802.1x Radius server and autonomous Wireless AP
Table of Contents
1 Summary
2 Test network
3 Test results
  3.1 Aruba
  3.2 Cisco
4 Recommendations
  4.1 Aruba
  4.2 Cisco
  4.3 Encryption types [1]
  4.4 Further design considerations
8 References
1 Summary
This report contains the details of the testing that was performed on two
wireless access points Aruba iAP-93 and Cisco AIR AP1131G.
Based on the test results, if the Aruba AP is used, it is recommended that
two separate SSIDs are set up, one for staff and students and the other for
guests, with the authentication and encryption combinations recommended
in section 4.1. If only one SSID is desired, then guests will need to
access the network via 802.1x authentication as well. To do this, a guest
account for use by all guests will need to be set up on the Radius server.
There are two options available if the Cisco wireless access point is used.
One option is to enable just one SSID for all users (staff, students and
guests), and configure a guest account on the Radius server for guests to
use when connecting to the network. Alternatively, multiple SSIDs would
need to be configured, one per VLAN, as dynamic VLAN assignment is not
supported when multiple SSIDs are enabled.
2 Test network
The diagram below shows the prototype network.
Two different wireless access points (Aruba and Cisco) and their
interoperability with two different access switches (HP and Maipu) were
tested.
The hardware and software versions used on the test network are listed in
the table below.
Network equipment | Hardware | Software
Wireless access point 1 (device under test) | Aruba iAP-93 | Version 6.1.3.4-3.1.0.0
Wireless access point 2 (device under test) | Cisco AP1131G |
School access switch 1 (interoperability test) | HP A5120-48G EI |
School access switch 2 (interoperability test) | Maipu SM330028T |
School router | Cisco 1941/K9 (revision 1.0) |
R1 | Cisco 1941/K9 (revision 1.0) |
Also listed in the table, with their row labels not recovered: HP A5500-24GSFP EI (twice) and a further Cisco 1941/K9 (revision 1.0).
3 Test results
The following findings were recorded during testing.
3.1 Aruba
The following issues were seen while testing the Aruba access point.
Description | Result
Interoperability with the HP access switch | Pass
Interoperability with the Maipu access switch | Pass
Dynamic VLAN Support | Pass
802.1x with WEP | Pass
802.1x with WPA1 (TKIP) | Pass
802.1x with WPA2 (AES) | Pass
802.1x with WPA2 and WPA1 | Pass
Multiple SSID | Pass
Interoperability with Mac OS clients | Pass
Interoperability with Windows clients | Pass
Guest network captive portal | Failed: the user was not redirected to the captive portal
Assign user to Guest VLAN when user connects to the 802.1x network but does not enter authentication details | Not supported
Assign user to Auth-Fail VLAN when user enters incorrect authentication details | Not supported
3.2 Cisco
Description | Result
Interoperability with the HP access switch | Pass
Interoperability with the Maipu access switch | Pass
Dynamic VLAN Support | Pass (only if one SSID is configured; multiple SSID together with dynamic VLAN is not supported)
The descriptions of the remaining rows were not recovered; their results, in order, are: Worked with the Mac OS, but failed with the Windows PC; Pass; Pass; Pass (but Dynamic VLAN will not be supported); Pass; Pass; Not supported; Not supported.
4 Recommendations
Based on the test findings, the following setup is recommended.
4.1 Aruba
It is recommended that two separate SSIDs are set up, one for staff and
students and the other for guests with the following recommended
authentication and encryption combinations.
Users | Network Type | Authentication | Encryption
Staff and students | Employee | 802.1x | AES (WPA2)
Guests | Guest | Captive Portal* | None/WEP?
*During testing, the captive portal functionality was not working. At the
time of writing, there is an open query with Aruba on this. If a captive
portal is not used, then it is recommended that at least WEP is set up to
prevent too many users using the access point.
If only one SSID is desired, then the guest will need to access the network
via 802.1x authentication as well. To do this, a guest account for use by all
guests will need to be set up on the Radius server.
4.2 Cisco
When multiple SSIDs are enabled on the Cisco wireless access point, dynamic
VLAN is not supported. Therefore, there are two options available if the
Cisco wireless access point is used.
One option is to enable just one SSID for all users (staff, students and
guests), and configure a guest account on the Radius server for guests to
use when connecting to the network.
Alternatively, multiple SSIDs would need to be configured, one per VLAN,
as dynamic VLAN is not supported, i.e.:
Users | Authentication | Encryption
Staff | 802.1x | AES (WPA2)
Students | 802.1x | AES (WPA2)
Guests | None | None/WEP/WPA
4.3 Encryption types [1]
Both the Cisco and Aruba wireless access points support the following
encryption types:
WEP
WEP is an authentication method where all users typically share the same
key. WEP is easily broken and is not secure.
TKIP
TKIP uses the same encryption algorithm as WEP, but TKIP is more secure
and has additional message integrity checks. Recently, vulnerabilities in
the TKIP encryption method have been exposed. It is recommended that
users migrate from TKIP to AES.
AES
The Advanced Encryption Standard (AES) encryption algorithm is now
widely supported and is the recommended encryption type for all
wireless networks that contain confidential data. AES leverages
802.1x to generate per station keys for all devices. AES provides a high
level of security.
WEP and TKIP are limited to WLAN connection speeds of 54 Mbps. For
802.11n connections, only AES encryption is supported.
Default VLAN: 5
Configure the external Radius server by clicking the Edit button on the
Authentication server 1 field.
Enter the details of the Radius server. The NAS IP address should be
configured to be the IP address of the Aruba wireless Virtual Controller.
(Note that the Radius server must be configured with the details of the
Aruba NAS IP as well).
Similarly, if necessary, configure the backup external Radius server by
clicking the Edit button on the Authentication server 2 field.
Click Finish. The network is added and listed in the Networks tab.
Click Finish. The network is added and listed in the Networks tab.
After selecting OK, there will be a message box informing you to reboot
the access point for the changes to take effect. Before rebooting the
access point, configure the IP address of the Virtual Controller.
6.4 Verification
6.4.1
6.4.2
6.4.3
Connect to the guest network (no authentication to the Radius server is
needed).
The user is able to connect and is assigned an IP in the guest VLAN as expected.
However, two problems were encountered:
1. The captive portal was not displayed
2. In the client list on the GUI, the Username of the client was incorrect (it
should have been blank), but the IP address listed is correct.
no cdp enable
bridge-group 5
bridge-group 5 subscriber-loop-control
bridge-group 5 block-unknown-source
no bridge-group 5 source-learning
no bridge-group 5 unicast-flooding
bridge-group 5 spanning-disabled
!
! Dot11 sub-interface for VLAN 100
interface Dot11Radio0.100
encapsulation dot1Q 100
no ip route-cache
no cdp enable
bridge-group 100
bridge-group 100 subscriber-loop-control
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
bridge-group 100 spanning-disabled
!
! Dot11 sub-interface for VLAN 200
interface Dot11Radio0.200
encapsulation dot1Q 200
no ip route-cache
no cdp enable
bridge-group 200
bridge-group 200 subscriber-loop-control
bridge-group 200 block-unknown-source
no bridge-group 200 source-learning
no bridge-group 200 unicast-flooding
bridge-group 200 spanning-disabled
!
! FastEthernet interface
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
! FastEthernet sub-interface for VLAN 1
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
! FastEthernet sub-interface for VLAN 5
interface FastEthernet0.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 5
no bridge-group 5 source-learning
bridge-group 5 spanning-disabled
!
! FastEthernet sub-interface for VLAN 100
interface FastEthernet0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
no bridge-group 100 source-learning
bridge-group 100 spanning-disabled
!
! FastEthernet sub-interface for VLAN 200
interface FastEthernet0.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 200
no bridge-group 200 source-learning
bridge-group 200 spanning-disabled
!
! BVI interface to manage the AP and for radius communication
interface BVI1
ip address 172.23.4.38 255.255.255.224
no ip route-cache
!
! Default gateway to the access switch
ip default-gateway 172.23.4.33
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
! Define the Windows NAP Radius server
ip radius source-interface BVI1
radius-server host 172.23.4.50 auth-port 1812 acct-port 1813 key 7 1513090F
bridge 1 route ip
!
line con 0
line vty 0 4
!
end
ap#
7.2.1
This was using the Cisco access point, HP remote access switch, Dynamic
VLAN, WPAv2 authentication and Mac OS.
When connecting to the network, a user with a staff account was used to
authenticate with the Radius server. The Radius server specified that
VLAN 200 should be used. The output below shows that the user was
correctly assigned an IP address in VLAN 200 and that WPAv2
authentication was used.
ap# sh dot11 associations all-client
Address           : 001f.5bc7.8576     Name             : NONE
IP Address        : 172.23.4.195       Interface        : Dot11Radio 0
Device            : unknown            Parent           : self
CCX Version       : NONE
State             : EAP-Assoc          Association Id   : 1
SSID              : cisco_test         VLAN             : 200
Hops to Infra     : 1
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz
Signal Strength   : -36 dBm            Connected for    : 49 seconds
Signal to Noise   : 57 dB              Activity Timeout : 56 seconds
Power-save        : Off                Last Activity    : 4 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 164                Packets Output   : 20
Bytes Input       : 19082              Bytes Output     : 2644
Duplicates Rcvd   : 0                  Data Retries     : 1
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0
Session timeout   : 0 seconds
Reauthenticate in : never
ap#
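The reply described above (the Radius server telling the AP to place the staff user in VLAN 200) is reconstructed here as an added Python example; it is not code from the report or from either vendor. It assumes the standard RFC 2865/2868 attribute encoding and uses a constructed shared secret and request authenticator in place of the real ones.

```python
# Added example, not code from the report: the RADIUS Access-Accept that puts a
# staff user into VLAN 200 via the RFC 2868 tunnel attributes used for dynamic
# VLAN assignment, plus the Response Authenticator check the AP performs.
import hashlib
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6   # values used for VLAN assignment (RFC 3580)

def avp(attr_type, value):
    """One attribute-value pair: type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vlan_attributes(vlan_id, tag=0):
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan id>."""
    return (avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + MEDIUM_IEEE_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    """NAS-side check: a reply only counts if it was computed with the shared secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + request_auth + attrs + secret).digest() == resp_auth

def assigned_vlan(packet):
    """Walk the attributes and return the VLAN id from Tunnel-Private-Group-ID, or None."""
    attrs, pos = packet[20:], 0
    while pos + 2 <= len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2:
            break                               # malformed length: stop instead of looping
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            value = attrs[pos + 2:pos + length]
            if value and value[0] <= 0x1F:      # a leading byte <= 0x1F is a tag, not text
                value = value[1:]
            return int(value.decode())
        pos += length
    return None

SECRET = b"constructed-shared-secret"           # constructed; the real key lives in the AP config
REQUEST_AUTH = bytes(range(16))                 # constructed stand-in for the AP's Request Authenticator

def staff_accept(ident=7):
    """The reply the report describes for a staff login: Access-Accept carrying VLAN 200."""
    return build_response(ACCESS_ACCEPT, ident, REQUEST_AUTH, vlan_attributes(200), SECRET)
```

Because the authenticator covers the attributes, a reply whose VLAN was altered in transit fails verification unless the shared secret is known, which is why the key configured on the AP matters as much as the account on the Radius server.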
7.2.2
This was using the Cisco access point, Maipu remote access switch,
Dynamic VLAN, WPAv2 authentication and Windows OS.
When connecting to the network, a user with a student account was used
to authenticate. The user was correctly assigned an IP address in VLAN
100.
ap# sh dot11 associations all-client
Address           : 001f.3cdb.d59c     Name             : ap
IP Address        : 172.23.4.131       Interface        : Dot11Radio 0
Device            : ccx-client         Parent           : self
CCX Version       : 4
State             : EAP-Assoc          Association Id   : 1
SSID              : cisco_test         VLAN             : 100
Hops to Infra     : 1
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Current Rate      : 48.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz
Signal Strength   : -36 dBm            Connected for    : 15 seconds
Signal to Noise   : 58 dB              Activity Timeout : 60 seconds
Power-save        : Off                Last Activity    : 0 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 113                Packets Output   : 22
Bytes Input       : 12667              Bytes Output     : 2570
Duplicates Rcvd   : 0                  Data Retries     : 3
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0
Session timeout   : 0 seconds
Reauthenticate in : never
ap#
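As an added example that is not part of the report, the following Python script parses the "sh dot11 associations all-client" output shown in 7.2.1 and 7.2.2 and checks each client for the properties the report verifies by eye: EAP association, WPAv2 key management, AES-CCMP, and the VLAN the Radius server should have assigned. The MAC-to-VLAN mapping and the third, non-compliant client are constructed.

```python
# Added example, not from the report: parse "sh dot11 associations all-client"
# output and check each client against the design (EAP, WPAv2, AES-CCMP, VLAN).
# The first two clients are taken from the report's output; the third is constructed.
import re

SAMPLE_OUTPUT = """\
Address           : 001f.5bc7.8576     Name             : NONE
IP Address        : 172.23.4.195       Interface        : Dot11Radio 0
State             : EAP-Assoc          Parent           : self
SSID              : cisco_test         VLAN             : 200
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Address           : 001f.3cdb.d59c     Name             : ap
State             : EAP-Assoc          Parent           : self
SSID              : cisco_test         VLAN             : 100
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Address           : 0011.2233.4455     Name             : NONE
State             : Assoc              Parent           : self
SSID              : cisco_test         VLAN             : 5
Key Mgmt type     : WPA                Encryption       : TKIP
"""
# One "Label : value" pair; a value ends at 2+ spaces before the next label or at end of line.
FIELD = re.compile(
    r"([A-Za-z][A-Za-z ()\-/]*?)\s*:\s*(\S.*?)(?=\s{2,}[A-Za-z][A-Za-z ()\-/]*?\s*:|\s*$)")

def parse_clients(output):
    """Return one dict per associated client; a record starts at its 'Address' line."""
    clients, current = [], None
    for line in output.splitlines():
        for label, value in FIELD.findall(line):
            if label == "Address":
                current = {}
                clients.append(current)
            if current is not None:
                current[label] = value.strip()
    return clients

# MAC -> VLAN the Radius server should assign (constructed from the report's two logins)
EXPECTED_VLAN = {"001f.5bc7.8576": "200", "001f.3cdb.d59c": "100"}
EXPECTED = {"State": "EAP-Assoc", "Key Mgmt type": "WPAv2", "Encryption": "AES-CCMP"}

def check_client(client):
    """Every way a client deviates from the 802.1x + WPA2/AES + dynamic VLAN design."""
    expected = dict(EXPECTED)
    if client.get("Address") in EXPECTED_VLAN:
        expected["VLAN"] = EXPECTED_VLAN[client["Address"]]
    return ["%s is %s, expected %s" % (k, client.get(k), v)
            for k, v in expected.items() if client.get(k) != v]

def audit(output):
    """Map each client MAC to its problem list (empty list = compliant)."""
    return {c["Address"]: check_client(c) for c in parse_clients(output)}
```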
8 References
[1] Aruba Instant User Guide 6.1.3.4-3.1.0.0
[2] Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 12.4(3g)JA & 12.3(8)JEB, http://www.cisco.com/en/US/docs/wireless/access_point/12.4_3g_JA/configuration/guide/ios1243gjaconfigguide.html