Posts

AP in sniffer mode in Cisco 9800

When a Cisco AP joins a WLC it can work in several modes, one of those being "sniffer". In this mode, the AP passively listens to wireless traffic, which can be sent to a device that captures and analyzes it using an application like Wireshark. Setting the AP in Sniffer mode. Converting the AP to Sniffer mode: On our Cisco 9800 WLC we have to navigate to Configuration->Wireless->Access Points. From the list of APs we select the Access Point we want to be in Sniffer mode, then in the "General" tab we select "Sniffer" and "Update and apply to device". The AP will then reboot and re-join the WLC after a few minutes. Setting parameters in Sniffer mode: Once the AP has re-joined, we can verify its current mode. We will also notice that no channel is configured to be "sniffed". To configure which channels are going to be sniffed, we have to individually go to each ...

[TIP] Cisco 9800: Baselining MAC filtering and PSK failures

MAC Filtering Failure: Sometimes it is good to leverage a quick call to solve an issue to baseline the behaviour of both correct authentication or failures. This time it is an SSID with WPA2 Personal, with MAC filtering for Dynamic VLAN assignment via Cisco ISE. A field engineer called me because one RF Gun was not authenticating to the SSID. Knowing there is MAC filtering on the SSID (for Dynamic VLAN Assignment) in addition to a PSK, I quickly checked the exclusion reason on the 9800: And also on ISE it was clear that the MAC address was not added to the allowed list: Although I didn't use the Cisco Wireless Debug Analyzer until this was solved, this is the output for the current issue: Solution: The solution was easy, just add the MAC address to the authorized list. PSK Failure: While I was adding the MAC address, the field engineer informed me that he re-entered the PSK on the RF Gun thinking that maybe that was the error ¬¬...

Understanding 802.11k

What is 802.11k: 802.11k is an amendment to the 802.11 standard that helps wireless networks manage their radio resources. Instead of making blind decisions about when and where to roam, clients with 802.11k have a mechanism for the network to guide them, resulting in a much smoother and more efficient roaming process. Key Features of 802.11k: The neighbor report. The "neighbor report" is the way the network can guide the clients about where to roam. Find below how it works:
• APs that support 802.11k advertise this capability in the beacon or probe response frame. In the following image we can see how it is advertised in a probe response:
• A client associated to that SSID will send an action frame "Neighbor report request"
• The AP will reply with a "neighbor report response" and will provide the client with a list of neighboring APs that are good candidates for roaming. This report includes information such as the BS...

Installing Server Certificate in Cisco ISE

In this post we will be installing a certificate from our Certification Authority. In this scenario, the CA is enabled on my Windows Server 2019, which is also my DNS server and Domain Controller: The topology for this lab is as follows: 1.- Downloading the Root CA: The first step is to navigate to the Active Directory Certificate Services Web Enrollment page: For my lab it is https://172.20.55.99/certsrv I will save this cert as DARGNET_CA.cert 2.- Uploading the Root CA in Cisco ISE: The cert must be uploaded to the "Trusted Certificates" tab: 3.- Generating the Certificate Signing Request: We will generate the CSR to be signed by our CA: I will add the IP address of the node, so in case my DNS server is down, the certificate will still be valid: We will need to export the generated CSR and open it in a txt editor: 4.- Signing the CSR: We will navigate again to our AD CA Web Enrollment page and will use the Request a Certificate link: Now we...

Analyzing WPA2 Enterprise captures with dynamic VLAN assignment

In a previous post, we configured WPA2 Enterprise with PEAP and assigned the VLAN dynamically depending on which group the user belonged to; in other words, Role-Based Access Control (RBAC). These are the 4 points where we took the captures: WPA2 Enterprise authentication: In a WPA2 Enterprise environment, security is based on the 802.1X standard for network access control, using the EAP protocol (Extensible Authentication Protocol). With PEAP (Protected EAP), an encrypted TLS tunnel is established between the client and the authentication server (in this case, Cisco ISE). Inside this secure tunnel, the actual user authentication takes place (generally with credentials such as username and password, which in our case are stored in the internal database of Cisco ISE). The key components are: • Client (Supplicant): The device that is trying to connect (in the examp...