Wednesday, July 26, 2017

Register Cisco APs with Cisco vWLC 8.1 on EVE-NG

EVE (Emulated Virtual Environment) is running in VMware Workstation on my laptop. The Cisco AP is connected directly to the Ethernet port of my laptop, with PoE supplied by a power injector. You can see the EVE topology in this capture. A core switch is bridged to the external world and connected to the vWLC. The service port of the vWLC is bridged to the NAT interface of VMware. If you are not familiar with this kind of virtual networking, the following post will help you understand how to make this work.

https://roshanznet.blogspot.com/2017/01/connect-virtual-devices-in-unleve-to_31.html

Note:- Find the matching country code of your physical access point before you start configuring your WLC. As an example, my AP is a Cisco AIR-CAP2602I-E-K9; the 'E' indicates the regulatory domain, Europe. This is why I am configuring my WLC country code as GB (Great Britain).

Configuration in WLC

How the WLC is configured can be found in the following post.
https://roshanznet.blogspot.com/2017/02/deploy-vwlc-on-eve-unl.html

After the initial configuration, you will have to activate licences.

Log in to the WLC web GUI and go to Advanced.
Go to Management > Software Activation > Licenses
Click on the ap count, then click on the Set Status tab and accept.

You will not see anything change, but trust me, without this your AP will be held back from registering.
After accepting the license, go to Commands > Reboot and click on the Save and Reboot tab.

Configuration in CORE

CORE(config)#vlan 50
CORE(config)#vlan 60

CORE(config)#interface vlan 50
CORE(config-if)#ip address 192.168.50.254 255.255.255.0

CORE(config)#interface vlan 60
CORE(config-if)#ip address 192.168.60.254 255.255.255.0

CORE(config)#interface e0/0
CORE(config-if)#switchport access vlan 60

CORE(config)#interface e0/1
CORE(config-if)#switchport trunk encapsulation dot1q
CORE(config-if)#switchport mode trunk
CORE(config-if)#switchport trunk allowed vlan 50

Configuration in AP

ap#capwap ap ip address 192.168.60.10 255.255.255.0
ap#capwap ap ip default-gateway 192.168.60.254
ap#capwap ap controller ip address 192.168.50.51

Now everything should work fine. If the AP still does not join because of a license issue (you can see this in the logs of the AP and the WLC), you may need to reset the AP and try again.

To learn the correct way to reset a Cisco AP, please go to the following link.
https://roshanznet.blogspot.com/2017/07/correct-way-to-factory-reset-cisco-ap.html

Change the Mode of AP to Flex Connect

The SSID you created will not be broadcast unless you do this.
Go to Wireless, click on the name of the AP, change the AP mode to FlexConnect and apply.
You will see your SSID is live around you. :)

Correct Way to Factory Reset Cisco AP (Clear Configurations Completely)

If you have tried to clear old configurations / reset a Cisco lightweight AP using the mode button and then tried to join it to a new WLC, you may have noticed that it does not clear its old configuration completely. Maybe it joins the previous controller again. Sometimes only the IP address is cleared, and the primary controller address is still visible in the set variables. Well, this is the correct way to completely reset it.


The AP I am using is a Cisco 2602i, which is a very common AP.

01. First console into the AP, log in with the username and password, and go to privileged mode.

Default Username: Cisco
Default Password: Cisco
Default Enable Password: Cisco

02. Unlock hidden commands.

Because the erase command is hidden, you will need to unlock it with the following command.
AP#debug capwap console cli

Note:- This command can also be used to enter config mode on a Cisco lightweight AP.

03. Erase NVRAM.

NVRAM is where the startup configuration file is located and where the AP maintains the list of previously learned WLC IPs.


Hit the following command to erase the NVRAM.
AP#erase /all nvram:

After erasing the NVRAM, it will look like this.

04. Delete the flash, or the env_vars file in flash.

Hit dir flash:/ to see what is inside it.

If you really want to bring your AP back to a fresh factory state, issue the following command to erase the entire flash with all the files in it. But proceed with caution, because it wipes out the OS too.

Hit the following command to delete flash.
AP#delete /force /recursive flash:

Note:- Flash is where the IOS image and the recovery OS image are stored. If you issue the above command, it wipes out both images, so afterwards you will have to upload the recovery image from a TFTP server (your PC) in ROMMON mode. If you want to know how to do it, please refer to this.

A brand new AP comes with the recovery image only. It downloads the IOS image from the WLC after it joins one.

So if you don't want to delete the OS but need to clear all the old configuration, hit the following command to delete the env_vars file in flash.
AP#delete flash:/env_vars

This file is where the set variables are stored. If you don't delete it, some of the set variables remain intact even after you reset the AP with the mode button.

05. Reset AP using the Mode button

Unplug and re-plug the power source of the AP while holding the mode button.
Release it after the LED turns steady red (about 10 seconds).

Now issue the set command and you can see that all the set variables are cleared too.
If you did not delete the entire flash, you can give the following command to boot the IOS image instead of the recovery image.

ap:set BOOT flash:/<image-directory>/<image>

In my case it is: set BOOT flash:/ap3g2-k9w8-mx.153-3.JBB1/ap3g2-k9w8-mx.153-3.JBB1

Sunday, July 23, 2017

How EAP-PEAP (Protected EAP) Works in Wireless Security

EAP (Extensible Authentication Protocol) is used to authenticate users in several technologies. Common examples would be WPA/WPA2 wireless networks & point to point connections.

If you want to understand basics about 802.1X/EAP concept please refer this.

EAP only describes the headers used to identify the typical packets of an authentication dialog (request, challenge, success, failure). The original EAP does not describe the authentication method; the flavors of EAP do.

The different flavors of EAP, identified by different names, specify the different authentication methods (the way authentication occurs).

The most commonly used EAP types are EAP-TLS, PEAP & EAP-FAST.

EAP-PEAP

EAP-PEAP (Protected EAP) is an authentication mechanism which can work entirely with certificates or without certificates.

Note:- A certificate is a public key verified by a trusted authority.
When EAP-PEAP is used, the following steps take place.
The first 4 steps are common to any EAP method (basic wireless connectivity).

(1) The client sends 802.11 Open Authentication Request
(2) AP sends 802.11 open Authentication Response
(3) The client then sends the Association Request
(4) AP sends Association Response

At this point the AP blocks all traffic from the supplicant until authentication completes.

(5) AP/WLC continues with an EAPSTART message asking for the Supplicant Identity
(6) The client sends its Identity to AP/WLC
(7) AP/WLC forwards the Supplicant Identity to the RADIUS server
(8) The RADIUS server sends its certificate to the client through AP/WLC
(9) The client generates a master encryption key, encrypts it using the server certificate and sends it to the RADIUS server

Now both the client and the RADIUS server have a way to encrypt the messages they exchange. But only the server is authenticated (by its certificate), so the client still needs to be authenticated. Therefore a second authentication phase starts (EAP inside the first EAP tunnel, hence the name Protected EAP) where the client is authenticated using a username and password with MSCHAPv2 (for PEAPv0) or GTC (for PEAPv1).

(10) The RADIUS server asks the client to send credentials to authenticate
(11) The client forwards the credentials to the RADIUS server

Now the RADIUS server can derive the main encryption key for the client's traffic. This key is called the 'Pairwise Master Key'.

(12) The RADIUS server generates the PMK (Pairwise Master Key)
(13) The RADIUS server forwards the PMK to the AP/WLC with an authentication success message
(14) The AP/WLC uses the PMK to generate encryption keys for the client traffic

Note:- The RADIUS server does not keep the PMK; it just generates it and hands it over to the WLC.
At this point, the work of EAP-PEAP is done. But in the real world (WPA/WPA2) there are some more steps to go to secure the traffic of the client. I will describe them in a later post about WPA/WPA2.


Saturday, July 22, 2017

How EAP-TLS (Transport Layer Security) Works in Wireless Security

EAP (Extensible Authentication Protocol) is used to authenticate users in several technologies. Common examples would be WPA/WPA2 wireless networks & point to point connections.

If you want to understand basics about 802.1X/EAP concept please refer this.

EAP only describes the headers used to identify the typical packets of an authentication dialog (request, challenge, success, failure). The original EAP does not describe the authentication method; the flavors of EAP do.

The different flavors of EAP, identified by different names, specify the different authentication methods (the way authentication occurs).

The most commonly used EAP types are EAP-TLS, PEAP & EAP-FAST.

EAP-TLS

EAP-TLS (Transport Layer Security) is an authentication mechanism that relies on certificates. Key pairs (certificate & private key) are installed on the clients and on the RADIUS server.

Note:- A certificate is a public key verified by a trusted authority.

When EAP-TLS is used, the following steps take place.
The first 4 steps are common to any EAP method (basic wireless connectivity).

(1) The client sends 802.11 Open Authentication Request
(2) AP sends 802.11 open Authentication Response
(3) The client then sends the Association Request
(4) AP sends Association Response

At this point the AP blocks all traffic from the supplicant until authentication completes.

(5) AP/WLC continues with an EAPSTART message asking for the Supplicant Identity (username)
(6) The client sends its Identity to AP/WLC
(7) AP/WLC forwards the Supplicant Identity to the RADIUS server
(8) The RADIUS server responds with its certificate
(9) The client verifies the server certificate and sends its own certificate

Now both the client and the RADIUS server have a way to encrypt the messages they exchange. They use this secure connection to agree on a way to derive the main encryption key for the client's traffic. This key is called the 'Pairwise Master Key'.

(10) The RADIUS server generates the PMK (Pairwise Master Key)
(11) The RADIUS server forwards the PMK to the AP/WLC with an authentication success message
(12) The AP/WLC uses the PMK to generate encryption keys for the client traffic

Note:- The RADIUS server does not keep the PMK; it just generates it and hands it over to the WLC.

At this point, the work of EAP-TLS is done. But in the real world (WPA/WPA2) there are some more steps to go to secure the traffic of the client. I will describe them in a later post about WPA/WPA2.

Note:- EAP-TLS is a very secure authentication method, but a certificate needs to be installed on each client, so it is not widely used as enterprises move towards BYOD.

Friday, July 21, 2017

802.1X/EAP Authentication Concept in Wireless Security

WEP (Wired Equivalent Privacy) uses one single key for all users in the WLAN, and if this key is found (which can be done easily with Kali Linux) the WLAN is compromised. So a new security concept which separates authentication from encryption was required. Using 802.1X and EAP (Extensible Authentication Protocol), IEEE offered a better solution, which is used in WPA/WPA2 (Wi-Fi Protected Access) nowadays.

802.1X

This is a protocol which defines port-based access control. 802.1X defines the following 3 roles.

1. Supplicant = the end point which wants to access the network
2. Authenticator = the point of connection to the network
3. Authentication Server = the server which actually authenticates the users

When a supplicant connects to the authenticator, the authenticator closes its port to everything except authentication-related exchanges and asks the supplicant for credentials. The authenticator then passes the received credentials to the authentication server. The authentication server then responds to the authenticator with either a success or a failure message. If the response is a success, the port is opened and user traffic is allowed.

In the wireless world, the AP (or the AP/WLC pair in a centralized network) acts as the authenticator.
The following steps take place.
The first 4 steps are about basic wireless connectivity.

(1) The client sends 802.11 Open Authentication Request
(2) AP sends 802.11 open Authentication Response
(3) The client then sends the Association Request
(4) AP sends Association Response
At this point the AP blocks all traffic from the supplicant until authentication completes.
(5) The 802.1X/EAP process starts at this point.
(6) When the 802.1X/EAP process is successful, the client traffic is allowed through the AP.

RADIUS (Remote Authentication Dial-In User Service) is the main protocol described for the communication between the authenticator and the authentication server in the 802.1X protocol. This means that the supplicant exchanges the 802.1X messages with the authenticator, and the authenticator then translates those 802.1X messages to RADIUS messages and forwards them to a RADIUS server.

So the 802.1X and the RADIUS protocols are the protocols used to transport the authentication dialog between the supplicant and the authentication server.

Note:- RADIUS server uses UDP port 1812 for authentication and UDP 1813 for authorization..

That authentication dialog is what EAP defines.

EAP (Extensible Authentication Protocol)

802.1X does not contain specific methods for wireless clients to send their credentials to the authentication server, nor does it specify how this authentication should occur. So IEEE added EAP to fulfill this requirement.

EAP only describes the headers used to identify the typical packets of an authentication dialog (request, challenge, success, failure). The original EAP does not describe the authentication method; the flavors of EAP do.

The different flavors of EAP, identified by different names, specify the different authentication methods (the way authentication occurs).
Ex:- EAP-TLS, PEAP, EAP-FAST

If you want to know how EAP-TLS works go here.
If you want to know how PEAP works go here.
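The EAP headers described above, together with the EAPOL-Start and Identity exchange that opens the PEAP and EAP-TLS dialogs in the earlier posts, as an added example that is not part of the original post: a small Python parser for EAPOL frames and the EAP packets carried inside them. The type numbers are the standard EAPOL packet types and IANA EAP method types; the identity string and sample frames are constructed here.

```python
import struct

# EAPOL (802.1X) packet types and EAP codes/method types (RFC 3748, IANA registry)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST"}


def parse_eap(pkt: bytes) -> dict:
    """Parse the 4-byte EAP header; Request/Response also carry a Type byte."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")   # never trust the length blindly
    out = {"code": EAP_CODES.get(code, "unknown"), "id": ident, "length": length}
    if code in (1, 2):                   # Request/Response: Type + method data
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        mtype = pkt[4]
        data = pkt[5:length]
        out["type"] = EAP_TYPES.get(mtype, f"type-{mtype}")
        out["identity"] = data.decode("utf-8", "replace") if mtype == 1 else None
        out["data_len"] = len(data)
    return out


def parse_eapol(frame: bytes) -> dict:
    """Parse an EAPOL frame (payload after EtherType 0x888E) and any EAP inside it."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, etype, body_len = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + body_len:
        raise ValueError("EAPOL length exceeds frame")
    out = {"eapol_version": version, "eapol_type": EAPOL_TYPES.get(etype, "unknown"), "eap": None}
    if etype == 0:                       # only EAP-Packet frames carry an EAP header
        out["eap"] = parse_eap(frame[4:4 + body_len])
    return out


def build_eap(code: int, ident: int, mtype=None, data: bytes = b"") -> bytes:
    body = b"" if mtype is None else bytes([mtype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol(etype: int, eap: bytes = b"") -> bytes:
    return struct.pack("!BBH", 2, etype, len(eap)) + eap   # EAPOL version 2 (802.1X-2004)


# Constructed sample frames for the start of the dialog (not captured traffic)
SAMPLE_START = build_eapol(1)                                   # EAPOL-Start
SAMPLE_ID_REQ = build_eapol(0, build_eap(1, 1, 1))             # Request/Identity
SAMPLE_ID_RESP = build_eapol(0, build_eap(2, 1, 1, b"alice@example.com"))
SAMPLE_PEAP_REQ = build_eapol(0, build_eap(1, 2, 25, b"\x20"))  # Request/PEAP, Start flag
SAMPLE_SUCCESS = build_eapol(0, build_eap(3, 2))               # Success (no Type byte)
```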

Thursday, July 20, 2017

Light Weight Access Point Registration Process with Cisco WLC

This is a 4-step process: getting an IP address, finding WLCs, selecting a WLC & registering with the primary WLC. Simple as that. In lightweight mode, APs act as dumb end-point devices for the wireless LAN controllers. All they need is to find a WLC to build their tunnel (CAPWAP) to transport user traffic, where it is handled as required.

Step 01: Getting an IP address

An AP can be assigned an IP address in 2 ways.
1. Static assignment
2. DHCP

If it is not configured statically, it sends a DHCP discover to find a DHCP server and get an IP address along with the other network details. Nothing amazing here, as this is what any end point does when it is plugged into a network.


Step 02: Finding WLCs

There are 2 WLC discovery methods in Cisco APs: L2 discovery & L3 discovery.
L2 discovery happens first.

Note:- LWAPP & CAPWAP are the 2 lightweight-mode protocols which allow APs to join WLCs. LWAPP stands for Lightweight Access Point Protocol and CAPWAP stands for Control And Provisioning of Wireless Access Points. Both accomplish the same task in different ways. CAPWAP does it in a better, more secure way. LWAPP is older and only supported on a few old platforms.

1. Layer 2 Discovery (supported only on a few old platforms using LWAPP)
2. Layer 3 Discovery (supported on all platforms with either LWAPP or CAPWAP)

Steps of L3 Discovery :-

(i). CAPWAP Discovery request broadcast on local subnet (IP broadcast).

(ii). CAPWAP Discovery request sent to controller IP addresses learnt via the OTAP feature.

When the feature called OTAP (Over-the-Air Provisioning) is configured on a controller, APs that have already joined the controller advertise their known controller addresses in neighbor messages sent over the air. New APs attempting to discover controllers receive these messages and unicast a discovery request to each controller. WLCs unicast a discovery response to the APs after receiving these requests.

(iii). CAPWAP discovery request sent to all locally stored WLC IP addresses.

APs maintain a list of previously learnt WLC IPs in their NVRAM. They send unicast messages to these IP addresses. WLCs unicast a discovery response to the APs after receiving these requests.

(iv). CAPWAP discovery request sent to IP addresses learnt from DHCP option 43.

DHCP option 43 carries the IP of the WLC. You can configure this in the DHCP server settings.
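How the WLC address is packed into option 43, as an added example that is not part of the original post: Cisco APs expect a vendor-specific TLV with sub-option type 0xf1 (241), a length of 4 bytes per controller, and the IPv4 addresses in network byte order. The encoder and strict decoder below are my own Python, with the page's WLC address 192.168.50.51 and a second constructed controller as sample input; the IOS pool name and subnet in the helper are constructed too.

```python
import ipaddress
import struct

CISCO_WLC_SUBOPTION = 0xF1   # sub-option 241: list of controller IPv4 addresses


def encode_option43(controllers):
    """Return the hex string for DHCP option 43 carrying the given WLC addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 255:
        raise ValueError("too many controllers for a single TLV (1-byte length)")
    return (struct.pack("!BB", CISCO_WLC_SUBOPTION, len(payload)) + payload).hex()


def decode_option43(hex_value):
    """Walk the TLVs in option 43 and return the WLC addresses, rejecting malformed data."""
    raw = bytes.fromhex(hex_value)
    found = []
    i = 0
    while i < len(raw):
        if len(raw) - i < 2:
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("TLV length exceeds option data")
        if tlv_type == CISCO_WLC_SUBOPTION:
            if tlv_len % 4 != 0:
                raise ValueError("sub-option 241 length must be a multiple of 4")
            found += [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, tlv_len, 4)]
        i += 2 + tlv_len          # skip unknown sub-options instead of failing
    return found


def ios_dhcp_pool_lines(pool, network, mask, gateway, controllers):
    """Constructed IOS DHCP pool snippet handing the controller list to lightweight APs."""
    return [f"ip dhcp pool {pool}",
            f" network {network} {mask}",
            f" default-router {gateway}",
            f" option 43 hex {encode_option43(controllers)}"]


# Sample: the page's vWLC plus a constructed second controller
SAMPLE_CONTROLLERS = ["192.168.50.51", "192.168.50.52"]
```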

(v). CAPWAP discovery request sent to IP addresses learnt from the DNS name
CISCO-CAPWAP-CONTROLLER.localdomain

If a WLC gets a discovery request from any of the above steps, it sends a unicast response to the AP.
The AP runs all these steps to create a list of WLCs. This is called the WLC hunting algorithm.

WLC Hunting Algorithm :-

1. If L2 discovery is supported, send a discovery request in an Ethernet broadcast
2. If L2 discovery is not supported or step 1 fails to find a WLC, proceed to L3 discovery
3. If L3 discovery fails to find a candidate WLC, reboot and return to step 1


Step 03: Selecting WLCs

WLCs embed the following important information in the LWAPP/CAPWAP discovery response:
1. The controller sysName - hostname of WLC
2. The controller type - platform
3. The controller AP capacity and its current AP load
4. The master controller flag
5. The AP manager IP address

The AP uses this information to make a controller selection:

1. If the LAP has been previously configured with primary, secondary and tertiary controllers, the LAP attempts to join these first (specified using the controller sysName)
2. Attempt to join a WLC configured as a master controller
3. Attempt to join the WLC with the greatest excess capacity
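The selection order above, worked through in Python as an added example that is not part of the original post. The discovery responses carry the five fields the post lists; the constructed sample uses the page's vWLC address 192.168.50.51 together with two made-up controllers, and the rule that only a controller with spare capacity is a candidate in step 3 is my assumption.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DiscoveryResponse:
    """The fields a WLC embeds in its LWAPP/CAPWAP discovery response."""
    sys_name: str        # controller sysName (hostname)
    platform: str        # controller type
    capacity: int        # licensed AP capacity
    load: int            # APs currently joined
    master: bool         # master controller flag
    ap_manager_ip: str   # AP-manager address the AP will send its join request to

    @property
    def excess_capacity(self) -> int:
        return self.capacity - self.load


def select_controller(responses: List[DiscoveryResponse],
                      preferred: List[str]) -> Optional[DiscoveryResponse]:
    """Choose a WLC: configured primary/secondary/tertiary by sysName first,
    then the master controller, then the greatest excess capacity."""
    by_name = {r.sys_name: r for r in responses}
    for name in preferred:                       # step 1: configured controllers, in order
        if name in by_name:
            return by_name[name]
    masters = [r for r in responses if r.master]  # step 2: master controller flag
    if masters:
        return masters[0]
    candidates = [r for r in responses if r.excess_capacity > 0]   # assumption: needs room
    if not candidates:
        return None                              # hunting algorithm: reboot, start over
    return max(candidates, key=lambda r: r.excess_capacity)        # step 3


# Constructed discovery responses (only 192.168.50.51 comes from the post)
SAMPLE_RESPONSES = [
    DiscoveryResponse("vWLC-1", "vWLC", 200, 190, False, "192.168.50.51"),
    DiscoveryResponse("WLC-MASTER", "5508", 500, 100, True, "192.168.50.52"),
    DiscoveryResponse("WLC-BIG", "8540", 6000, 1000, False, "192.168.50.53"),
    DiscoveryResponse("WLC-FULL", "2504", 75, 75, False, "192.168.50.54"),
]
```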


Step 04: Registering with the Primary WLC

1. The AP sends a join request first.
The join request contains the X.509 certificate of the AP, which the WLC validates.

2. The WLC then sends a join response.
The join response indicates that the AP is registered and contains the X.509 certificate of the WLC, which the AP validates.

After the join is complete, the following things happen between the WLC & AP:
- Sync firmware on the WLC & LAP if it does not match
- The WLC provisions the LAP with configuration parameters (SSID, security, QoS, etc.)

Now the registration is complete. If the primary controller fails, the AP registers with the next available secondary controller in its list.

Friday, July 7, 2017

Create a Local User Who Can Only View Running-Config in Cisco IOS

Sometimes you need to create a user who cannot do anything except view the running config. This is a common requirement when you create usernames for third parties. The problem is the architecture of Cisco IOS: users can only view the configuration they are allowed to modify. So if a user is given level 7 and you assign the show running-config command to level 7, it will not work, because configuration mode is at level 15. If you assign the configure terminal command to level 7 to correct this problem, the user gains access to all the configuration commands.

So if you only need a user who can view the running-config, you can simply do this.

Create a username with privilege level 15
Router(config)#username TEST privilege 15 password cisco

Specify the show run command to run automatically when the user logs in
Router(config)#username TEST autocommand show run

Of course you will need to specify the local login method on the telnet/console lines the user is using
Router(config)#line vty 0 4
Router(config-line)#login local