How to Prepare for the CCNP Wireless Security (IAUWS) Exam Jerome Henry

How to Prepare for the CCNP Wireless Security (IAUWS) Exam
Jerome Henry
Technology Leader
July 14th 2011
BRKCRT-3214
Cisco Career Certifications: CCNP Wireless
Expand Your Professional Options and Advance Your Career
Professional level recognition in wireless.
[Certification pyramid: Expert (CCIE), Professional (CCNP), Associate (CCNA); Wireless LAN Certification track: CCNA Wireless, CCNP Wireless]
Recommended Training Through Cisco Learning Partners:
Conducting Cisco Unified Wireless Site Survey
Implementing Cisco Unified Wireless Mobility Services
Implementing Advanced Cisco Unified Wireless Security
Implementing Cisco Unified Wireless Voice Networks
www.cisco.com/go/certifications
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
IAUWS Course Goal
“To give network professionals the information to
prepare them to use appropriate security policies and
best practices to secure the wireless network from
security threats and to ensure the proper
implementation of security standards and
configuration of security components.”
Implementing Advanced Cisco Unified Wireless Security
IAUWS Covered Fields
• Organizational and Regulatory Security Policies
• Secure Client Devices
Configuring EAP Authentication
Configuring Certificate Services
Impact of Security on Application and Roaming
• Design and Implement Guest Access Services
• Design and Integrate a Wireless Network with Cisco NAC Appliance
• Internal and Integrated External Security Mitigations
Mitigating Wireless Vulnerabilities
Managing Rogue Access Points
Configuring Management Frame Protection
Integrating the WLAN Infrastructure with IPS
Secure Client Devices
802.1X/EAP Overview
Authentication
Common EAP Methods
PEAP-MS-CHAPv2
Protected EAP-MS-CHAPv2
Uses a TLS tunnel to protect MS-CHAPv2 exchange
PEAP-GTC
Protected EAP-GTC
Uses a TLS tunnel to protect GTC exchange
EAP-FAST
EAP-Flexible Authentication via Secured Tunnels
Uses a tunnel similar to PEAP
Does not require a PKI
EAP-TLS
EAP-Transport Layer Security
Uses PKI to authenticate WLAN network and client
Requires certificates for both client and authentication server
EAP-TLS Authentication
EAP-FAST Protected Access Credential
A PAC consists of
PAC-Key
PAC-Opaque
PAC-Info
The server generates
PAC-Key
PAC-Opaque
PAC-Info
The PAC-Opaque contains
PAC-Key
Client user identity (I-ID)
Key lifetime
PAC-Opaque is encrypted with Master-Key
PAC-Info contains the authority identity (A-ID)
EAP-FAST Phase Zero
EAP-FAST Phase One
EAP-FAST Phase Two
PEAP Phase One
PEAP Phase Two
Group Transient Key
Cisco Secure ACS
RADIUS server
TACACS+ server
Three platforms:
Cisco Secure ACS Solution Engine
Cisco Secure ACS for Windows
Cisco Secure ACS Express (appliance; 50 AAA clients; 350 unique users in a 24-hour period)
TLS Parameters
EAP-FAST Parameters
Bottom of Screen
Fast Secure Roaming
PKC
Supported in WPA2
Layer 2 roaming
Transparent to client
Works across mobility groups
Cisco CKM
Proprietary to Cisco
Created prior to WPA and WPA2 for 802.1X with WEP
Supported in WPA and WPA2
Supported by Cisco Compatible Extensions clients
Transparent to the user
Works across mobility groups
Fast Roaming with PKC
Cisco CKM—Creating the PMK
Working with Certificates
Asymmetric Encryption Algorithms
The typical key length is 512 to 4096 bits.
Key lengths greater than or equal to 1024 bits can be trusted.
Key lengths that are shorter than 1024 bits are considered unreliable for most algorithms.
Asymmetric Confidentiality Process
Alice gets the public key from Bob.
Alice encrypts the message using Bob’s public key.
Bob decrypts the message using his private key.
Authentication Using Certificates
Authentication no longer requires the presence of the CA server.
Users exchange their certificates containing public keys.
Using PKI in the WLAN
Using the Certificates
Integrating Wireless and Wired Sides Security
Identity-Based Networking
Client associates to SSID “data.”
WLAN for SSID “data” mapped to VLAN 10.
Client authenticated by Cisco Secure ACS.
Client belongs to group 2.
Group 2 mapped to VLAN 20.
Cisco Secure ACS sends new VLAN ID (20) to controller.
Controller maps client to VLAN 20.
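Added example, not code from the session or from Cisco: the controller-side decision in the flow above, parsing the IETF Tunnel-* attributes that Cisco Secure ACS returns for a group and applying the WLAN's AAA Override setting. Attribute numbers and tag handling follow RFC 2868; the sample Access-Accept is constructed, and the function names are my own.

```python
import struct

# Attribute numbers and enumerations from RFC 2868 (IETF RADIUS tunnel attributes)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

def parse_avps(payload: bytes):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting malformed lengths."""
    avps, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", payload[pos:pos + 2])
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        avps.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return avps

def strip_tag(value: bytes) -> bytes:
    """RFC 2868: a leading octet in 0x00..0x1F is a tunnel tag, not part of the value."""
    return value[1:] if value and value[0] <= 0x1F else value

def vlan_from_avps(avps):
    """Return the VLAN ID if the Tunnel-* triple is complete and consistent, else None."""
    ttype = tmedium = vlan = None
    for atype, value in avps:
        if atype == TUNNEL_TYPE:
            ttype = int.from_bytes(strip_tag(value), "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            tmedium = int.from_bytes(strip_tag(value), "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            text = strip_tag(value).decode("ascii", "replace")
            vlan = int(text) if text.isdigit() else None  # VLAN names are not resolved here
    if ttype == TUNNEL_TYPE_VLAN and tmedium == TUNNEL_MEDIUM_802 and vlan and 1 <= vlan <= 4094:
        return vlan
    return None

def assign_vlan(wlan_vlan: int, avps, aaa_override: bool) -> int:
    """Controller decision: the RADIUS VLAN is honoured only when AAA Override is enabled on the WLAN."""
    if not aaa_override:
        return wlan_vlan
    override = vlan_from_avps(avps)
    return wlan_vlan if override is None else override

def tunnel_avp(atype: int, tag: int, value: bytes) -> bytes:
    """Encode one tagged Tunnel-* attribute: type, length, tag, value."""
    body = bytes([tag]) + value
    return struct.pack("!BB", atype, 2 + len(body)) + body

# Constructed sample: what ACS would return for a user in "group 2" mapped to VLAN 20
SAMPLE_ACCEPT = (
    tunnel_avp(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    + tunnel_avp(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_802.to_bytes(3, "big"))
    + tunnel_avp(TUNNEL_PRIVATE_GROUP_ID, 1, b"20")
)

if __name__ == "__main__":
    avps = parse_avps(SAMPLE_ACCEPT)  # WLAN "data" sits on VLAN 10; override on, then off
    print(assign_vlan(10, avps, True), assign_vlan(10, avps, False))  # 20 10
```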
Enabling RADIUS (IETF) Attributes
Enabling RADIUS (Cisco Airespace) Attributes
H-REAP in Connected Mode
Standalone H-REAP with RADIUS Backup
Standalone H-REAP with Local Authentication
Cisco NAC Guest Server
Sponsor Creates a Guest Access Account
Guest Uses a Guest Access Account
Cisco NAC Components
Wireless Virtual Gateway Out-of-Band
802.1X Authentication
Posture Assessment
Remediation
Authenticated and Authorized
Wireless Security Beyond Wireless Users
TACACS+
Authentication, authorization, and accounting
Encrypted traffic
TCP port 49
As many as three TACACS+ servers for redundancy
Configure controller via GUI or CLI
[Figure residue: controller management roles ALL, MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, COMMAND, LOBBY]
Group Settings for Administrative Users
Configuring the Management Group (TACACS+ Section)
Rogue Detection
Management Frame Protection
Infrastructure Mode
Client and Infrastructure Mode
Controller-Based IDS
Access point examines frames:
Local mode access point: 802.11 management frames
Monitor mode access point: 802.11 management and data frames
Compares to signature
Detects possible attack
Sends alert to controller
Locating a Rogue Access Point
Most Likely Location
Component Functions in a wIPS Deployment
Cisco WCS
Cisco MSE (running wireless IPS service)
Cisco controller
Local mode access point
wIPS monitor mode access point
wIPS Alarm Flow
Integrated Deployment
Overlay Deployment
Detecting Rogue APs with wIPS
Rogue Detector Access Point
Rogue detector access point listens on the wired interface for MAC addresses from a rogue access point or rogue client.
Notifies controller if the MAC is detected.
Exam Taking Tips!
IAUWS
Exam Taking Tips
Eliminate options—look for subtleties
Look for the best answer
Budget time—total and individual
Sw/Hw context—v5.2, not later
Make an intelligent guess
Provide feedback during exam
Exam Format
Test Practical Implementation Skills
• Question formats
Declarative
Procedural
Complex procedural (simulation)
Drag and drop
• Avoided question formats:
Memorization of command syntax or interface/menus
Trick questions
Exam Format—Declarative
A Declarative Exam Item Tests Simple Recall of Pertinent Facts:
Which of the following is an 802.11b speed?
A. 6 Mbps
B. 11 Mbps
C. 18 Mbps
D. 48 Mbps
Exam Format—Procedural
A Procedural Exam Item Tests the Ability to Apply Knowledge to Solve a Given Issue:
[Network diagram: Internet connects to interface s0 of the Guilford router; Pickens Division 10.10.126.0/24; Greene Division 10.11.127.252/24; Gates Server 10.11.128.252/24]
Which two access list statements are necessary on s0 of the Guilford router to allow FTP access to the Greene Division server from the Internet while blocking all other traffic? (Select two)
Exam Format—Simulation
A Complex Procedural Exam Item Tests the Ability to Apply Multiple Knowledge Points to Solve a Given Issue:
Exam Format—Drag and Drop
A Drag and Drop Item Tests the Ability to Relate Concepts:
Click and drag the correct Layer to the Network Model to which it applies.
[Drag-and-drop figure: layers Internetwork, Session, Link, Presentation; targets OSI Model, TCP/IP Model]
IAUWS Exam Practice
Practice Item #1
Which EAP frame does Cisco WLC generate to begin the EAP process?
A. EAP Identity Request
B. EAP Start Request
C. EAP Start Response
D. EAP Identity Response
Practice Item #1 — Solution
Which EAP frame does Cisco WLC generate to begin the EAP process?
A. EAP Identity Request
B. EAP Start Request
C. EAP Start Response
D. EAP Identity Response
Practice Item #2
Which two methods can be chosen for the inner method for EAP-FAST when configuring a standard Intel PROSet wireless supplicant?
A. GTC
B. TLS
C. MD5
D. MSCHAPv2
Practice Item #2 — Solution
Which two methods can be chosen for the inner method for EAP-FAST when configuring a standard Intel PROSet wireless supplicant?
A. GTC
B. TLS
C. MD5
D. MSCHAPv2
Practice Item #3
Which inner method is used in EAP-FASTv1 during phase two?
A. GTC
B. TLS
C. MD5
D. MSCHAPv2
Practice Item #3 — Solution
Which inner method is used in EAP-FASTv1 during phase two?
A. GTC
B. TLS
C. MD5
D. MSCHAPv2
Practice Item #4
What tunnel protocol is used to transport the wireless guest client user data between foreign and anchor controllers?
A. CAPWAP
B. EoIP
C. GRE
D. LWAPP
Practice Item #4 — Solution
What tunnel protocol is used to transport the wireless guest client user data between foreign and anchor controllers?
A. CAPWAP
B. EoIP
C. GRE
D. LWAPP
Practice Item #5
What must you configure on the WLAN on the controller to allow the controller to receive the session timeout RADIUS attribute?
A. Enable Session Timeout
B. DHCP Required
C. Allow WLAN Override
D. Allow AAA Override
Practice Item #5 — Solution
What must you configure on the WLAN on the controller to allow the controller to receive the session timeout RADIUS attribute?
A. Enable Session Timeout
B. DHCP Required
C. Allow WLAN Override
D. Allow AAA Override
Practice Item #6
Which version of the Cisco Compatible Extensions introduced PEAP-GTC?
A. v1
B. v2
C. v3
D. v4
Practice Item #6 — Solution
Which version of the Cisco Compatible Extensions introduced PEAP-GTC?
A. v1
B. v2
C. v3
D. v4
Practice Item #7
What communication method is used between the Cisco NAM and the controller?
A. CAPWAP
B. PEAP
C. SSH
D. SNMP
Practice Item #7 — Solution
What communication method is used between the Cisco NAM and the controller?
A. CAPWAP
B. PEAP
C. SSH
D. SNMP
Practice Item #8
With wireless NAC OOB deployments, which equipment performs the VLAN mapping function mapping the quarantine VLAN to the access VLAN?
A. Access Switch
B. Cisco NAS
C. Cisco NAM
D. WLAN Controller
Practice Item #8 — Solution
With wireless NAC OOB deployments, which equipment performs the VLAN mapping function mapping the quarantine VLAN to the access VLAN?
A. Access Switch
B. Cisco NAS
C. Cisco NAM
D. WLAN Controller
Practice Item #9
In PEAP phase one, which combination of certificates is used?
A. client user certificate and Cisco Secure ACS no certificate
B. client user certificate and Cisco Secure ACS server certificate
C. client no certificate and Cisco Secure ACS no certificate
D. client no certificate and Cisco Secure ACS server certificate
Practice Item #9 — Solution
In PEAP phase one, which combination of certificates is used?
A. client user certificate and Cisco Secure ACS no certificate
B. client user certificate and Cisco Secure ACS server certificate
C. client no certificate and Cisco Secure ACS no certificate
D. client no certificate and Cisco Secure ACS server certificate
Practice Item #10
Which standard signature on the controller is not discovered by an access point in local mode?
A. broadcast deauthentication
B. EAPOL
C. Management frame flood
D. null probe response
Practice Item #10 — Solution
Which standard signature on the controller is not discovered by an access point in local mode?
A. broadcast deauthentication
B. EAPOL
C. Management frame flood
D. null probe response
Complete Your Online Session Evaluation
• Receive 25 Cisco Preferred Access points for each session evaluation
you complete.
• Give us your feedback and you could win fabulous prizes. Points are
calculated on a daily basis. Winners will be notified by email after
July 22nd.
• Complete your session evaluation online now (open a browser
through our wireless network to access our portal) or visit one of the
Internet stations throughout the Convention Center.
• Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
Visit the Cisco Store for Related Titles
http://theciscostores.com
Thank you.