Wednesday, July 26, 2017

Register Cisco APs with Cisco vWLC 8.1 on EVE-NG

EVE (Emulated Virtual Environment) is running in VMware Workstation on my laptop. The Cisco AP is connected directly to the Ethernet port of my laptop. PoE is supplied by a power injector. You can see the EVE topology in this capture. A core switch is bridged to the external world and connected to the vWLC. The Service Port of the vWLC is bridged to the NAT interface of VMware. If you are not familiar with this kind of virtual networking, the following post will help you understand how to make this a reality..

Note:- Find the matching country code of your physical access point before you start configuring your WLC. As an example, my AP is a Cisco AIR-CAP2602I-E-K9; the 'E' there indicates the region, Europe.. This is why I am configuring my WLC country code as GB (Great Britain)

Configuration in WLC

How the WLC is configured can be found in the following post.

After initial configuration, you will have to activate licences.

Log in to WLC with web-GUI and go to Advanced..
Go to Management > Software Activation > Licenses

Click on the AP count, then click on the Set Status tab and accept..

You will not see anything change, but trust me, without this the AP will not register.
After accepting the license, go to Commands > Reboot and click on the Save and Reboot tab

Configuration in CORE

CORE(config)#vlan 50
CORE(config)#vlan 60

CORE(config)#interface vlan 50
CORE(config-if)#ip address

CORE(config)#interface vlan 60
CORE(config-if)#ip address

CORE(config)#interface e0/0
CORE(config-if)#switchport access vlan 60

CORE(config)#interface e0/1
CORE(config-if)#switchport trunk encapsulation dot1q
CORE(config-if)#switchport mode trunk
CORE(config-if)#switchport trunk allowed vlan 50

Configuration in AP

ap#capwap ap ip address
ap#capwap ap ip default-gateway
ap#capwap ap controller ip address

Now everything should work fine.. If the AP is still not joining because of a license issue (you can see this in the logs of the AP and the WLC), you may need to reset the AP and try again..

To learn the correct way to reset a Cisco AP, please go to the following link..

Change the Mode of AP to Flex Connect

The SSID you created will not be broadcast unless you do this..
Go to Wireless, click on the name of the AP, change the AP Mode to FlexConnect and click Apply..
You will see your SSID is live around you.. :)

Correct Way to Factory Reset Cisco AP (Clear Configurations Completely)

If you have tried to clear the old configuration of a Cisco Lightweight AP (reset it using the Mode button) and then tried to join it to a new WLC, you may have experienced that it does not clear its old configuration completely. Maybe it will join the previous controller again. Sometimes only the IP address is cleared; the primary controller address is still visible in the SET variables. Well, this is the correct way to completely reset it..

The AP I am using is a Cisco 2602i, which is a very common AP.

01. First, console into the AP, log in with the username and password, and go to privileged mode..

Default Username: Cisco
Default Password: Cisco
Default Enable Password: Cisco

02. Unlock hidden commands..

Because the erase command is hidden, you will need to unlock it with the following command.
AP#debug capwap console cli

Note:- This command can also be used to get into config mode on a Cisco Lightweight AP.

03. Erase NVRAM.

NVRAM is where the startup configuration file is located and where the AP maintains the list of previously learned WLC IPs.

Issue the following command to erase the NVRAM..
AP#erase /all nvram:

After erasing the NVRAM, it will look like this..

04. Delete the Flash, or the env_vars file in Flash..

Issue dir flash:/ to see what is inside it..

If you really want a fresh factory reset of your AP, issue the following command to erase the entire flash with all the files in it. But proceed with caution, because it wipes out the OS too.

Issue the following command to delete the flash..
AP#delete /force /recursive flash:

Note:- Flash is where the IOS image and the recovery OS image are stored. If you issue the above command it will wipe out both images, so afterwards you will have to upload the recovery image from a TFTP server (your PC) in ROMMON mode. If you want to know how to do it, please refer to this.

A brand new AP comes with a recovery image only. It downloads the IOS image from the WLC after it has joined one.

So if you don't want to delete the OS but need to clear all the old configuration, issue the following command to delete the env_vars file in Flash..
AP#delete flash:/env_vars

This file is where the SET variables are stored. If you don't delete it, some of the SET variables will remain intact even after you reset by pushing the Mode button.

05. Reset AP using the Mode button

Unplug the power source of the AP and plug it in again while holding the Mode button..
Release it after the LED turns steady red.. (about 10 seconds)

Now issue the set command and you will see that all the SET variables are cleared too..
If you did not delete the entire Flash, you can issue the following command to set the IOS image to boot instead of the recovery image.

ap:set BOOT flash:/<image-directory>/<image>

In my case it is set BOOT flash:/ap3g2-k9w8-mx.153-3.JBB1/ap3g2-k9w8-mx.153-3.JBB1

Sunday, July 23, 2017

How EAP-PEAP (Protected EAP) Works in Wireless Security

EAP (Extensible Authentication Protocol) is used to authenticate users in several technologies. Common examples would be WPA/WPA2 wireless networks and point-to-point connections.

If you want to understand the basics of the 802.1X/EAP concept, please refer to this.

EAP only describes the headers that are used to identify the typical packets of an authentication dialog (request, challenge, success, failure). But the original EAP does not describe the authentication method; the flavors of EAP do..

The different flavors of EAP, identified by different names, specify the different authentication methods (the way authentication occurs)..

Most commonly used EAP types are EAP-TLS, PEAP & EAP-FAST..

EAP-PEAP (Protected EAP) is an authentication mechanism which can work with certificates on both sides or with a certificate on the server side only (the client then authenticates with a username and password, as described below).

Note:- A certificate is a public key verified by a trusted authority.
When EAP-PEAP is used, the following steps take place..
The first 4 steps are common to any EAP method (basic wireless connectivity).

(1) The client sends 802.11 Open Authentication Request
(2) AP sends 802.11 open Authentication Response
(3) The client then sends the Association Request
(4) AP sends Association Response

At this point the AP blocks all traffic from the supplicant until authentication completes..

(5) AP/WLC continues with an EAPSTART message asking for the Supplicant Identity
(6) The client sends its Identity to AP/WLC
(7) AP/WLC forwards the Supplicant Identity to the RADIUS server
(8) The RADIUS server sends its certificate to the client through AP/WLC
(9) The client generates a master encryption key, encrypts it using the server certificate and sends it to the RADIUS server

Now both the client and the RADIUS server have a way to encrypt the messages they exchange. But only the server is authenticated (by its certificate), so the client still needs to be authenticated. Therefore a second authentication phase starts (EAP inside the first EAP tunnel, thus the name Protected EAP), where the client is authenticated using a username and password with MSCHAPv2 (for PEAPv0) or GTC (for PEAPv1).

(10) The RADIUS server asks the client to send its credentials (inside the tunnel) to authenticate
(11) The client sends the credentials to the RADIUS server

Now the RADIUS server can derive the main encryption key for the client's traffic. This key is called the 'Pairwise Master Key' (PMK).

(12) The RADIUS server generates the PMK (Pairwise Master Key)
(13) The RADIUS server forwards the PMK to the AP/WLC with an authentication success message
(14) The AP/WLC uses the PMK to generate encryption keys for the client traffic

Note:- The RADIUS server does not keep the PMK; it just generates it and hands it over to the WLC..
At this point, the work of EAP-PEAP is done. But in the real world (WPA/WPA2) there are some more steps to secure the client's traffic. I will describe them in a later post about WPA/WPA2..
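The PMK derivation and hand-over described above, as an added worked example (this is not code from the original post; it is an illustration written for this page). It assumes the outer tunnel is TLS 1.2 with the SHA-256 PRF of RFC 5246, that the keying material is cut from the TLS master secret as in RFC 5216 section 2.3 with the label "client EAP encryption" (which PEAPv0 reuses; other PEAP versions use a different label), and that the PMK is the first 32 bytes of the MSK as IEEE 802.11 specifies. The master secret and the client/server randoms are constructed sample values, not output of a real handshake, and the finish_peap model only tracks who ends up holding the PMK.

```python
import hashlib
import hmac

# --- TLS 1.2 PRF (RFC 5246 section 5), HMAC-SHA256 variant ----------------
def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash expansion: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


# --- EAP keying material (RFC 5216 section 2.3; label reused by PEAPv0) ---
EAP_KEY_LABEL = b"client EAP encryption"


def eap_key_material(master_secret: bytes, client_random: bytes,
                     server_random: bytes):
    """Return (MSK, EMSK): 128 bytes of key material split into two halves."""
    km = tls12_prf(master_secret, EAP_KEY_LABEL,
                   client_random + server_random, 128)
    return km[:64], km[64:]


def derive_pmk(master_secret: bytes, client_random: bytes,
               server_random: bytes) -> bytes:
    """IEEE 802.11 takes the PMK as the first 256 bits of the MSK."""
    msk, _emsk = eap_key_material(master_secret, client_random, server_random)
    return msk[:32]


# --- Model of the last steps: who ends up holding the PMK -----------------
def finish_peap(master_secret: bytes, client_random: bytes,
                server_random: bytes, inner_auth_ok: bool) -> dict:
    """
    Both the client and the RADIUS server know the TLS master secret and the
    randoms from the tunnel set-up, so each can derive the PMK locally. Only
    after the inner MSCHAPv2/GTC exchange succeeds does the server release
    the PMK to the AP/WLC in its Access-Accept. The PMK itself is never sent
    to the client over the air.
    """
    if not inner_auth_ok:
        # Client failed the inner method: no key material leaves the server.
        return {"result": "Access-Reject", "ap_pmk": None,
                "client_pmk": None, "server_retained_pmk": None}

    client_pmk = derive_pmk(master_secret, client_random, server_random)

    # Server side: derive the same PMK and hand it to the AP/WLC. In real
    # RADIUS it travels in the MS-MPPE-Recv-Key attribute, encrypted under
    # the RADIUS shared secret; here the attribute is just a dict field.
    server_pmk = derive_pmk(master_secret, client_random, server_random)
    access_accept = {"code": "Access-Accept", "ms_mppe_recv_key": server_pmk}
    del server_pmk  # the RADIUS server keeps no copy of the PMK

    ap_pmk = access_accept["ms_mppe_recv_key"]  # the WLC now holds the PMK
    return {"result": "Access-Accept", "ap_pmk": ap_pmk,
            "client_pmk": client_pmk, "server_retained_pmk": None}


if __name__ == "__main__":
    # Constructed sample values standing in for a real TLS handshake.
    ms = bytes(range(48))
    c_rand, s_rand = b"\x11" * 32, b"\x22" * 32
    out = finish_peap(ms, c_rand, s_rand, inner_auth_ok=True)
    print("client and AP agree on PMK:", out["client_pmk"] == out["ap_pmk"])
    print("PMK:", out["ap_pmk"].hex())
```

The two properties worth noticing are that the client never receives the PMK (it derives it from the tunnel it already shares with the server, which is why the server certificate must be validated by the client), and that the key is only released to the AP/WLC after the inner credential check passes; a failed inner exchange yields an Access-Reject with no key material.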