Campus LAN and Wireless LAN Solution Design Guide
Secure WLANs 
Wireless devices should connect to the network infrastructure securely where possible. In an enterprise environment, secure the WLANs by configuring at least WPA2 with AES-CCMP encryption and 802.1x authentication of devices. This is sometimes referred to as WPA Enterprise on wireless devices. Most modern wireless devices support WPA2. You should consider migrating to the newer WPA3 standard, which is supported by Cisco Catalyst 9800 Series wireless controllers.

WPA3 is the latest version of Wi-Fi Protected Access (WPA), a suite of protocols and technologies that provide authentication and encryption for Wi-Fi networks. WPA3 leverages Simultaneous Authentication of Equals (SAE) to provide stronger protection for users against password guessing attempts by third parties. SAE employs discrete logarithm cryptography to perform an efficient exchange that mutually authenticates both sides using a password, in a way that is provably resistant to an offline dictionary attack. Adversaries use offline dictionary attacks in attempts to determine a network password by trying candidate passwords without further network interaction.
WPA3-Personal protects individual users better by using more robust password-based authentication, making the brute-force dictionary attack much more difficult and time-consuming. WPA3-Enterprise provides higher-grade security protocols for sensitive data networks.
Opportunistic Wireless Encryption (OWE) is an extension to IEEE 802.11 that provides encryption of the wireless medium. The purpose of OWE-based authentication is to avoid open, unsecured wireless connectivity between APs and clients. The OWE extension uses Diffie-Hellman cryptography to set up the wireless encryption: the client and AP perform a Diffie-Hellman key exchange during the access procedure and use the resulting pairwise secret with the 4-way handshake. The use of OWE enhances wireless network security for deployments that would otherwise use open or shared-PSK WLANs.
The use of older security methods, such as WEP or WPA, is not recommended due to known security vulnerabilities. 802.1x authentication requires an AAA server—such as Cisco ISE—that provides centralized policy-based management and control for end-users accessing the wireless network.
Typically, the AAA server implements the RADIUS protocol between itself and the WLC. Authentication of end-users is accomplished via an Extensible Authentication Protocol (EAP) session between the wireless device and the AAA server; the EAP session is transported via RADIUS between the WLC and the AAA server. Depending upon the capabilities of the wireless device, the capabilities of the AAA server, and the security requirements of the organization, multiple variants of EAP, such as PEAP and EAP-TLS, may be implemented. PEAP makes use of standard user credentials (userid & password) for authentication; EAP-TLS makes use of digital certificates for authentication.
It is highly recommended that you deploy redundant AAA servers for high availability in case one or more servers become temporarily unavailable. Often the AAA server is configured to reference an external directory or data store such as Microsoft's Active Directory (AD). This allows the network administrator to leverage existing AD credentials instead of duplicating them within the AAA server. This can also be extended to provide role-based access control (RBAC) for end-users through the use of AD groups. For example, it may be desirable to provide restricted network access to long-term contractors, as opposed to the access granted to employees. The use of an external directory or data store can also provide a single point for granting or revoking credentials, not only for access to the network infrastructure, but for access to other resources within the organization. The AAA server itself can apply additional policy-based rules for authorization to the network, such as device type, time of day, location, etc., depending upon the capabilities of the AAA server. AAA logs and accounting may be used to provide an audit trail of each employee's access to the wireless network infrastructure.

© 2020 Cisco and/or its affiliates. All rights reserved. Page 63 of 76
The use of WPA2 with AES-CCMP encryption on the WLAN does not extend to management frames. Therefore, the optional use of protected management frames (PMF) is advisable for WLANs where possible. PMF is part of the IEEE 802.11 standard and provides cryptographic protection to robust management frames such as de-authentication and disassociation frames, preventing them from being spoofed. Note that the benefits of PMF require wireless clients to support PMF. Cisco also offers an earlier version of Management Frame Protection (MFP) that has both infrastructure and client components.
In a home-office environment, it may be necessary to configure a WLAN to support WPA2 with pre-shared key (PSK). This is sometimes referred to as WPA Personal on wireless devices. This may be necessary because the implementation of an AAA server is not cost-effective for the number of end-users who access the WLAN. This may also be necessary in other environments if there is no end-user associated with a wireless device, the wireless device does not support the ability to configure a userid & password, or the wireless device cannot support a digital certificate. Since the PSK is shared among all devices that access the wireless infrastructure, it may be necessary to change the PSK if an employee who knows the PSK leaves the organization. Furthermore, with WPA PSK, there is no easy audit trail of each employee's access to the network.
The use of a dedicated, open WLAN is still common, but not ideal, for wireless guest access. Therefore, the configuration of an unsecure WLAN on the network infrastructure may still be necessary. Open access guest WLANs are often implemented in order to minimize the complexity of onboarding a guest who needs only temporary wireless network connectivity. Typically, the guest WLAN is terminated outside the corporate firewall, which allows no inbound access to corporate resources, so guests may be allowed access to the Internet only. Depending upon the requirements of the organization, guests may be required to authenticate before being allowed to access the Internet. Typically, a captive-portal model is used with WebAuth, in which guest web sessions are redirected to a portal, which authenticates the guest before allowing Internet access.
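A posture check that encodes the recommendations of this section (no WEP/WPA, WPA2 only with AES-CCMP, PMF on, PSK only with its caveats, open WLANs only for guests terminated outside the firewall) and runs it over a constructed WLAN inventory; this is an added example, not a Cisco tool, and the field names and sample SSIDs are assumptions rather than controller attributes. The rule that WPA3 mandates PMF comes from the WPA3 specification, not from this page.

```python
from dataclasses import dataclass


@dataclass
class Wlan:
    """Constructed WLAN profile; field names are assumptions, not WLC attributes."""
    ssid: str
    security: str                   # open | wep | wpa | wpa2-psk | wpa2-dot1x | wpa3-sae | wpa3-dot1x | owe
    cipher: str = "aes-ccmp"        # aes-ccmp | tkip
    pmf: str = "disabled"           # disabled | optional | required
    purpose: str = "corporate"      # corporate | guest
    outside_firewall: bool = False  # guest WLAN terminates outside the corporate firewall


def audit(w: Wlan) -> list:
    """Return findings ("FAIL: ..." sorted before "WARN: ..."); empty means compliant."""
    f = []
    if w.security in ("wep", "wpa"):
        f.append("FAIL: WEP/WPA have known vulnerabilities; use WPA2 with AES-CCMP or WPA3")
    elif w.security == "open":
        if w.purpose != "guest":
            f.append("FAIL: open WLAN is acceptable only for guest access")
        elif not w.outside_firewall:
            f.append("FAIL: guest WLAN must terminate outside the corporate firewall")
        else:
            f.append("WARN: open guest WLAN; prefer OWE and authenticate guests via WebAuth")
    if w.security.startswith("wpa2"):
        if w.cipher != "aes-ccmp":
            f.append("FAIL: WPA2 requires AES-CCMP; TKIP is not acceptable")
        if w.pmf == "disabled":
            f.append("WARN: PMF disabled; de-authentication frames can be spoofed")
        if w.purpose == "corporate" and w.security == "wpa2-psk":
            f.append("WARN: shared PSK gives no per-user audit trail; rotate it when a holder leaves")
    if w.security in ("wpa3-sae", "wpa3-dot1x") and w.pmf != "required":
        f.append("FAIL: WPA3 requires PMF")   # WPA3 mandates PMF (from the WPA3 spec, not this page)
    return sorted(f)


def audit_all(wlans) -> dict:
    """Map each SSID to its findings."""
    return {w.ssid: audit(w) for w in wlans}


# Constructed sample inventory, not taken from the guide
SAMPLE = [
    Wlan("CORP", "wpa2-dot1x", pmf="optional"),
    Wlan("CORP-WPA3", "wpa3-dot1x", pmf="required"),
    Wlan("IOT", "wpa2-psk"),
    Wlan("LEGACY", "wpa", cipher="tkip"),
    Wlan("GUEST", "open", purpose="guest", outside_firewall=True),
]

if __name__ == "__main__":
    for ssid, findings in audit_all(SAMPLE).items():
        print(ssid, findings or ["OK"])
```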