Cisco Systems 3.2 Manuale Utente
5-3
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 5 Configuring Security Solutions
Cisco WLAN Solution Security
Layer 3 Solutions
The WEP problem can be further solved using industry-standard Layer 3 security solutions, such as
VPNs (virtual private networks), L2TP (Layer Two Tunneling Protocol), and IPSec (IP security)
protocols. The Cisco WLAN Solution L2TP implementation includes IPSec, and the IPSec
implementation includes IKE (internet key exchange), DH (Diffie-Hellman) groups, and three optional
levels of encryption: DES (ANSI X.3.92 data encryption standard), 3DES (ANSI X9.52-1998 data
encryption standard), or AES/CBC (advanced encryption standard/cipher block chaining). Disabling is
also used to automatically block Layer 3 access after an operator-set number of failed authentication
attempts.
VPNs (virtual private networks), L2TP (Layer Two Tunneling Protocol), and IPSec (IP security)
protocols. The Cisco WLAN Solution L2TP implementation includes IPSec, and the IPSec
implementation includes IKE (internet key exchange), DH (Diffie-Hellman) groups, and three optional
levels of encryption: DES (ANSI X.3.92 data encryption standard), 3DES (ANSI X9.52-1998 data
encryption standard), or AES/CBC (advanced encryption standard/cipher block chaining). Disabling is
also used to automatically block Layer 3 access after an operator-set number of failed authentication
attempts.
The Cisco WLAN Solution IPSec implementation also includes industry-standard authentication using:
MD5 (message digest algorithm), or SHA-1 (secure hash algorithm-1).
MD5 (message digest algorithm), or SHA-1 (secure hash algorithm-1).
The Cisco WLAN Solution supports local and RADIUS MAC (media access control) filtering. This
filtering is best suited to smaller client groups with a known list of 802.11 access card MAC addresses.
filtering is best suited to smaller client groups with a known list of 802.11 access card MAC addresses.
Finally, the Cisco WLAN Solution supports local and RADIUS user/password authentication. This
authentication is best suited to small to medium client groups.
authentication is best suited to small to medium client groups.
Rogue Access Point Solutions
This section describes security solutions for rogue access points.
Rogue Access Point Challenges
Rogue access points can disrupt WLAN operations by hijacking legitimate clients and using plaintext or
other denial-of-service or man-in-the-middle attacks. That is, a hacker can use a rogue access point to
capture sensitive information, such as passwords and username. The hacker can then transmit a series of
clear-to-send (CTS) frames, which mimics an access point informing a particular NIC to transmit and
instructing all others to wait, which results in legitimate clients being unable to access the WLAN
resources. WLAN service providers thus have a strong interest in banning rogue access points from the
air space.
other denial-of-service or man-in-the-middle attacks. That is, a hacker can use a rogue access point to
capture sensitive information, such as passwords and username. The hacker can then transmit a series of
clear-to-send (CTS) frames, which mimics an access point informing a particular NIC to transmit and
instructing all others to wait, which results in legitimate clients being unable to access the WLAN
resources. WLAN service providers thus have a strong interest in banning rogue access points from the
air space.
The Operating System Security solution uses the Radio Resource Management (RRM) function to
continuously monitor all nearby access points, automatically discover rogue access points, and locate
them as described in the
continuously monitor all nearby access points, automatically discover rogue access points, and locate
them as described in the
Tagging and Containing Rogue Access Points
When the Cisco WLAN Solution is monitored using WCS, WCS generates the flags as rogue access
point traps, and displays the known rogue access points by MAC address. The operator can then display
a map showing the location of the Cisco 1000 Series lightweight access points closest to each rogue
access point, allowing Known or Acknowledged rogue access points (no further action), marking them
as Alert rogue access points (watch for and notify when active), or marking them as contained rogue
access points. Between one and four Cisco 1000 Series lightweight access points discourage rogue
access point clients by sending the clients deauthenticate and disassociate messages whenever they
associate with the rogue access point.
point traps, and displays the known rogue access points by MAC address. The operator can then display
a map showing the location of the Cisco 1000 Series lightweight access points closest to each rogue
access point, allowing Known or Acknowledged rogue access points (no further action), marking them
as Alert rogue access points (watch for and notify when active), or marking them as contained rogue
access points. Between one and four Cisco 1000 Series lightweight access points discourage rogue
access point clients by sending the clients deauthenticate and disassociate messages whenever they
associate with the rogue access point.
When the Cisco WLAN Solution is monitored using a GUI or a CLI, the interface displays the known
rogue access points by MAC address. The operator then has the option of marking them as Known or
Acknowledged rogue access points (no further action), marking them as Alert rogue access points (watch
rogue access points by MAC address. The operator then has the option of marking them as Known or
Acknowledged rogue access points (no further action), marking them as Alert rogue access points (watch