Posts

Understanding 802.11k

What is 802.11k
802.11k is an amendment to the 802.11 standard that helps wireless networks manage their radio resources. Instead of making blind decisions about when and where to roam, with 802.11k the clients have a mechanism for the network to guide them, resulting in a much smoother and more efficient roaming process.
Key Features of 802.11k:
The neighbor report
The "neighbor report" is the way the network can guide the clients about where to roam. Here's how it works:
• APs that support 802.11k advertise this capability in the beacon or probe response frame. In the following image we can see how it is advertised in a probe response:
• A client associated with that SSID sends an action frame "Neighbor report request".
• The AP replies with a "Neighbor report response" and provides the client with a list of neighboring APs that are good candidates for roaming. This report includes information such as the BSSI...

Installing Server Certificate in Cisco ISE

In this post we will be installing a certificate from our Certification Authority. In this scenario, the CA is enabled on my Windows Server 2019, which is also my DNS server and Domain Controller:
The topology for this lab is as follows:
1.- Downloading the Root CA: The first step is to navigate to the Active Directory Certificate Services Web Enrollment page. For my lab it is https://172.20.55.99/certsrv. I will save this cert as DARGNET_CA.cert
2.- Uploading the Root CA in Cisco ISE: The cert must be uploaded to the "Trusted Certificates" tab:
3.- Generating the Certificate Signing Request: We will generate the CSR to be signed by our CA. I will add the IP address of the node, so in case my DNS server is down, the certificate will still be valid. We will need to export the generated CSR and open it in a text editor:
4.- Signing the CSR: We will navigate again to our AD CA Web Enrollment page and use the Request a Certificate link. Now we...

Analyzing WPA2 Enterprise captures with dynamic VLAN assignment

In a previous post, we configured WPA2 Enterprise with PEAP and assigned the VLAN dynamically depending on which group the user belonged to, in other words, Role-Based Access Control (RBAC).
These are the 4 points where we took the captures:
WPA2 Enterprise authentication
In a WPA2 Enterprise environment, security is based on the 802.1X standard for network access control, using the EAP (Extensible Authentication Protocol) protocol. With PEAP (Protected EAP), an encrypted TLS tunnel is established between the client and the authentication server (in this case, Cisco ISE). Inside this secure tunnel, the actual user authentication takes place (generally with credentials such as username and password, which in our case are stored in the internal database of Cisco ISE).
The key components are:
• Client (Supplicant): The device trying to connect (in the examp...

WLC Failure scenario: Flexconnect in Standalone Mode

I recently came across a situation where a site with two old 2504 AireOS WLCs in N+1 redundancy with APs in Local mode lost one of the controllers. They were using both SSIDs with WPA2 Personal and WPA2 Enterprise. The site was concerned about having a disruption if the remaining controller went down too.
During the conversation with the site I pointed out that in Flexconnect mode, when using local authentication, the WPA2 Personal SSID would work, and although I personally never really tested it, I knew you can add the RADIUS servers to that configuration.
The site, after finding an old 2504 WLC with licenses, finally opted for getting that old WLC and keeping the existing configuration. That is probably the best option, since it doesn't need any change, and moving to Flexconnect required testing and validation.
In any case, I wanted to test this solution for the WPA2 Enterprise (the WPA2 Personal I've tested in the past and I know it work...

WPA2 Enterprise with dynamic VLAN assignment: Cisco 9800 / Cisco ISE

In this post I wanted to show the most basic possible configuration for using WPA2 Enterprise with Protected EAP on a Cisco 9800 WLC with APs in Flexconnect mode and Cisco ISE. To keep everything as simple as possible, the user database will be local on ISE. The configuration does not follow best practices; it is only a lab to test functionality. In this case, using a single SSID and the Policy Sets, we will define, depending on the type of user, whether the user gets the VLAN assigned to the SSID by default or a dynamic assignment to another VLAN.
Topology
CONFIGURATION ON ISE
Creating users and groups in ISE
First we will create the groups we need. I have prefixed the group names with "00" so they are more visible:
Once the groups are created, we can create the users and assign them to the groups we defined:
Adding the WLC 9800 as an Authenticator Administration...