322 CCNA Wireless Official Exam Certification Guide
SSC Groups
In the SSC, connections are logically grouped under a name. You can create your own groups and move connections between groups. You can also add basic wireless connections (PSK-based), but not secured or wired connections.
Note: The user interface of the SSC talks about profiles. For administrators, the Secure Services Client Administration Utility (SSCAU) talks about networks. A network can be a wireless connection, either a home type like the ones created with the SSC or an enterprise type, based on individual authentication instead of a common passphrase. A network can also be a wired connection. The significance of this is that all profiles are networks, but a network can be more than just an SSC profile.
SSCAU Overview
With the SSCAU, you can create new configuration profiles. The profile is saved as an XML file and then can be deployed to devices in the network. You also can modify existing configuration profiles. Furthermore, you can process existing configuration profiles to verify the profile's policy logic, encrypt the credentials, and sign the file.
There are two ways to deploy the generated profiles:
■ To existing clients
■ Via an MSI that will also install the SSC
The Cisco Client Extension Program
The Cisco Client Extension (CCX) program is no-cost licensing of Cisco technology for use in WLAN adapters and devices. This allows for the following:
■ Independent testing to ensure interoperability with the latest innovations in the Cisco infrastructure
■ Marketing of compliant products by Cisco and product suppliers under the "Cisco Compatible" brand
CCX for Wi-Fi RFID Tags gives tag vendors a common set of features. More information on the Cisco Compatible Extension Program can be found at http://www.cisco.com/web/partners/pr46/pr147/partners_pgm_concept_home.html
Chapter 16: Wireless Clients 323
Exam Preparation Tasks
Review All the Key Topics
Review the most important topics from this chapter, denoted with the Key Topic icon. Table 16-4 lists these key topics and the page number where each one can be found.
Table 16-4 Key Topics for Chapter 16
Figure 16-12: Three options when installing the ADU (page 308)
Complete the Tables and Lists from Memory
Print a copy of Appendix B, "Memory Tables" (found on the CD), or at least the section for this chapter, and complete the tables and lists from memory. Appendix C, "Memory Tables Answer Key," also on the CD, includes completed tables and lists to check your work.
Definition of Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
WZC, SSID, AirPort Extreme, NetworkManager, iwconfig, WPA, WPA2, ADU, ACAU, 802.1x, CSSU, CSSC, SSCAU, CCX
Cisco Published 640-721 IUWNE Exam Topics Covered in This Part
Describe WLAN fundamentals
■ Describe 802.11 authentication and encryption methods (Open, Shared, 802.1X, EAP, TKIP, AES)
Implement basic WLAN Security
■ Describe the general framework of wireless security and security components (authentication, encryption, MFP, IPS)
■ Describe and configure authentication methods (Guest, PSK, 802.1X, WPA/WPA2 with EAP-TLS, EAP-FAST, PEAP, LEAP)
■ Describe and configure encryption methods (WPA/WPA2 with TKIP, AES)
■ Describe and configure the different sources of authentication (PSK, EAP local or external, RADIUS)
Operate basic WCS
■ Describe key features of WCS and Navigator (versions and licensing)
■ Install/upgrade WCS and configure basic administration parameters (ports, O/S version, strong passwords, service vs. application)
■ Configure controllers and APs (using the Configuration tab not templates)
■ Configure and use maps in the WCS (add campus, building, floor, maps, position AP)
■ Use the WCS monitor tab and alarm summary to verify the WLAN operations
Conduct basic WLAN Maintenance and Troubleshooting
■ Identify basic WLAN troubleshooting methods and methodologies for controllers, access points, and clients
■ Describe basic RF deployment considerations related to site survey design of data or VoWLAN applications: common RF interference sources such as devices, building material, and AP location; basic RF site survey design related to channel reuse, signal strength, and cell overlap
■ Describe the use of WLC show, debug and logging
■ Describe the use of the WCS client troubleshooting tool
■ Transfer WLC config and O/S using maintenance tools and commands
■ Describe and differentiate WLC WLAN management access methods (console port, CLI, telnet, ssh, http, https, wired versus wireless management)
Part III: WLAN Maintenance and Administration
Chapter 17 Securing the Wireless Network
Chapter 18 Enterprise Wireless Management with the WCS and the Location Appliance
Chapter 19 Maintaining Wireless Networks
Chapter 20 Troubleshooting Wireless Networks
This chapter covers the following subjects:
Threats to Wireless Networks: Discusses threats to wireless networks
Simple Authentications: Looks at basic wireless security
Centralized Authentication: Shows how centralized authentication works using various EAP methods
Authentication and Encryption: Describes WPA and WPA2
CHAPTER 17
Securing the Wireless Network
It's usually obvious that wireless networks can be less secure than wired networks. This calls for a great deal of thought when you deploy a wireless network. What security do you need? What security measures can you perform? What are the security capabilities of your equipment? Should you authenticate users when they access the network? Should you encrypt traffic over the wireless space? As you can see, there are many options to think about. But let's break this into small parts. First, who are your users? The answer will be different for networks that allow guest access versus those that don't. Second, how hidden do you need to make your users' traffic? Again, this answer will differ depending on the users. If you are offering guest access, encryption probably is not a big concern. If all or even a portion of your users are internal, encryption probably is a concern. In this chapter, you will learn about various methods of securing a wireless network. Some methods provide a way to identify the user. Others offer a way to hide user data. Still other methods do both.
You should take the "Do I Know This Already?" quiz first. If you score 80 percent or higher, you might want to skip to the section "Exam Preparation Tasks." If you score below 80 percent, you should review the entire chapter. Refer to Appendix A, "Answers to the 'Do I Know This Already?' Quizzes," to confirm your answers.
"Do I Know This Already?" Quiz
The "Do I Know This Already?" quiz helps you determine your level of knowledge of this chapter's topics before you begin. Table 17-1 details the major topics discussed in this chapter and their corresponding quiz questions.
Table 17-1 "Do I Know This Already?" Section-to-Question Mapping
1. Threats to wireless networks include which of the following? (Choose all that apply.)
a. Rogue APs
b. Client misassociation
c. Unauthorized port access
d. Stateful inspection
2. Which of the following can be used to prevent misassociation attacks? (Choose all that apply.)
a. Client MFP
b. Spoofing
c. Infrastructure MFP
d. Rogue-AP containment
3. Client MFP allows clients to perform what function?
a. Detect invalid clients
b. Detect invalid APs
c. Detect invalid controllers
d. Detect invalid SSIDs
4. To perform Client MFP, what version of CCX is required?
a. v1.x
b. v2.x
c. v5.x
d. v6.x
5. WEP uses which of the following encryption algorithms?
a. AES
b. TKIP
c. MD5
d. RC4
6. What key size should be selected to perform 128-bit WEP with a Windows client?
a. 40-bit
b. 104-bit
c. 128-bit
d. 192-bit
7. How many bits does an IV add to a WEP key?
a. 24 bits
b. 48 bits
c. 188 bits
d. 8 bits
8. In centralized authentication, a certificate is used based on information from a trusted third party What information is not included in a certificate?
a. Username
b. Public key
c. Validity dates
d. Session keys
9. Central authentication uses which IEEE specification?
a. 802.11a
b. 802.1q
c. 802.1d
d. 802.1x
10. Which protocol is used for the authentication server?
a. RADIUS
b. Active Directory
c. LDAP
d. TACACS+
11. Which EAP method uses certificates on both the client and the server?
a. EAP-FAST
b. EAP-MD5
c. EAP-TLS
d. PEAP
12. Which EAP method uses a PAC instead of certificates?
a. EAP-FAST
b. EAP-MD5
c. EAP-TLS
d. PEAP
13. Which protocol requires the use of TKIP, but can optionally use AES?
a. WPA2
b. GTK
c. MS-CHAPv2
d. WPA
14. Which protocol mandates that AES must be supported but not TKIP?
a. WPA2
b. GTK
c. MS-CHAPv2
d. WPA
Foundation Topics
Threats to Wireless Networks
Throughout this book, you have learned about the many threats to wireless networks. If you really wanted to simplify the threats, you could think of it like this: you want legitimate clients to connect to legitimate APs and access corporate resources. Some attacks are formed from the perspective of an AP trying to gain information from clients. Other attacks are from the perspective of getting illegitimate clients onto the network to use corporate resources at no charge, or to actually steal data or cause harm to the network.
These threats include the following:
■ Ad hoc networks
■ Rogue APs
■ Client misassociation
■ Wireless attacks
Ad Hoc Networks
An ad hoc network is a wireless network formed directly between two clients. The security risk involves bypassing corporate security policies. An attacker could form an ad hoc network with a trusted client, steal information, and even use it as a means of attacking the corporate network by bridging to the secure wired LAN.
Rogue APs
A rogue AP is not part of the corporate infrastructure. It could be an AP that has been brought in from home or an AP that is in a neighboring network. A rogue AP is not always bad: it could be an AP that is part of the corporate domain yet still operating in autonomous mode. Part of an administrator's job is determining if the AP is supposed to be there. Fortunately, you don't have to do all the work yourself. A few functions of the AP's software can detect rogue APs and even indicate if they are on your network.
Something to consider when looking for rogue APs is what happens to clients that can connect to those rogue APs. If a client connects to a rogue AP, it should be considered a rogue client. The reason is that rogue APs typically are installed with default configurations, meaning that any client that connects bypasses corporate security policy. So you do not know if the client is a corporate user or an attacker.
Client Misassociation
When a client connects to an AP, operating system utilities normally allow the client to save the SSID. In the future, when that SSID is seen again, the client can create a connection automatically. There is a possibility that clients will be unaware of the connection. If the SSID is being spoofed, the client could connect to a potentially unsafe network. Consider the following scenario. An attacker learns the SSID of your corporate network. Using this information, he sends beacons advertising your SSID. A wireless station in the
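As an added example (not code from the book or from any Cisco product), the following Python shows the triage that the rogue-AP and client-misassociation sections describe: beacons heard by a scanning AP are compared against an inventory of managed BSSIDs, any BSSID not in the inventory is a rogue, and a rogue that advertises one of the corporate SSIDs is flagged as the misassociation case because clients with a saved profile for that SSID may join it automatically. The AP inventory, the SSID names, and the beacon records are constructed sample data for the example.

```python
"""Rogue-AP and spoofed-SSID triage over a constructed beacon log.

Added example, not from the CCNA Wireless guide or from Cisco software.
The administrator knows the BSSIDs of the managed APs, so any beacon from
another BSSID is a rogue; a rogue that advertises a corporate SSID is the
misassociation case. Inventory and beacons below are constructed data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str    # transmitter MAC of the AP that sent the beacon
    ssid: str     # SSID element carried in the beacon
    channel: int
    rssi: int     # signal strength at the detecting AP, in dBm


# Assumed inventory of managed APs (hypothetical values).
MANAGED_BSSIDS = {
    "00:1a:2b:3c:4d:01": "corp-ap-floor1",
    "00:1a:2b:3c:4d:02": "corp-ap-floor2",
}
CORPORATE_SSIDS = {"CorpWLAN", "CorpGuest"}

# Constructed beacons, as a managed AP in scanning mode might report them.
SAMPLE_BEACONS = [
    Beacon("00:1A:2B:3C:4D:01", "CorpWLAN", 1, -45),       # our own AP (MAC in upper case)
    Beacon("00:1a:2b:3c:4d:02", "CorpGuest", 6, -52),      # our own AP
    Beacon("c0:ff:ee:00:00:99", "NeighborCafe", 11, -80),  # neighbor's AP, not a threat to clients
    Beacon("de:ad:be:ef:00:01", "CorpWLAN", 6, -40),       # rogue spoofing our SSID
    Beacon("de:ad:be:ef:00:01", "CorpGuest", 6, -40),      # same rogue, second corporate SSID
    Beacon("de:ad:be:ef:00:02", "linksys", 1, -50),        # home AP brought in, default config
]

# Higher number = more urgent. A honeypot outranks a plain rogue because
# clients with a saved corporate profile will join it without user action.
SEVERITY = {"rogue": 1, "honeypot": 2}


def classify(beacon: Beacon) -> str:
    """Return 'managed', 'honeypot' or 'rogue' for a single beacon."""
    if beacon.bssid.lower() in MANAGED_BSSIDS:
        return "managed"
    if beacon.ssid in CORPORATE_SSIDS:
        return "honeypot"
    return "rogue"


def triage(beacons) -> dict:
    """Reduce a beacon log to one verdict per unmanaged BSSID.

    A BSSID that beacons several SSIDs keeps its worst verdict, so a rogue
    that advertises both 'linksys' and 'CorpWLAN' is reported as a honeypot.
    """
    worst = {}
    for b in beacons:
        verdict = classify(b)
        if verdict == "managed":
            continue
        key = b.bssid.lower()
        if key not in worst or SEVERITY[verdict] > SEVERITY[worst[key]]:
            worst[key] = verdict
    return {
        "honeypot": sorted(k for k, v in worst.items() if v == "honeypot"),
        "rogue": sorted(k for k, v in worst.items() if v == "rogue"),
    }


def report(beacons) -> list:
    """Human-readable lines, honeypots first, for the rogue-AP review queue."""
    verdicts = triage(beacons)
    lines = []
    for kind in ("honeypot", "rogue"):
        for bssid in verdicts[kind]:
            ssids = sorted({b.ssid for b in beacons if b.bssid.lower() == bssid})
            lines.append(f"{kind.upper():8} {bssid} ssids={','.join(ssids)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_BEACONS):
        print(line)
```

The neighbor's AP is still reported as a rogue because the text's point is that the administrator, not the tool, decides whether an unmanaged AP is supposed to be there; what the script adds is the ordering, so that the AP which can silently capture your clients is reviewed before the one that merely shares your air space.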