User's Manual
Table Of Contents
- Welcome to the Product Guide!
- Legal Information
- Obtaining Documentation
- Documentation Feedback
- Cisco Product Security Overview
- Obtaining Technical Assistance
- Obtaining Additional Publications and Information
- FCC Statements for Cisco 1000 Series Lightweight Access Points
- Industry Canada Required User Information for Cisco 1000 Series Lightweight Access Points
- FCC Statements for Cisco 4100 Series Wireless LAN Controllers
- FCC Statements for Cisco 2000 Series Wireless LAN Controllers
- Safety Considerations
- OVERVIEWS
- About the Cisco Structured Wireless-Aware Network
- Single-Cisco Wireless LAN Controller Deployments
- Multiple-Cisco Wireless LAN Controller Deployments
- About the Operating System Software
- About Operating System Security
- About Cisco SWAN Wired Security
- Layer 2 and Layer 3 LWAPP Operation
- About Radio Resource Management (RRM)
- About the Master Cisco Wireless LAN Controller
- About the Primary, Secondary, and Tertiary Cisco Wireless LAN Controllers
- About Client Roaming
- About Client Location
- About External DHCP Servers
- About Controller Mobility Groups
- About Cisco SWAN Wired Connections
- About Cisco SWAN WLANs
- About Access Control Lists
- About Identity Networking
- About File Transfers
- About Power Over Ethernet
- Pico Cell Functionality
- Intrusion Detection Service (IDS)
- About Cisco Wireless LAN Controllers
- About Cisco 2000 Series Wireless LAN Controllers
- Cisco 4100 Series Wireless LAN Controllers
- Cisco Wireless LAN Controller Features
- Cisco 2000 Series Wireless LAN Controller Model Numbers
- Cisco 4100 Series Wireless LAN Controller Model Numbers
- Appliance Mode
- About Distribution System Ports
- About the Management Interface
- About the AP-Manager Interface
- About Operator-Defined Interfaces
- About the Virtual Interface
- About the Service Port
- About the Service-Port Interface
- About the Startup Wizard
- About Cisco Wireless LAN Controller Memory
- Cisco Wireless LAN Controller Failover Protection
- Cisco Wireless LAN Controller Automatic Time Setting
- Cisco Wireless LAN Controller Time Zones
- Network Connection to Cisco Wireless LAN Controllers
- VPN/Enhanced Security Module
- About Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Points
- About Cisco 1030 IEEE 802.11a/b/g Remote Edge Lightweight Access Points
- About Cisco 1000 Series Lightweight Access Point Models
- About Cisco 1000 Series Lightweight Access Point External and Internal Antennas
- About Cisco 1000 Series Lightweight Access Point LEDs
- About Cisco 1000 Series Lightweight Access Point Connectors
- About Cisco 1000 Series Lightweight Access Point Power Requirements
- About Cisco 1000 Series Lightweight Access Point External Power Supply
- About Cisco 1000 Series Lightweight Access Point Mounting Options
- About Cisco 1000 Series Lightweight Access Point Physical Security
- About Cisco 1000 Series Lightweight Access Point Monitor Mode
- About Rogue Access Points
- About the Cisco Wireless Control System
- About the Web User Interface
- About the Command Line Interface
- About the Cisco Structured Wireless-Aware Network
- SOLUTIONS
- Operating System Security
- Converting a Cisco SWAN from Layer 2 to Layer 3 Mode
- Converting a Cisco SWAN from Layer 3 to Layer 2 Mode
- Configuring a Firewall for Cisco WCS
- Configuring the System for SpectraLink NetLink Telephones
- Using Management over Wireless
- Configuring a WLAN for a DHCP Server
- Customizing the Web Auth Login Screen
- Configuring Identity Networking for Operating System 2.2
- TASKS
- Using the Cisco SWAN CLI
- Configuring Cisco Wireless LAN Controllers
- Collecting Cisco Wireless LAN Controller Parameters
- Configuring System Parameters
- Configuring Cisco Wireless LAN Controller Interfaces
- Creating Access Control Lists
- Configuring WLANs
- Configuring Controller Mobility Groups
- Configuring RADIUS
- Configuring SNMP
- Configuring Other Ports and Parameters
- Adding SSL to the Web User Interface
- Transferring Files To and From a Cisco Wireless LAN Controller
- Updating the Operating System Software
- Using the Startup Wizard
- Adding SSL to the Web User Interface
- Adding SSL to the 802.11 Interface
- Saving Configurations
- Clearing Configurations
- Erasing the Cisco Wireless LAN Controller Configuration
- Resetting the Cisco Wireless LAN Controller
- Using the Cisco Wireless Control System
- Starting and Stopping Windows Cisco WCS
- Starting and Stopping Linux Cisco WCS
- Starting and Stopping the Cisco WCS Web Interface
- Using Cisco WCS
- Checking the Cisco SWAN Network Summary
- Adding a Cisco Wireless LAN Controller to Cisco WCS
- Creating an RF Calibration Model
- Adding a Campus Map to the Cisco WCS Database
- Adding a Building to a Campus
- Adding a Standalone Building to the Cisco WCS Database
- Adding an Outdoor Area to a Campus
- Adding Floor Plans to a Campus Building
- Adding Floor Plans to a Standalone Building
- Adding APs to Floor Plan and Outdoor Area Maps
- Monitoring Predicted Coverage (RSSI)
- Monitoring Channels on Floor Map
- Monitoring Transmit Power Levels on a Floor Map
- Monitoring Coverage Holes on a Floor Map
- Monitoring Users on a Floor Map
- Monitoring Clients From a Floor Map
- Troubleshooting with Cisco WCS
- Detecting and Locating Rogue Access Points
- Acknowledging Rogue APs
- Locating Clients
- Finding Coverage Holes
- Pinging a Network Device from a Cisco Wireless LAN Controller
- Viewing Current Cisco Wireless LAN Controller Status and Configurations
- Viewing Cisco WCS Statistics Reports
- Updating OS Software from Cisco WCS
- Managing Cisco WCS and Database
- Installing Cisco WCS
- Updating Windows Cisco WCS
- Updating Linux Cisco WCS
- Reinitializing the Windows Cisco WCS Database
- Reinitializing the Linux Cisco WCS Database
- Administering Cisco WCS Users and Passwords
- Using the Web User Interface
- Troubleshooting Tips
- REFERENCES
4/1/05 Operating System Security
OL-7426-02
Layer 3 SolutionsLayer 3 Solutions
The WEP problem can be further solved using industry-standard Layer 3 security solutions, such as
VPNs (virtual private networks), L2TP (Layer Two Tunneling Protocol), and IPSec (IP security) proto-
cols. The Cisco SWAN L2TP implementation includes IPsec, and the IPSec implementation includes IKE
(internet key exchange), DH (Diffie-Hellman) groups, and three optional levels of encryption: DES
(ANSI X.3.92 data encryption standard), 3DES (ANSI X9.52-1998 data encryption standard), or AES/
CBC (advanced encryption standard/cipher block chaining). Disabling is also used to automatically
block Layer 3 access after an operator-set number of failed authentication attempts.
The Cisco SWAN IPSec implementation also includes industry-standard authentication using: MD5
(message digest algorithm), or SHA-1 (secure hash algorithm-1).
The Cisco SWAN supports local and RADIUS MAC (media access control) filtering. This filtering is best
suited to smaller client groups with a known list of 802.11 access card MAC addresses.
Finally, the Cisco SWAN supports local and RADIUS user/password authentication. This authentication
is best suited to small to medium client groups.
Single Point of Configuration Policy Manager SolutionsSingle Point of Configuration Policy Manager Solutions
When the Cisco SWAN is equipped with Cisco Wireless Control System, you can configure system-wide
security policies on a per-WLAN basis. SOHO access points force you to individually configure security
policies on each AP, or use a third-party appliance to configure security policies across multiple APs.
Because the Cisco SWAN security policies can be applied across the whole system from the Cisco
Wireless Control System, errors can be eliminated and the overall effort is greatly reduced.
Rogue Access Point SolutionsRogue Access Point Solutions
Rogue Access Point ChallengesRogue Access Point Challenges
Rogue Access Points can disrupt WLAN operations by hijacking legitimate clients and using plaintext or
other denial-of-service or man-in-the-middle attacks. That is, a hacker can use a Rogue AP to capture
sensitive information, such as passwords and username. The hacker can then transmit a series of
clear-to-send (CTS) frames, which mimics an access point informing a particular NIC to transmit and
instructing all others to wait, which results in legitimate clients being unable to access the WLAN
resources. WLAN service providers thus have a strong interest in banning Rogue APs from the air
space.
The Operating System Security solution uses the Radio Resource Management (RRM)
function to
continuously monitor all nearby Cisco 1000 Series lightweight access points, and automatically discover
Rogue APs, and locate them as described in Detecting and Locating Rogue Access Points
.
Tagging and Containing Rogue Access PointsTagging and Containing Rogue Access Points
When the Cisco SWAN is monitored using Cisco Wireless Control System, Cisco WCS generates the
flags as Rogue AP traps, and displays the known Rogue APs by MAC address. The operator can then
display a map showing the location of the Cisco 1000 Series lightweight access points closest to each
Rogue AP, allowing Known or Acknowledged rogues (no further action), marking them as Alert rogues
(watch for and notify when active), or marking them as Contained rogues (have between one and four
Cisco 1000 Series lightweight access points Discourage Rogue AP clients by sending the clients
deauthenticate and disassociate messages whenever they associate with the Rogue AP).
When the Cisco SWAN is monitored using a Web User Interface
or a Command Line Interface, the
interface displays the known Rogue APs by MAC address. The operator then has the option of marking
them as Known or Acknowledged rogues (no further action), marking them as Alert rogues (watch for
and notify when active), or marking them as Contained rogues (have between one and four Cisco 1000