–2:20 (1400–1450) | Lab 2-3 | Troubleshooting Wireless Connectivity
2:20–2:40 (1420–1435) | Module 2 Summary and Self Check
2:40–2:55 (1440–1455) | Break
2:55–3:15 (1455–1515) | Module 3 Lesson 1 | Describing Guest Access Architecture
3:15–3:45 (1515–1545) | Module 3 Lesson 2 | Configuring the WLAN to Support Guest Access
3:45–4:15 (1545–1615) | Lab 3-1 | Configure the WLAN to Support Guest Access
4:15–5:00 (1615–1700) | Module 3 Lesson 3 | Configuring Guest Access Accounts
5:00 (1700) | Day ends

Day 3: Configure a Controller to Use the Cisco NGS for Authentication, Troubleshooting Guest Access, Introducing the Cisco NAC Appliance Solution, Configuring the Controller for Cisco NAC Out-of-Band Operations, Configuring Authentication for the WLAN Infrastructure

Time | Session | Topic
8:00–8:30 (0800–0830) | Review of Day 2
8:30–9:30 (0830–0930) | Lab 3-2 | Configure a Controller to Use the Cisco NGS for Authentication
9:30–9:45 (0930–0945) | Module 3 Lesson 4 | Troubleshooting Guest Access
9:45–10:00 (0945–1015) | Lab 3-3 | Troubleshooting Guest Access
10:00–10:15 (1000–1015) | Break
10:15–11:00 (1015–1100) | Lab 3-3 | Troubleshooting Guest Access (Cont.)
11:00–11:20 (1100–1120) | Module Summary and Self Check
11:20–12:00 (1120–1200) | Module 4 Lesson 1 | Introducing the Cisco NAC Appliance Solution
12:00–1:00 (1200–1300) | Lunch
1:00–1:30 (1300–1335) | Module 4 Lesson 2 | Configuring the Controller for Cisco NAC Out-of-Band Operations
1:30–2:15 (1330–1415) | Lab 4-1 | Configuring the Controller for Cisco NAC
2:15–2:30 (1415–1430) | Break
2:30–2:50 (1430–1450) | Module Summary and Self Check
2:50–3:50 (1450–1550) | Module 5 Lesson 1 | Configuring Authentication for the WLAN Infrastructure
3:50–4:25 (1550–1625) | Lab 5-1 | Configuring Local Authentication on the WLAN Controller
4:25–5:00 (1625–1700) | Lab 5-2 | Configuring H-REAP for WAN Failure
5:00 (1700) | Day ends

Day 4: Configuring Management Frame Protection, Configuring Certificate Services, Implementing Access Control Lists, Implementing Identity Based Networking, Troubleshooting Secure Wireless Connectivity, Mitigating Wireless Vulnerabilities

Time | Session | Topic
8:00–8:30 (0800–0830) | Review of Day 3
8:30–9:00 (0830–0855) | Module 5 Lesson 2 | Configuring Management Frame Protection
9:00–9:30 (0900–0930) | Lab 5-3 | Configuring Management Frame Protection
9:30–10:15 (0930–1015) | Module 5 Lesson 3 | Configuring Certificate Services
10:15–10:30 (1015–1030) | Break
10:30–11:30 (1030–1130) | Lab 5-4 | Configuring Certificate Services
11:30–12:00 (1130–1200) | Module 5 Lesson 4 | Implementing Access Control Lists
12:00–1:00 (1200–1300) | Lunch
1:00–1:30 (1300–1330) | Lab 5-5 | Implementing Access Control Lists
1:30–2:00 (1330–1400) | Module 5 Lesson 5 | Implementing Identity Based Networking
2:00–2:30 (1400–1440) | Lab 5-6 | Implementing Identity Based Networking
2:30–2:45 (1430–1445) | Break
2:45–3:15 (1445–1500) | Module 5 Lesson 6 | Troubleshooting Secure Wireless Connectivity
3:15–3:45 (1515–1545) | Lab 5-7 | Troubleshooting H-REAP Security Issues
3:45–4:00 (1545–1600) | Module Summary and Self Check
4:00–5:00 (1600–1700) | Module 6 Lesson 1 | Mitigating Wireless Vulnerabilities
5:00 (1700) | Day ends

Day 5: Mitigating Wireless Vulnerabilities, Managing Rogue Access Points, Understanding Cisco’s End-to-End Security Solutions, Integrating Cisco WCS and Wireless IPS

Time | Session | Topic
8:00–8:30 (0800–0830) | Review of Day 4
8:30–10:00 (0830–1000) | Module 6 Lesson 1 | Mitigating Wireless Vulnerabilities (Cont.)
10:00–10:15 (1000–1015) | Break
10:15–11:00 (1015–1100) | Lab 6-1 | Managing Rogue Access Points
11:00–12:00 (1100–1200) | Lab 6-2 | Managing IDS Signatures
12:00–1:00 (1200–1300) | Lunch
1:00–3:00 (1300–1330) | Module 6 Lesson 2 | Understanding Cisco’s End-to-End Security Solutions (Cont.)
3:00–3:15 (1500–1515) | Break
3:15–4:00 (1515–1600) | Module 6 Lesson 3 | Integrating Cisco WCS and Wireless IPS
4:00–4:30 (1600–1630) | Module Summary and Self Check
4:30–5:00 (1630–1700) | Wrap-up

High-Level Course Outline This subtopic provides an overview of how the course is organized. The course contains these components:

Course Introduction

Organizational and Regulatory Security Policies

Secure Client Devices

Design and Implement Guest Access Services

Design and Integrate Wireless Network with Cisco NAC Appliance

Internal and Integrated External Attacks Mitigations


Detailed Course Outline This in-depth outline of the course structure lists each module, lesson, and topic.

Course Introduction The Course Introduction provides learners with the course objectives and prerequisite learner skills and knowledge. The Course Introduction presents the course flow diagram and the icons that are used in the course illustrations and figures. This course component also describes the curriculum for this course, providing learners with the information that they need to make decisions regarding their specific learning path.

Overview

— Learner Skills and Knowledge

Course Goal and Objectives

Course Flow

Additional References

— Cisco Glossary of Terms

Your Training Curriculum

Module 1 of 7: Organizational and Regulatory Security Policies Upon completion of this module, the student should be able to translate organizational and regulatory security policies and enforce security compliances.

Lesson 1: Describing Regulatory Compliance This lesson describes regulatory compliance considerations. Upon completing this lesson, the learner will be able to meet these objectives:

Identify and categorize various common wireless vulnerabilities

Describe the various industry standards and associations and how they affect wireless implementations

Describe the various regulatory compliance acts, what industries they affect, and how they affect wireless implementations

The lesson includes these topics:

Categorizing Wireless Vulnerabilities

Industry Standards and Associations

Regulatory Compliance

Lesson 2: Segmenting Traffic This lesson defines how to segment traffic into different VLANs. Upon completing this lesson, the learner will be able to meet these objectives:

Describe the segmentation of wireless traffic by application type on the controller

Describe the segmentation of wireless traffic by security capabilities on the controller

Describe the segmentation of wireless traffic by QoS policy on the controller


The lesson includes these topics:

Segmenting Traffic By Application

Segmenting Traffic By Security Capabilities

Segmenting Traffic by QoS Policy

The lesson includes this activity:

Lab 1-1: Segmenting Traffic

Lesson 3: Configuring Administrative Security This lesson defines how to configure administrative security on the controller. Upon completing this lesson, the learner will be able to meet these objectives:

Describe when and how to configure local management authentication on the controller

Describe how to configure RADIUS on the controller to provide authentication and accounting services to management users

Describe how to configure the Cisco Secure ACS to support RADIUS authentication of administrative users on the controller

Describe how to configure TACACS+ on the controller to provide AAA services to management users

Describe how to configure the Cisco Secure ACS to support TACACS+ authentication of administrative users on the controller

Describe how to configure the controller to allow management over wireless

Describe how the controller can be used to change the default Cisco username, password, and enable password on the access point

The lesson includes these topics:

Authenticating Management Users Locally

Authenticating Management Users on RADIUS

Configuring the Cisco Secure ACS for RADIUS

Authenticating Management Users on TACACS+

Configuring the Cisco Secure ACS for TACACS+

Enabling Management Over Wireless

Configuring Credentials for Access Points

The lesson includes this activity:

Lab 1-2: Configuring Administrative Security

Lesson 4: Managing WLAN Controller and Cisco WCS Alarms This lesson defines how to manage WLAN controller and Cisco WCS alarms. Upon completing this lesson, the learner will be able to meet these objectives:

Describe how to configure system message logging, Syslog server, and SNMP trap notification on the controller


Describe how to configure logging options and SMTP mail server notification on the Cisco WCS

The lesson includes these topics:

Configuring Logging and Trap Notification on the Controller

Configuring Logging and Message Notification on the Cisco WCS

Lesson 5: Identifying Security Audit Tools This lesson defines how to describe security audit tools. Upon completing this lesson, the learner will be able to meet these objectives:

Describe the framework for wireless penetration testing and examine the mitigations at each level of the framework

Describe when and how to perform a wireless security audit and the tools available to perform them

The lesson includes these topics:

Wireless Security Audits

Performing a Wireless Security Audit

Module 2 of 7: Secure Client Devices Upon completion of this module, the learner should be able to integrate security on client devices.

Lesson 1: Configuring EAP Authentication This lesson defines how to configure client devices for secure EAP authentication. Upon completing this lesson, the learner will be able to meet these objectives:

Describe 802.1X/EAP and the operation of EAP-FAST, EAP-TLS, PEAP-MSCHAP, and PEAP-GTC

Describe how to configure the controller as an AAA client on the Cisco Secure ACS

Describe how to configure the various EAP types using MS Wireless Zero Configuration and Intel PROSet wireless clients

The lesson includes these topics:

802.1X/EAP Authentication

Configuring the Wireless Infrastructure to Support RADIUS Authentication

Configuring 802.1X/EAP Authentication on the Wireless Clients

Lesson 2: Describing the Impact of Security on Application and Roaming This lesson describes the impact of security configurations on application and client roaming. Upon completing this lesson, the learner will be able to meet these objectives:

Describe the impact of security configuration when roaming on applications such as voice over wireless

Describe 802.11i Proactive Key Caching and Cisco Centralized Key Management mechanisms to provide fast secure roaming


The lesson includes these topics:

Fast, Secure Roaming with Voice

Fast Secure Roaming Mechanisms

The lesson includes this activity:

Lab 2-1: Configuring EAP Authentication on the Clients

Lesson 3: Configuring Cisco Secure Services Client This lesson describes how to configure the Cisco SSC. Upon completing this lesson, the learner will be able to meet these objectives:

Describe how to configure various EAP types on the Cisco SSC using the sscManagement Utility

Describe how to configure Cisco Secure Services Client for machine login and pre-session authentication to provide access to domain services using the sscManagement Utility

Describe how the client can configure the Cisco SSC for EAP protocols

The lesson includes these topics:

Configuring EAP on Cisco SSC

Configuring Machine Login and Pre-Session Authentication

Using the Cisco SSC

The lesson includes this activity:

Lab 2-2: Configuring Cisco Secure Services Client

Lesson 4: Troubleshooting Wireless Connectivity This lesson defines how to troubleshoot client wireless connectivity issues. Upon completing this lesson, the learner will be able to meet these objectives:

Identify and isolate problems with EAP authentication using various available tools

Understand the client risks involved with driver updates and Microsoft Hotfixes

The lesson includes these topics:

Troubleshooting EAP Authentication

Driver Updates and Microsoft Hotfixes

The lesson includes this activity:

Lab 2-3: Troubleshooting Wireless Connectivity

Module 3 of 7: Design and Implement Guest Access Services Upon completion of this module, the student should be able to design and implement guest access services on the WLAN controller.


Lesson 1: Describing Guest Access Architecture This lesson defines the overall architectures for guest access services. Upon completing this lesson, the learner will be able to meet these objectives:

Describe the various traditional guest access architectures available

Describe the elements, features, and benefits of providing guest access through Cisco Unified Wireless Solution

The lesson includes these topics:

Wireless Guest Access Overview

Guest Access Using the Cisco Unified Wireless Solution

Lesson 2: Configuring the WLAN to Support Guest Access This lesson defines how to configure the WLAN to support guest access. Upon completing this lesson, the learner will be able to meet these objectives:

Describe the design considerations for deployment of the guest WLAN using the DMZ anchor controller approach

Describe how to configure the foreign and anchor controller for guest access

Describe the steps to configure guest (wired) LAN access using anchor controller approach

The lesson includes these topics:

Guest WLAN Design Considerations

Configuring the Anchor and Foreign Controllers

Guest LAN Configuration

Lesson 3: Configuring Guest Access Accounts This lesson defines how to configure the WLAN to support guest access accounts. Upon completing this lesson, the learner will be able to meet these objectives:

Describe how to use the lobby ambassador services on the controller and Cisco WCS to configure guest user accounts

Identify administrative configurations for guest account management on the Cisco NAC Guest Server

The lesson includes these topics:

Lobby Ambassador

Cisco NAC Guest Server Account Management

The lesson includes this activity:

Lab 3-1: Configure the WLAN to Support Guest Access

Lesson 4: Troubleshooting Guest Access This lesson defines how to isolate and resolve guest access issues. Upon completing this lesson, the learner will be able to meet these objectives:

Describe guidelines for proper deployment of the anchor controller


Identify various tasks to help identify and isolate problems with guest access

The lesson includes these topics:

Anchor Controller Deployment Guidelines

Troubleshooting Guest Access

The lesson includes this activity:

Lab 3-2: Configure a Controller to Use the Cisco NGS for Authentication

Lab 3-3: Troubleshooting Guest Access Issues

Module 4 of 7: Design and Integrate Wireless Network with Cisco NAC Appliance Upon completion of this module, the student should be able to design and integrate a wireless network with NAC.

Lesson 1: Introducing the Cisco NAC Appliance Solution This lesson defines how to understand the overall architectures that support the Cisco NAC Appliance solution. Upon completing this lesson, the learner will be able to meet these objectives:

Describe the functions of the various NAC components, such as the Cisco NAS, Cisco NAM, and Cisco NAA

Introduce the various Cisco NAC Appliance deployment options

Describe the data flow for a wireless client for the authentication process

Describe the role of Cisco NAC Appliance in guest access services

The lesson includes these topics:

NAC Components

Cisco NAC Appliance Solution Overview

Wireless Client Data Flow

Cisco NAC with Guest Access

Lesson 2: Configuring the Controller for Cisco NAC Appliance for Out-of-Band Operations This lesson defines how to configure the controller to support Cisco NAC Appliance out-of-band operations. Upon completing this lesson, the learner will be able to meet these objectives:

Describe configuring the controller for Cisco NAC out-of-band operations

Describe the configurations on the Cisco NAC Appliance using the Cisco NAM web GUI for supporting Cisco NAC out-of-band operations

Describe the process to verify that the wireless client has successfully passed the NAC appliance authentication and posture assessment

The lesson includes these topics:

Configure the Controller for Cisco NAC Out-of-Band Operations

Verify the Required Configurations on the Cisco NAC Appliance


Verify Wireless Client Authentication

The lesson includes this activity:

Lab 4-1: Configuring the Controller for Cisco NAC Out-of-Band Operations

Module 5 of 7: Implement Secure Wireless Connectivity Services Upon completion of this module, the student should be able to implement secure wireless connectivity services on the WLAN controller.

Lesson 1: Configuring Authentication for the WLAN Infrastructure This lesson defines how to configure secure wireless connectivity services on the controller. Upon completing this lesson, the learner will be able to meet these objectives:

Describe how to configure local authentication with both a local and a remote LDAP database

Describe how to configure H-REAP to provide authentication services in the event of a WAN failure

Describe how to configure access points to use EAP authentication to connect to the switch

The lesson includes these topics:

Configuring Local Authentication

Configuring H-REAP for WAN Failure

Configuring an Access Point to Authenticate to the Local Switch

The lesson includes these activities:

Lab 5-1: Configuring Local Authentication on the WLAN Controller

Lab 5-2: Configuring H-REAP for WAN Failure

Lesson 2: Configuring Management Frame Protection This lesson defines how to configure management frame protection on clients and controllers. Upon completing this lesson, the learner will be able to meet these objectives:

Describe how to configure management frame protection on clients

Describe how to configure management frame protection on the controller

The lesson includes these topics:

Configuring Management Frame Protection on Clients

Configuring Management Frame Protection on the Controller

The lesson includes this activity:

Lab 5-3: Configuring Management Frame Protection

Lesson 3: Configuring Certificate Services This lesson defines how to configure client and server-side digital certificate services. Upon completing this lesson, the learner will be able to meet these objectives:


Describe the functionality of asymmetric encryption algorithms

Describe the principles behind a Public Key Infrastructure

Describe how to install and configure a server certificate on the Cisco Secure ACS

Describe how to obtain and install a user certificate on the client PC

Describe how to install a self-signed certificate on the Cisco Secure ACS

Describe how to install server and CA certificates on the controller

The lesson includes these topics:

Asymmetric Encryption Overview

Public Key Infrastructure Principles

Installing Certificates on the ACS

Obtaining and Installing User Certificates

Using Self-Signed Certificates on the ACS

Adding Certificates on the Controller

The lesson includes this activity:

Lab 5-4: Configuring Certificate Services

Lesson 4: Implementing Access Control Lists This lesson defines how to implement ACLs on a WLAN controller. Upon completing this lesson, the learner will be able to meet these objectives:

Describe how to install and configure Access Control Lists on the controller

Describe how to apply Access Control Lists on the controller

Describe how to apply preauthentication ACLs on the guest WLAN

The lesson includes these topics:

Configuring Access Control Lists on the Controller

Applying Access Control Lists on the Controller

Preauthentication ACLs

The lesson includes this activity:

Lab 5-5: Implementing Access Control Lists

Lesson 5: Configuring Identity Based Networking This lesson defines how to configure identity based networking on the controller and the Cisco Secure ACS. Upon completing this lesson, the learner will be able to meet these objectives:

Describe how to configure identity based networking on the controller

Describe how to configure identity based networking on the Cisco Secure ACS

The lesson includes these topics:

Configuring Identity Based Networking on the Controller


Configuring Identity Based Networking on the Cisco Secure ACS

The lesson includes this activity:

Lab 5-6: Configuring IBN

Lesson 6: Troubleshooting Secure Wireless Connectivity This lesson defines how to troubleshoot secure wireless connectivity services. Upon completing this lesson, the learner will be able to meet these objectives:

Describe how to troubleshoot secure wireless connectivity issues using the embedded tools on the controller and Cisco Secure ACS

Describe how to troubleshoot secure wireless connectivity issues utilizing external tools

The lesson includes these topics:

Troubleshooting with the Controller and Cisco WCS

Troubleshooting Issues Utilizing External Tools

The lesson includes this activity:

Lab 5-7: H-REAP Security Issues

Module 6 of 6: Internal and Integrated External Security Mitigations Upon completion of this module, the student should be able to use the integrated security features on the WLAN controller to isolate and mitigate security threats to the WLAN.

Lesson 1: Mitigating Wireless Vulnerabilities This lesson defines how to categorize and mitigate wireless vulnerabilities. Upon completing this lesson, the learner will be able to meet these objectives:

Identify the various possible mitigation strategies available for each of the vulnerabilities already discussed

Describe how to configure rogue policies for access points to be applied to the controller

Describe the function and utilization of the various threat mitigation tools in Cisco WCS to identify and locate threats

The lesson includes these topics:

Mitigating Wireless Vulnerabilities

Configuring a Rogue Policies Template

Threat Identification with Cisco WCS

The lesson includes these activities:

Lab 6-1: Managing Rogue Access Points

Lab 6-2: Managing IDS Signatures


Lesson 2: Understanding Cisco’s End-to-End Security Solutions This lesson defines how to describe Cisco's end-to-end security solutions and how they integrate with Cisco's wireless solutions. Upon completing this lesson, the learner will be able to meet these objectives:

Describe Cisco Secure ACS and how it integrates with the CUWN solution

Describe Cisco NAC Appliance and how it integrates with the CUWN solution

Describe the firewall port configuration requirements to support the WLAN controller for demilitarized zone placement

Describe Cisco IPS appliance and how it integrates with the CUWN solution

Describe Cisco Security Agent and how it integrates with the CUWN solution

Describe Cisco Security MARS and how it integrates with the CUWN solution

The lesson includes these topics:

Cisco ACS Integration

NAC Appliance Integration

Firewall Requirements for DMZ

Cisco IPS Integration

Cisco Security Agent Integration

Cisco Security MARS Integration

Lesson 3: Integrating Cisco WCS with Wireless IPS This lesson defines how to configure Cisco WCS to operate with the Cisco adaptive wireless IPS solution. Upon completing this lesson, the learner will be able to meet these objectives:

Describe the functions of the Cisco adaptive wireless IPS solution

Describe how to configure Cisco WCS to communicate with Cisco Adaptive Wireless IPS

The lesson includes these topics:

Cisco Adaptive Wireless IPS Functions

Integrating Cisco WCS with Wireless IPS


Course Evaluations Cisco uses a post-course evaluation system, Metrics That Matter (MTM), for its instructor-led courses. The instructor must ensure that each student is aware of the confidential evaluation process and that all students submit an evaluation for each course. There are two options for students to complete the evaluation.

For Classes with Internet Access A URL will be made available, specific to each Cisco Learning Partner. Obtain the URL from your MTM system administrator before the last day of class.

1. Upon completion of the course, instruct the students to enter the URL into their browser.

2. Make sure that the students input their e-mail address (used only for a follow-up evaluation).

Note Sixty days following a learning event, students will receive a brief follow-up evaluation, and, again, responses will be kept confidential. E-mail addresses will not be used for marketing purposes. (If students do not have e-mail addresses, they may type in a “dummy” address.)

3. Instruct the students to select the appropriate course from the drop-down list.

4. Instruct the students to complete the course evaluation and click Submit one time only.

5. Advise the students to wait for “Thank you” to appear on the screen before leaving.

For Classes Without Internet Access A paper-based version of the post-course evaluation is available. Your MTM system administrator can provide you with copies.

1. Distribute paper-based evaluations at the beginning of the last day of class.

2. Instruct the students to complete the survey only after completing the course.

3. Collect the evaluations and submit them to your MTM system administrator.

To View Evaluation Results To view your post-course evaluation results:

1. Go to www.metricsthatmatter.com/client. (Reminder: All data is confidential; you will see only your own data.)

2. Log in using your ID and the password sent to you from MTM or provided by your company MTM system administrator to ensure confidentiality.

3. Choose Menu Option – Learner Evaluation Reports:

— Evaluation Retrieval Tool

— Class Evaluation Summary Report

4. Search for and select the appropriate class.


Lab Setup

Overview The purpose of the “Lab Setup” section is to assist in the setup and configuration of the training equipment for the Implementing Advanced Cisco Unified Wireless Security course. This section includes these topics:

Lab Topology

Hardware and Software Requirements

Workstation Configuration

Lab Equipment Configuration

General Lab Setup

Lab 1-1: Segmenting Traffic

Lab 1-2: Configuring Administrative Security

Lab 2-1: Configuring EAP Authentication on the Clients

Lab 2-2: Configuring Cisco Secure Services Client

Lab 2-3: Troubleshooting Wireless Connectivity

Lab 3-1: Configure the WLAN to Support Guest Access

Lab 3-2: Configure a Controller to use the Cisco NGS for Authentication

Lab 3-3: Troubleshooting Guest Access Issues

Lab 4-1: Configuring the Controller for Cisco NAC

Lab 5-1: Configuring Local Authentication on the WLAN Controller

Lab 5-2: Configuring H-REAP for WAN Failure

Lab 5-3: Configuring Management Frame Protection

Lab 5-4: Configuring Certificate Services

Lab 5-5: Implementing Access Control Lists

Lab 5-6: Implementing IBN

Lab 5-7: Troubleshooting H-REAP Security Issues


Lab 6-1: Managing Rogue Access Points

Lab 6-2: Managing IDS Signatures

Configuration Files Summary

Lab Activity Solutions

Teardown and Restoration


Lab Topology This topic describes the lab topology for Implementing Advanced Cisco Unified Wireless Security (IAUWS) v1.0.

IAUWS Logical Topology Diagram

This lab consists of a central switch which supports eight remote pods. Each pod consists of a 2106 WLC, an AP1252 and a remote laptop with an Intel wireless client card. In addition, there is an ASA 5510 providing firewall services. In the DMZ is a 4402-12 WLC and a Cisco NGS appliance. Also connected to the core switch is a Cisco NAM appliance and Cisco NAS appliance, a Windows 2003 server with WCS and a Windows 2003 server (enterprise) running VM with 8 instances of Cisco Secure ACS (one per pod). Windows certificate services is running on the root of the Windows Server with VM. Connection to the remote lab is via VPN running on a local router with terminal services enabled to provide command line access to the various hardware in the lab. In addition, a remote IP KVM switch and a remote power switch are available to the instructor as necessary. There is one autonomous AP1242 to serve as a rogue access point.

Note: At the time of the course development, we had an AIP-SSM in the ASA 5510, but we couldn’t get the controller to successfully retrieve the shun list from the AIP-SSM. Therefore, the IPS and WLC integration lab was removed from the course. Without the AIP-SSM requirement in the lab, the actual firewall can be any Cisco firewall such as the ASA 5505 or IOS Firewall.


| Device Name | Device Name Abbreviation | Assigned Pod | Interface | Network Address | Additional Information |
|---|---|---|---|---|---|
| WLC-2106 | Pod1-2106 | 1 | 1 | 10.10.1.10 | AP Manager 10.10.1.11 |
| AP1252 | Pod1-ap | 1 | FA0 | DHCP 10.10.1.x | |
| Remote PC | Pod1 | 1 | Ethernet | 10.10.1.100 | Access Via VPN |
| WLC-2106 | Pod2-2106 | 2 | 2 | 10.20.1.10 | AP Manager 10.20.1.11 |
| AP1252 | Pod2-ap | 2 | FA0 | DHCP 10.20.1.x | |
| Remote PC | Pod2 | 2 | Ethernet | 10.20.1.100 | Access Via VPN |
| WLC-2106 | Pod3-2106 | 3 | 3 | 10.30.1.10 | AP Manager 10.30.1.11 |
| AP1252 | Pod3-ap | 3 | FA0 | DHCP 10.30.1.x | |
| Remote PC | Pod3 | 3 | Ethernet | 10.30.1.100 | Access Via VPN |
| WLC-2106 | Pod1-2106 | 4 | 4 | 10.10.4.10 | AP Manager 10.40.1.11 |
| AP1252 | Pod4-ap | 4 | FA0 | DHCP 10.40.1.x | |
| Remote PC | Pod4 | 4 | Ethernet | 10.40.1.100 | Access Via VPN |
| WLC-2106 | Pod5-2106 | 5 | 5 | 10.50.1.10 | AP Manager 10.50.1.11 |
| AP1252 | Pod5-ap | 5 | FA0 | DHCP 10.10.5.x | |
| Remote PC | Pod5 | 5 | Ethernet | 10.50.1.100 | Access Via VPN |
| WLC-2106 | Pod6-2106 | 6 | 6 | 10.60.1.10 | AP Manager 10.60.1.11 |
| AP1252 | Pod6-ap | 6 | FA0 | DHCP 10.60.1.x | |
| Remote PC | Pod6 | 6 | Ethernet | 10.60.1.100 | Access Via VPN |
| WLC-2106 | Pod7-2106 | 7 | 7 | 10.70.1.10 | AP Manager 10.10.1.11 |
| AP1252 | Pod7-ap | 7 | FA0 | DHCP 10.70.1.x | |
| Remote PC | Pod7 | 7 | Ethernet | 10.10.1.100 | Access Via VPN |
| WLC-2106 | Pod8-2106 | 8 | 8 | 10.80.1.10 | AP Manager 10.80.1.11 |
| AP1252 | Pod8-ap | 8 | FA0 | DHCP 10.80.1.x | |
| Remote PC | Pod8 | 8 | Ethernet | 10.80.1.100 | Access Via VPN |
| WCS v5.2 | WCS | All pods | Ethernet port | 10.100.1.4 | |
| ACS v4.2 | Pod1-ACS | 1 | Ethernet | 10.100.1.51 | VM on 10.100.1.5 |
| ACS v4.2 | Pod2-ACS | 2 | Ethernet | 10.100.1.52 | VM on 10.100.1.5 |
| ACS v4.2 | Pod3-ACS | 3 | Ethernet | 10.100.1.53 | VM on 10.100.1.5 |
| ACS v4.2 | Pod4-ACS | 4 | Ethernet | 10.100.1.54 | VM on 10.100.1.5 |
| ACS v4.2 | Pod5-ACS | 5 | Ethernet | 10.100.1.55 | VM on 10.100.1.5 |
| ACS v4.2 | Pod6-ACS | 6 | Ethernet | 10.100.1.56 | VM on 10.100.1.5 |
| ACS v4.2 | Pod7-ACS | 7 | Ethernet | 10.100.1.57 | VM on 10.100.1.5 |
| ACS v4.2 | Pod8-ACS | 8 | Ethernet | 10.100.1.58 | VM on 10.100.1.5 |
| NGS (v2.0) | NGS (v2.0) | All pods | 0 | 10.103.1.3 | |
| 4402-12 | Anchor Controller | All pods | 1 | 10.103.1.10 | Service port 10.100.1.10 |
| NAM (v4.5) | NAM (v4.5) | All pods | 0 | 10.102.1.2 | |
| NAS (v4.5) | NAS (v4.5) | All pods | 0 – trusted, 1 – untrusted | 10.100.1.2 – trusted | Instructor access only. See port map file on instructor CD for port usage. |
| Core switch | Iauws-sw | All pods | Multiple ports | 10.1.1.1 | Instructor access only. See port map file on instructor CD for port usage. |
| ASA 5510 | iauws-asa | All pods | Multiple ports | 10.100.1.7 | Instructor access only. See port map file on instructor CD for ACL requirements for the firewall. |
| AP1242 | Rogue-ap | All pods | FA0 | 10.100.1.99 | Instructor access only |


Hardware and Software Requirements Hardware List The hardware listed in the following table is suggested for this learning product. Student Pod Equipment – 2 Students Per Pod – 8 Pods Total Per Class. The Single Unit Price and Total Unit Price columns (Monetary Unit [Insert Unit]) are OPTIONAL – Internal use only, and are left blank here.

| Description | Mfr. | Part Number | Qty. |
|---|---|---|---|
| Class Network equipment to share across all pods | | | |
| Cisco AP1242 standalone | Cisco | AIR-AP1242AG-x-K9 | 1 |
| 2.2 dBi 2.4GHz dipole antenna | Cisco | AIR-ANT2422DW-R | 2 |
| 3.5 dBi dipole 5 GHz antenna | Cisco | AIR-ANT5135DW-R | 2 |
| Cisco 1841 router (VPN router) | Cisco | CISCO1841-SEC/K9 | 1 |
| Catalyst 3560E 48 port switch with 1150WAC power supply | Cisco | WS-C3560E-48PD-E | 1 |
| WLC 4402-12 | Cisco | AIR-WLC4402-12-K9 | 1 |
| 3310 NAC Appliance for Clean Access Server (includes software and license for 100 users) and Clean Access Manager and NAC Guest Server | Cisco | NAC3310-100-K9 | 3 |
| ASA 5510 | Cisco | ASA5510--BUN-K9 | 1 |
| Windows 2003 Server 4G+ memory - used for WCS | Various | | 1 |
| Windows 2003 Server (enterprise) 8G+ memory - used for VM, ACS, TFTP/FTP, Certificate Services | Various | | 1 |
| Cables CAT 5 | Various | | 8 |
| Student POD equipment (8 pods) | | | |
| WLC 2106 | Cisco | AIR-WLC2106-K9 | 8 |
| AP1252 Lightweight | Cisco | AIR-LAP1252AG-X-K9 | 8 |
| 2.2 dBi 2.4GHz dipole antenna | Cisco | AIR-ANT2422DW-R | 24 |
| 3.5 dBi dipole 5 GHz antenna | Cisco | AIR-ANT5135DW-R | 24 |
| Laptop with Intel PRO 4965 a/b/g/n wireless NIC, RS-232 port or USB to RS-232 adapter, 2+GHz processor, 2 Gig RAM, 802.3 10/100 T, PCMCIA and USB ports | Various | | 8 |
| Cables CAT 5 | Various | | 24 |
| Other Required Equipment | | | |
| Web-KVM switch (Example: StarTech.com Enhanced KVM Switch Over IP SV841HDIE - KVM switch - 8 ports + Cables) For remote maintenance | Various | | 1 |
| Powered APC switch (Example: BayTech Power Switch 20 outlet switched RPC-28) For remote maintenance | Various | | 1 |

Software List The software listed in the following table is suggested for this learning product. The Single Unit Price and Total Unit Price columns (Monetary Unit [Insert Unit]) are OPTIONAL – Internal use only, and are left blank here.

| Description | Mfr. | Part Number | Qty. |
|---|---|---|---|
| Class Network - Shared Equipment | | | |
| IOS software for switch | Cisco | 12.2(44)SE | 1 |
| WLC code v5.2 | Cisco | SWLC4400K9-52 | 9 |
| WCS v5.2 with license | Cisco | WCS-APLOG-52 | 1 |
| ACS V4.2 | Cisco | CSACS-4.2-WIN-K9 | 8 |
| Clean Access Lite Manager (v4.5); NAC Guest Server v2.0; ASA (v7.x or 8.x is fine) | Cisco; Cisco; Cisco | NACMGR-3-K9; cisco-nac-guest-server-2.0.0-K9.iso; 7.x or 8.x | 1 |
| Option 1 - Windows 2003 standard on server, WCS-1, ACS-8 (1 base+VM and 7 additional VMs) | Microsoft | | 9 |
| Option 2 - Windows 2003 standard on Server for WCS; Windows 2003 Enterprise on ACS server (2 instances with 4 VM each) | Microsoft; Microsoft | | 1; 2 |
| Windows 2003 on Server Enterprise | Microsoft | | 1 |
| VMware | Microsoft | | 1 |
| Free FTP/TFTP Server | Various | | 1 |
| Student PODs | | | |
| Windows XP | Microsoft | | 8 |
| WLC code v5.2 | Cisco | SWLC4400K9-52 | 8 |
| Cisco Secure Services Client | Cisco | Cisco_SSC-XP2K_5.1.1.3.zip | 8 |
| Cisco Secure Services Client Management Utility | Cisco | Cisco_SSCMgmtUtil_5.1.1.4.zip | 8 |
| IntelPro Wireless Client | Intel | N/A | 8 |
| NAC Appliance Agent (v.4.5) | Cisco | CCAAgentSetup-4.5.0.0.tar.gz | 8 |


Workstation Configuration These instructions describe how to set up the lab when workstations are required.

Class PCs If you use a remote lab, Steps 1 to 4 apply to class PCs only. If you use a local lab, skip this part and go to Step 5.

Step 1 Make sure that PCs have Windows installed, browser capability, Java (JRE), and proper access to the Internet.

Step 2 Make sure that PCs have the Flash plug-in installed; it is required to access Cisco WCS.

Step 3 Download and install Cisco VPN Client software, and provide a shortcut on the desktop.

Step 4 Create Cisco VPN client profiles and copy them to the Cisco VPN Client profiles directory.

Step 5 Create a Remote Desktop Connection shortcut on the PC desktop.

Step 6 Download and install TeraTerm Pro and create a shortcut on the desktop.

Lab Laptops The following steps apply to the laptops in the remote lab.

Step 1 Remote laptops should have their IP address properly set (refer to the lab maps), and configured to allow remote access via remote desktop.

Step 2 Install XP SP2, plus any critical category patch for Windows XP Pro, BIOS and Intel wireless card.

Step 3 Obtain a CA certificate from the server which provides ACS and CA services and install the CA certificate in the Trusted Root Certification Authorities store.

Step 4 Install Cisco Secure Services Client and sscUtilityManagement and create shortcuts on the desktop.

Step 5 Obtain a copy of the Self-Signed Certificate from the ACS assigned to the pod and install in the Trusted Root Certification Store.

Step 6 Install TeraTerm Pro on the laptop and create a shortcut on the desktop.


Lab Equipment Configuration This equipment configuration information is necessary for initial setup of the lab configuration.

Notes on Delivery Lab Equipment

Learners can access their controllers both from the CLI using the terminal server and from the web interface using their connection to the switch.

Learners can access the remote lab laptops using remote desktop connection.

Save the configuration file “iauwsSwitchConfig.txt” in the startup-config of the Cat3560E.

Save the configuration file “iauws5510config.txt” in the startup-config of the ASA5510.

Download the configuration file “iauwsanchor4402.txt” to the 4402 anchor controller.

Ensure that all equipment is properly wired to their respective switches.

All AP1252s should be reset to normal mode.

Pod controllers should be reset to factory default.

Cisco WCS should be installed and ready. Root password should be IAUWSwcs123. For WCS http port, choose 81. Use the default https port, 443.

Back up the Cisco WCS database with the controllers and APs added, a building with one floor created and all APs placed on the MAP, and users created. See the WCSusers.txt file for a list of users and passwords. A sample floorplan (floor1.jpg) will be included.

Restore the backup at the end of the class to bring WCS back to this original state.

Terminal server and VPN gateway should be configured to provide access to the remote lab.

The ACS server should have VMware installed and eight VM instances running. Windows Server CA should be enabled on the root and configured to automatically approve certificate requests. Each instance of VM should have a copy of ACS installed. See the iauwsACSconfig.txt file for the items to be configured on each ACS VM. Take a snapshot of each configured VM.

The Cisco NAM should be preconfigured. See the file iauwsNAM.txt for all configuration requirements.

The Cisco NAS should be preconfigured. See the file iauwsNAS.txt for all configuration requirements.

The Cisco NGS should be preconfigured for sponsors. See the file iauwsNGS.txt for all configuration requirements.


General Lab Setup This information details the procedure to set up and configure the lab equipment.

Step 1 Interconnect all the lab equipment.

Step 2 Clear the Cisco 2106 WLC configuration (clear config, reset system without save).

Step 3 In the remote laptops, clear any remaining community on the Cisco Configuration Assistant.

Step 4 In the remote laptops, remove all profiles from the Intel PROSet wireless tool.

Step 5 In the remote laptops, remove all networks and groups from Cisco Secure Services Clients using the ssc Management Utility.

Step 6 In the remote laptops, make sure that the required programs are available as per the previous section.

Step 7 On the class WCS server, install Cisco WCS on ports 80 and 443. Configure with a building and floor and users per the previous section. Perform a Cisco WCS backup with Cisco WCS in its configured state. You will be able to restore the Cisco WCS to its pre-class configuration after the class by restoring this backup.

Step 8 On the main switch, inject the iauwsSwitchConfig.txt file.

Step 9 On the ASA5510, inject the iauws5510config.txt file.

Step 10 On the 4402-12 anchor controller, download the iauwsAnchor4402.txt file.

Step 11 On the Cisco NGS, delete all created users.

Step 12 On the ACS server, revert each VM to the saved snapshot.

Step 13 In the class PCs, make sure that the required programs are available and that connectivity to the Internet is possible.


Lab 1-1: Segmenting Traffic This topic details the lab activity for Lab 1-1.

Objectives You will complete these tasks in this lab:

Restore the WLC to factory defaults and complete the initial CLI wizard setup

Connect to the WLC using the web interface and allow SSH and management via wireless

Configure the required interfaces and WLANs using the provided encryption, authentication, and QoS criteria

Configure DHCP pools on the WLAN controller

Create WLANs to provide data and voice segmentation

Visual Objective The figure displays the lab topology that you will use to complete this lab.

Lab 1-1: Segmenting Traffic

Instructor Notes The students will configure the remote 2106 controllers from a default state.

Common Issues This subtopic presents common issues for this lab.

First question of the confirmation wizard is skipped: When the controller is cleared and then rebooted, it will attempt an autoconfig. When the student cancels or selects no to bypass the autoconfiguration, an extra carriage return is buffered and the installation wizard skips the first question. The students can use the minus (-) key followed by the Enter key to back up to the first question.


Lab 1-2: Configuring Administrative Security This topic details the lab activity for Lab 1-2.

Objectives You will complete these tasks in this lab:

Configure the controller to use the Cisco Secure ACS for TACACS+ authentication

Add the controller as an AAA client for TACACS+ on the Cisco ACS (Instructor Demo)

Create the administrative user on the Cisco Secure ACS for TACACS+ and assign the appropriate administrative roles (Instructor Demo)

Create an administrative user on the Cisco Secure ACS for TACACS+ and assign the user to the appropriate group (Instructor Demo)

Log in to the 2106 controller with the new administrative user you have created

Visual Objective The figure displays the lab topology that you will use to complete this lab.

Lab 1-2: Configuring Administrative Security

Instructor Notes This lab has the students creating a TACACS+ account on the ACS.

Common Issues Monitor account does not connect: Verify that the admin user account is created in the correct group and that the role is entered correctly (“role1=MONITOR”).


Lab 2-1: Configuring EAP Authentication on the Clients This topic details the lab activity for Lab 2-1.

Objectives You will complete these tasks in this lab:

Configure a profile on the wireless client for EAP-FAST authentication using Intel PROSet wireless client and connect to the secure WLAN

Visual Objective The figure displays the lab topology that you will use to complete this lab.

Lab 2-1: Configuring EAP Authentication on the Clients

Instructor Notes This lab has the students using the Intel supplicant on the remote laptop.

Common Issues This subtopic presents common issues for this lab.

Cisco SSC enabled: If the Cisco SSC supplicant is enabled on the remote PC, it must be disabled before this lab can be performed.

Windows Zero Config enabled: If Windows Zero Config is enabled on the remote laptop, it must be disabled before this lab can be performed.


Intel Supplicant will not connect: After verifying that all parameters are configured correctly, if the Intel supplicant still will not connect, disable and re-enable the radio from the Intel supplicant.

Intel Supplicant will not process server certificate: If the Intel PROSet supplicant fails with a certificate error indicated on the ACS, verify that the supplicant is configured to accept “Any trusted CA”.


Lab 2-2: Configuring Cisco Secure Services Client This topic details the lab activity for Lab 2-2.

Objectives You will complete these tasks in this lab:

Configure a wireless profile using the Cisco Secure Services Client Management Utility

Verify the wireless profile created using the Cisco Secure Services Client Management Utility is connected

Visual Objective The figure displays the lab topology that you will use to complete this lab.

Lab 2-2: Configuring Cisco Secure Services Client

Instructor Notes This lab has the students using the Cisco sscUtilitiesManager supplicant on the remote laptop. CSSC is designed to utilize one interface and disable any others on the machine. This creates a problem for remote labs since once the wireless client becomes active, the wired interface is disabled. If the student configures the CSSC improperly, then the remote PC will become unreachable. The instructor can use the KVM switch to either point the CSSC back to the wired port or disable the CSSC as necessary when this happens.


Common Issues This subtopic presents common issues for this lab.

Cisco SSC disabled: Be sure the students enabled the SSC client.


Lab 2-3: Troubleshooting Wireless Connectivity This topic details the lab activity for Lab 2-3.

Objectives You will complete these tasks in this lab:

Disable the Cisco Secure Services Client

Capture a successful EAP-FAST connection using the debug commands on the controller

Capture a successful EAP-FAST connection using the client troubleshooting log on Cisco WCS

Identify and isolate issues involving client authentication introduced by your instructor (Multiple issues may be introduced or the same issue using different clients)

Correct the failure

Verify the client has successfully authenticated to the secure wireless network

Visual Objective The figure displays the lab topology that you will use to complete this lab.

Lab 2-3: Troubleshooting Wireless Connectivity

Instructor Notes The instructor will introduce common authentication problems in this lab. The following are examples of problems to introduce. The instructor should tell the students that 802.1X authentication has just been configured on the ACS and the controller and the users cannot connect.

Change the AAA client setting on the ACS for the controller from RADIUS (Cisco Airespace) to RADIUS (Cisco IOS)

Uncheck the Net Users check box on the RADIUS authentication server setting in the controller.

Change the shared secret of the RADIUS authentication server in the controller.

Change the IP address of the RADIUS authentication server in the controller.


Lab 3-1: Configure the WLAN to Support Guest Access

This topic details the lab activity for Lab 3-1.

Objectives You will complete these tasks in this lab:

Add the foreign controller as a mobility group member on the anchor controller

Add the anchor controller as a mobility group member on the foreign controller

Configure an interface to be used for guest access, create a Guest WLAN mapped to the interface and define guest WLAN parameters and policies on the foreign controller

Configure an interface to be used for guest access, create a Guest WLAN mapped to the interface and define guest WLAN parameters and policies on the anchor controller

Configure the guest credentials on the anchor controller using Cisco WCS

Create a wireless guest profile on your client utility and connect to the guest WLAN on the foreign controller

Visual Objective The figure displays the lab topology that you will use to complete this lab.

Lab 3-1: Configuring the WLAN to Support Guest Access

Instructor Notes This lab requires the students to make configuration settings on two controllers. There are two VLANs configured in the DMZ. VLAN 103 is the management VLAN for configuring the Guest Server and for the 4402 controller. VLAN 203 is the guest user VLAN where the remote laptops connect in this lab.

Common Issues This subtopic presents common issues for this lab.

Anchor controller tunnel failure: The anchor controller has a different mobility group name than the foreign controller in the pod. Check these parameters:

— Mobility Group name in mobility group is set to anchor for the 4402 anchor controller and iauws for all other controllers.

— Guest WLAN parameters like SSID must match between anchor and foreign controller.

— The DMZ has two VLANs, 103 and 203. VLAN 103 is for the controller management interface. VLAN 203 is for the guest WLAN egress interface on the anchor controller for guest connectivity to the Internet via the Firewall.


Lab 3-2: Configure a Controller to use the NAC Guest Server for Authentication

This topic details the lab activity for Lab 3-2.

Objectives You will complete these tasks in this lab:

Add your controller as a RADIUS client to the NAC Guest Server

Add a sponsor to the NAC Guest Server

Add the NAC Guest Server as a RADIUS server to your controller

Modify the guest WLAN to direct authentications to the NAC Guest Server

Add a guest user account to the NAC Guest Server

Connect to the guest network using the credentials created on the NAC Guest Server

Visual Objective The figure displays the lab topology that you will use to complete this lab.


Lab 3-2: Configuring a Controller to use the NAC Guest Server for Authentication

Instructor Notes This lab requires the students to make configuration settings on two controllers and the NGS.


Common Issues This subtopic presents common issues for this lab.

Student makes changes on incorrect controller: Ensure the student has made changes to the WLAN on the anchor controller.

Student using wired interface for verification: Students must add static routes on the remote laptop to verify the wireless connections. Each time the student resets the wireless connection, the static routes must be added again.


Lab 3-3: Troubleshooting Guest Access Issues

This topic details the lab activity for Lab 3-3.

Objectives You will complete these tasks in this lab:

Identify and isolate a guest access failure introduced by your instructor

Correct the failure

Verify the guest access is working

Visual Objective The figure displays the lab topology that you will use to complete this lab.


Lab 3-3: Troubleshooting Guest Access Issues

Instructor Notes This lab requires the instructor to introduce problems into the network for guest access. Some common examples of problems for this lab follow.

Change mobility group name of the anchor controller to iauws to match the other controllers. This will cause the controller to fail.

Create an ACL to block IP protocol 97 in the ASA 5505.

Create an ACL to block UDP 16666 in the ASA 5505.

Configure the Anchor controller for tunnel security.

Change the SSIDs between the guest WLAN on the pod 2106 and the anchor controller.


Change the Interface to secure-data on the guest WLAN on the 2106.
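The failure modes listed for Labs 3-1 and 3-3 (a mobility list entry carrying the wrong group name for the peer, a guest SSID that differs between anchor and foreign controller, the anchor guest WLAN not egressing on VLAN 203, and a DMZ firewall ACL dropping IP protocol 97 or UDP 16666) can be checked mechanically before a student starts troubleshooting. The Python checker below is an added example and not part of the Cisco course guide; the controller addresses, the field names and the ACL model are constructed assumptions, and the ACL is evaluated first-match with an implicit deny.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Traffic the foreign<->anchor guest tunnel needs through the DMZ firewall (from the
# lab notes): the EoIP data tunnel is IP protocol 97, mobility control is UDP 16666.
EOIP_PROTOCOL = "97"
MOBILITY_UDP_PORT = 16666
ANCHOR_GUEST_VLAN = 203  # guest WLAN egress VLAN on the anchor in this lab topology


@dataclass
class Controller:
    mgmt_ip: str
    mobility_group: str               # this controller's own mobility group name
    mobility_members: Dict[str, str]  # peer mgmt IP -> group name entered for that peer
    guest_ssid: str
    guest_vlan: int                   # VLAN of the interface the guest WLAN is mapped to


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip", "udp", "tcp" or a protocol number such as "97"
    src: str                        # source IP or "any"
    dst: str                        # destination IP or "any"
    dst_port: Optional[int] = None  # udp/tcp destination port; None matches any port


def acl_permits(acl: List[AclEntry], protocol: str, src: str, dst: str,
                dst_port: Optional[int] = None) -> bool:
    """First matching entry wins; no match means the implicit deny applies."""
    for e in acl:
        if e.src not in ("any", src) or e.dst not in ("any", dst):
            continue
        if e.protocol == "ip" or (e.protocol == protocol and e.dst_port in (None, dst_port)):
            return e.action == "permit"
    return False


def check_guest_anchor(anchor: Controller, foreign: Controller,
                       dmz_acl: List[AclEntry]) -> List[str]:
    """Return the failure modes detected; an empty list means none of them applies."""
    findings = []
    # Mobility list entries: each side must record the peer under the peer's real group name.
    if foreign.mobility_members.get(anchor.mgmt_ip) != anchor.mobility_group:
        findings.append("foreign mobility list has wrong group name for anchor")
    if anchor.mobility_members.get(foreign.mgmt_ip) != foreign.mobility_group:
        findings.append("anchor mobility list has wrong group name for foreign")
    # Guest WLAN parameters such as the SSID must match on both controllers.
    if anchor.guest_ssid != foreign.guest_ssid:
        findings.append("guest SSID differs between anchor and foreign")
    # The anchor guest WLAN must egress on the guest VLAN, not the management VLAN.
    if anchor.guest_vlan != ANCHOR_GUEST_VLAN:
        findings.append("anchor guest WLAN egress is not on VLAN %d" % ANCHOR_GUEST_VLAN)
    # The DMZ firewall must pass EoIP and UDP 16666 in both directions.
    for a, b in ((foreign.mgmt_ip, anchor.mgmt_ip), (anchor.mgmt_ip, foreign.mgmt_ip)):
        if not acl_permits(dmz_acl, EOIP_PROTOCOL, a, b):
            findings.append("firewall blocks IP protocol 97 from %s to %s" % (a, b))
        if not acl_permits(dmz_acl, "udp", a, b, MOBILITY_UDP_PORT):
            findings.append("firewall blocks UDP 16666 from %s to %s" % (a, b))
    return findings


def lab_pod(anchor_group="anchor", acl_prefix=()):
    """Constructed pod: a 2106 foreign controller and the 4402 anchor (addresses made up)."""
    anchor = Controller("10.103.0.2", anchor_group, {"10.1.1.2": "iauws"}, "guest", 203)
    foreign = Controller("10.1.1.2", "iauws", {"10.103.0.2": "anchor"}, "guest", 10)
    acl = list(acl_prefix) + [AclEntry("permit", "97", "any", "any"),
                              AclEntry("permit", "udp", "any", "any", MOBILITY_UDP_PORT)]
    return anchor, foreign, acl
```

Calling `check_guest_anchor(*lab_pod(anchor_group="iauws"))` reproduces the first Lab 3-3 fault: the foreign controller's mobility list still names the anchor's group as "anchor", so the tunnel check reports a mismatch.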


Lab 4-1: Configuring the Controller for Cisco NAC

This topic details the lab activity for Lab 4-1.

Objectives You will complete these tasks in this lab:

Configure SNMP parameters, a NAC-enabled interface and WLAN to provide out-of-band services to a client using WPA2 enterprise security

Configure the WLAN controller as a device on the Cisco NAM

Verify some required Wireless NAC out-of-band configurations on the Cisco NAM

Configure a client profile to use 802.1X/EAP with WPA2 and connect to the NAC-enabled secure WLAN

Use the NAC appliance agent to log in and use the NAM and controller GUIs to verify Wireless NAC out-of-band operations

Visual Objective The figure displays the lab topology that you will use to complete this lab.


Lab 4-1: Configuring the Controller for NAC

Instructor Notes This lab has the students use the NAM and NAS.


Common Issues This subtopic presents common issues for this lab.

NAC Appliance Agent login does not pop up: Be sure the student has entered static routes to make the remote PC use the wireless interface.

In our alpha/beta class, we configured a simple requirement check on the NAM to check that the student's laptop is running Windows XP with Service Pack 3.

When generating the digital certificate on the NAM, use the NAC Appliance IP address as the DN if you don't have a DNS server in the lab.


Lab 5-1: Configuring Local Authentication on the WLAN Controller

This topic details the lab activity for Lab 5-1.

Objectives You will complete these tasks in this lab:

Configure a local network user on the controller

Configure Local EAP on the controller

Configure a WLAN on the controller to use Local EAP authentication

Configure a wireless profile on the remote lab PC and connect to the secure-data WLAN

Visual Objective The figure displays the lab topology that you will use to complete this lab.


Lab 5-1: Configuring Local Authentication on the WLAN Controller

Instructor Notes This lab has the students disable the ACS server to verify local authentication.

Common Issues There are no common issues.


Lab 5-2: Configuring H-REAP for WAN Failure This topic details the lab activity for Lab 3-1.

Objectives You will complete these tasks in this lab:

Configure the controller with a centrally switched WLAN for H-REAP using central 802.1X authentication

Configure a client profile to use the new WLAN created

Enable H-REAP on the access point and configure H-REAP groups

Induce a WAN failure and ensure the client connects to the H-REAP in standalone mode

Visual Objective The figure displays the lab topology that you will use to complete this lab.


Lab 5-2: Configuring H-REAP for WAN Failure

Instructor Notes This lab requires the students to use the CLI to disable the port on the pod controller.

Common Issues This subtopic presents common issues for this lab.

Client will not connect to SSID: If the student does not verify that the access point is in H-REAP standalone mode, the client may get put into the exclusion list when trying to connect to the SSID. Disable client exclusion in the WLAN when troubleshooting client issues.


Lab 5-3: Configuring Management Frame Protection

This topic details the lab activity for Lab 5-3.

Objectives You will complete these tasks in this lab:

Enable the management frame protection AP Authentication Policy on the controller

Enable MFP on a WLAN

Verify MFP is required by the controller

Visual Objective The figure displays the lab topology that you will use to complete this lab.


Lab 5-3: Configuring Management Frame Protection

Instructor Notes This lab has the student verify that the client cannot connect using MFP.

Common Issues This subtopic presents common issues for this lab.

Wireless client cannot authenticate: Make sure student re-enabled the port on the controller via the CLI at the end of Lab 5-2.


Lab 5-4: Configuring Certificate Services This topic details the lab activity for Lab 5-4.

Objectives You will complete these tasks in this lab:

Verify security certificates and EAP-TLS settings on the Cisco Secure ACS

Obtain and install a user certificate and CA certificate on the client

Configure a TLS profile on the client and connect to the WLAN

Visual Objective The figure displays the lab topology that you will use to complete this lab.


Lab 5-4: Configuring Certificate Services

Instructor Notes This lab requires the students to obtain a user certificate from the CA on 10.100.1.5 and create a TLS profile.

Common Issues This subtopic presents no common issues.


Lab 5-5: Implementing Access Control Lists

This topic details the lab activity for Lab 5-5.

Objectives You will complete these tasks in this lab:

Create an ACL in the controller

Verify the ACL function

Visual Objective The figure displays the lab topology that you will use to complete this lab.


Lab 5-5: Implementing Access Control Lists

Instructor Notes This lab has the students create and apply ACLs on the controller.

Common Issues This subtopic presents common issues for this lab.

Ping will not fail: Be sure the student has entered static routes to make the remote pc use the wireless interface.


Lab 5-6: Implementing IBN This topic details the lab activity for Lab 5-6.

Objectives You will complete these tasks in this lab:

Configure AAA override on a WLAN

Configure a group to send an ACL name and add a user to the ACS

Connect to the WLAN with the new user and verify the AAA override

Visual Objective The figure displays the lab topology that you will use to complete this lab.


Lab 5-6: Implementing IBN

Instructor Notes This lab has the students apply ACLs using IBN on the controller.

Common Issues This subtopic presents common issues for this lab.

Ping will not fail: Be sure the student has entered static routes to make the remote PC use the wireless interface.


Lab 5-7: Troubleshooting H-REAP Security Issues

This topic details the lab activity for Lab 5-7.

Objectives You will complete these tasks in this lab:

Place the H-REAP in standalone mode

Identify, isolate and correct an H-REAP security failure introduced by your instructor

Visual Objective The figure displays the lab topology that you will use to complete this lab.


Lab 5-7: Troubleshooting H-REAP Security Issues

Instructor Notes This lab has the instructor introduce problems that prevent the H-REAP access point from authenticating a user when in standalone mode. The instructor should inform the students that H-REAP access points have just been added to the network and configured for authentication on the ACS server first and then on the local server. Add the proper ACS for each pod to the H-REAP group configuration as a primary server. Do not add the H-REAP access point as an AAA client on the ACS. The student should get an unknown NAS server failure.

Common Issues This subtopic presents no common issues for this lab.


Lab 6-1: Managing Rogue Access Points This topic details the lab activity for Lab 6-1.

Objectives You will complete these tasks in this lab:

Create an open WLAN on the access point

Create rules to identify malicious rogue access points and friendly access points on your controller

Open a connection to a rogue access point with the wireless client

Locate the rogue access point using the WCS and contain the Rogue AP

Visual Objective The figure displays the lab topology that you will use to complete this lab.


Lab 6-1: Managing Rogue Access Points

Instructor Notes This lab requires the student to create a friendly and malicious rogue rule on the controller. The instructor will need to refresh the configuration of the controllers to the WCS and run Rogue AP background “Execute Now” from the Administration>Background Tasks menu on the WCS. The rogue access point is an autonomous access point that is pre-configured with eight SSIDs (rogue1 – rogue8), one for each pod, and configured for open authentication. The student can connect to the rogue SSID from the remote desktop and implement a containment using WCS.


Common Issues This subtopic presents common issues for this lab.

Friendly APs do not show up: The controller has not updated the WCS. Run Rogue AP background “Execute Now” from the Administration>Background Tasks menu on the WCS.


Lab 6-2: Managing IDS Signatures This topic details the lab activity for Lab 6-2.

Objectives You will complete these tasks in this lab:

Modify an IDS signature on the controller using the WCS

Place the rogue access point in containment from the WCS

Observe the IDS alerts on WCS

Visual Objective The figure displays the lab topology that you will use to complete this lab.


Lab 6-2: Managing IDS Signatures

Instructor Notes This lab requires the student to modify an IDS signature on the controller. In this lab, the student will use the WCS to attack their own access point (SSID pod1 – pod8) to generate an IDS signature attack. The friendly access points are defined in Lab 6-1. Since each student is adding only other controllers' SSIDs as a friendly access point, each student must be finished with Lab 6-1 before Lab 6-2 can be completed.

Common Issues This subtopic presents common issues for this lab.

Friendly APs do not show up: The controller has not updated the WCS. Run Rogue AP background “Execute Now” from the Administration>Background Tasks menu on the WCS.


Teardown and Restoration This topic describes how to tear down and restore the equipment that is used in the course.

Step 1 Clear the 2106 controllers' configuration (clear config reset without saving).

Step 2 Clear the 4402 configuration, reboot and load the saved configuration using autoconfig.

Step 3 Restore the WCS base configuration.

Step 4 Delete the controllers on pod 1 through pod 8 from the AAA Radius client on the NGS. Delete sponsors 1 through 8 and all guest accounts from the NGS.

Step 5 In the remote laptops, delete the log files from the desktop.

Step 6 In the remote laptops, remove the profiles from Intel PROSet.

Step 7 In the remote laptops, open sscManagementUtility and delete the Ethernet network and the IAUWSMGNT group and all networks.

Step 8 In the ACS server, reset each VM to the pre-class snapshot.

Step 9 In the lab server, restore the database you backed up during WCS initial installation, to bring WCS back to “installed, base config database” state.