How to Prepare for the CCNP Wireless Security (IAUWS) Exam
Jerome Henry, Technology Leader
July 14th 2011
BRKCRT-3214 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Career Certifications: CCNP Wireless
Expand Your Professional Options and Advance Your Career
• CCIE (Expert)
• CCNP Wireless (Professional): professional-level recognition in wireless
• CCNA Wireless (Associate): wireless LAN certification
Recommended training through Cisco Learning Partners:
• Conducting Cisco Unified Wireless Site Survey
• Implementing Cisco Unified Wireless Mobility Services
• Implementing Advanced Cisco Unified Wireless Security (IAUWS)
• Implementing Cisco Unified Wireless Voice Networks
www.cisco.com/go/certifications

IAUWS Course Goal
"To give network professionals the information to prepare them to use appropriate security policies and best practices to secure the wireless network from security threats and to ensure the proper implementation of security standards and configuration of security components."
Implementing Advanced Cisco Unified Wireless Security

IAUWS Covered Fields
• Organizational and Regulatory Security Policies
• Secure Client Devices
  – Configuring EAP Authentication
  – Configuring Certificate Services
  – Impact of Security on Application and Roaming
• Design and Implement Guest Access Services
• Design and Integrate a Wireless Network with Cisco NAC Appliance
• Internal and Integrated External Security Mitigations
  – Mitigating Wireless Vulnerabilities
  – Managing Rogue Access Points
  – Configuring Management Frame Protection
  – Integrating the WLAN Infrastructure with IPS

Secure Client Devices

802.1X/EAP Overview
(diagram slide)
Authentication
(diagram slide)

Common EAP Methods
• PEAP-MS-CHAPv2 (Protected EAP-MS-CHAPv2): uses a TLS tunnel to protect the MS-CHAPv2 exchange.
• PEAP-GTC (Protected EAP-GTC): uses a TLS tunnel to protect the GTC exchange.
• EAP-FAST (EAP-Flexible Authentication via Secure Tunneling): uses a TLS tunnel similar to PEAP's, but the tunnel is established from a PAC instead of a server certificate, so it does not require a PKI. Caveat: with anonymous in-band PAC provisioning the phase-zero tunnel is not authenticated; where rogue APs are a concern, provision PACs out of band or use authenticated (server-certificate) provisioning.
• EAP-TLS (EAP-Transport Layer Security): uses PKI to authenticate the WLAN network and the client; requires certificates for both client and authentication server.

EAP-TLS Authentication
(diagram slide)

EAP-FAST Protected Access Credential
A PAC consists of three parts, all generated by the server:
• PAC-Key: the shared secret from which the phase-one tunnel keys are derived.
• PAC-Opaque: contains the PAC-Key, the client user identity (I-ID) and the key lifetime, encrypted with the server's Master-Key. The client cannot read or alter it; it returns it unchanged in phase one and the server decrypts it to recover the PAC-Key.
• PAC-Info: contains the authority identity (A-ID), which lets the client select the PAC that belongs to the server it is talking to.

EAP-FAST Phase Zero
EAP-FAST Phase One
EAP-FAST Phase Two
PEAP Phase One
PEAP Phase Two
Group Transient Key
(diagram slides)

Cisco Secure ACS
• RADIUS server and TACACS+ server
• Three platforms: Cisco Secure ACS Solution Engine, Cisco Secure ACS for Windows, Cisco Secure ACS Express
• Cisco Secure ACS Express appliance: 50 AAA clients, 350 unique users in a 24-hour period
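The PAC slide above is easier to reason about with the server side written out. The following Python is an added example, not Cisco's code and not the PAC-Opaque wire format (RFC 4851 leaves that format to the server); it shows the property that matters: the PAC-Opaque is encrypted and integrity-protected under a server master key, so a client can carry it but cannot read the PAC-Key, forge an identity, or extend the lifetime. The master key, the A-ID, the user identity and the HMAC-based keystream are all assumptions constructed for the example; a production server would use a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import os
import struct
import time

# Constructed for this example; a real server keeps its master key secret and rotates it.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(master_key, label):
    """Derive separate encryption and MAC keys from the master key."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode (illustrative stream cipher, not for production use)."""
    blocks = []
    for ctr in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal_pac_opaque(master_key, pac_key, i_id, expires):
    """Encrypt-then-MAC the PAC contents so the client can carry but not read or alter them."""
    body = json.dumps({"pac_key": pac_key.hex(), "i_id": i_id, "expires": expires}).encode()
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(master_key, b"enc"), nonce, len(body))
    ciphertext = bytes(p ^ k for p, k in zip(body, stream))
    tag = hmac.new(_subkey(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_pac_opaque(master_key, blob, now=None):
    """Server side of phase one: verify, decrypt and lifetime-check a presented PAC-Opaque."""
    now = int(time.time()) if now is None else now
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("PAC-Opaque too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("PAC-Opaque failed integrity check")
    stream = _keystream(_subkey(master_key, b"enc"), nonce, len(ciphertext))
    pac = json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))
    if pac["expires"] <= now:
        raise ValueError("PAC expired")
    return {"pac_key": bytes.fromhex(pac["pac_key"]), "i_id": pac["i_id"], "expires": pac["expires"]}


def issue_pac(master_key, i_id, lifetime, a_id, now=None):
    """Phase-zero result: the three PAC components the server hands to the client."""
    now = int(time.time()) if now is None else now
    pac_key = os.urandom(32)
    return {
        "pac_key": pac_key,
        "pac_opaque": seal_pac_opaque(master_key, pac_key, i_id, now + lifetime),
        "pac_info": {"a_id": a_id},
    }


if __name__ == "__main__":
    pac = issue_pac(MASTER_KEY, "alice@example.com", 7 * 24 * 3600, b"acs-01")
    recovered = open_pac_opaque(MASTER_KEY, pac["pac_opaque"])
    print("server recovered the same PAC-Key:", recovered["pac_key"] == pac["pac_key"])
```

The integrity tag is what stops a client from re-using an expired PAC or swapping in another user's identity; note that the server checks the tag before it decrypts anything, and compares it in constant time.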
TLS Parameters
EAP-FAST Parameters (bottom of screen)
(screenshot slides)

Fast Secure Roaming
• PKC (Proactive Key Caching)
  – Supported in WPA2
  – Layer 2 roaming
  – Transparent to the client
  – Works across mobility groups
• Cisco CKM (Cisco Centralized Key Management)
  – Proprietary to Cisco
  – Created prior to WPA and WPA2, for 802.1X with WEP
  – Supported in WPA and WPA2
  – Supported by Cisco Compatible Extensions clients
  – Transparent to the user
  – Works across mobility groups

Fast Roaming with PKC
Cisco CKM: Creating the PMK
(diagram slides)

Working with Certificates

Asymmetric Encryption Algorithms
• The typical key length is 512 to 4096 bits.
• In the deck's terms, key lengths of 1024 bits or more can be trusted, and keys shorter than 1024 bits are considered unreliable for most algorithms. Caveat for current deployments: NIST has disallowed 1024-bit RSA and DSA for signature generation since the end of 2013, so 2048 bits is the practical minimum for new server and client certificates.

Asymmetric Confidentiality Process
1. Alice gets the public key from Bob.
2. Alice encrypts the message using Bob's public key.
3. Bob decrypts the message using his private key.
The process is only as strong as step 1: Alice needs a trustworthy way to know that the key really belongs to Bob, which is what certificates provide.

Authentication Using Certificates
• Authentication no longer requires the presence of the CA server.
• Users exchange their certificates containing public keys.
• The verifier still needs the CA's own certificate (the trusted root) to validate the signature on a presented certificate, and should check its validity period and revocation status (CRL or OCSP).

Using PKI in the WLAN
Using the Certificates
(diagram slides)
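The Fast Secure Roaming slides above say PKC is WPA2-only and transparent to the client but not why. The reason is the PMKID: in a WPA2 (RSN) reassociation request the client names the PMK it already holds by sending PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) in the RSN IE, where AA is the AP's BSSID and SPA is the client's MAC. If the controller finds a cached PMK for that client that produces the same PMKID for the new AP, the 802.1X/EAP exchange is skipped and the 4-way handshake runs immediately. The Python below is an added example (not Cisco controller code): the PMKID derivation is the one in IEEE 802.11; the PMK value, the MAC addresses and the cache class are constructed for illustration.

```python
import hashlib
import hmac


def mac_to_bytes(mac):
    """'00:1a:2b:00:00:10' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def pmkid(pmk, ap_mac, client_mac):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), per IEEE 802.11 RSN key caching."""
    data = b"PMK Name" + mac_to_bytes(ap_mac) + mac_to_bytes(client_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class PkcController:
    """Controller-side PMK cache: one PMK per client, usable by every AP on the controller."""

    def __init__(self):
        self._pmk_by_client = {}

    def full_8021x_auth(self, client_mac, pmk):
        """Called when an EAP exchange completes; the PMK comes from the RADIUS server."""
        self._pmk_by_client[client_mac.lower()] = pmk

    def forget(self, client_mac):
        """Deauthentication or cache timeout: the next association needs a full EAP exchange."""
        self._pmk_by_client.pop(client_mac.lower(), None)

    def try_fast_roam(self, client_mac, new_ap_mac, presented_pmkid):
        """Reassociation with a PMKID in the RSN IE: True means skip EAP and go to the 4-way handshake."""
        pmk = self._pmk_by_client.get(client_mac.lower())
        if pmk is None:
            return False  # nothing cached: fall back to full 802.1X/EAP authentication
        return hmac.compare_digest(pmkid(pmk, new_ap_mac, client_mac), presented_pmkid)


def client_roam_request(pmk, new_ap_mac, client_mac):
    """What the supplicant computes and places in its (re)association request."""
    return pmkid(pmk, new_ap_mac, client_mac)


if __name__ == "__main__":
    # Constructed values: a PMK from an earlier EAP exchange and two APs on the same controller.
    pmk = bytes(range(32))
    client, ap1, ap2 = "aa:bb:cc:00:00:01", "00:1a:2b:00:00:10", "00:1a:2b:00:00:20"
    controller = PkcController()
    controller.full_8021x_auth(client, pmk)  # first association: full EAP
    print("roam to AP2 without EAP:", controller.try_fast_roam(client, ap2, client_roam_request(pmk, ap2, client)))
```

Because the PMKID is keyed with the PMK, a station that merely overhears a roam cannot replay another client's PMKID to a different AP, and a PMKID for AP1 never matches at AP2; the cache lookup also explains the "transparent to the client" claim, since the supplicant does nothing beyond what WPA2 already specifies.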
Integrating Wireless and Wired Sides Security

Identity-Based Networking
1. Client associates to SSID "data."
2. WLAN for SSID "data" is mapped to VLAN 10.
3. Client is authenticated by Cisco Secure ACS.
4. Client belongs to group 2.
5. Group 2 is mapped to VLAN 20.
6. Cisco Secure ACS sends the new VLAN ID (20) to the controller as RADIUS attributes in the Access-Accept.
7. Controller maps the client to VLAN 20. This requires Allow AAA Override on the WLAN; without it the controller ignores the per-user attributes and the client stays in VLAN 10.

Enabling RADIUS (IETF) Attributes
Enabling RADIUS (Cisco Airespace) Attributes
(screenshot slides)

H-REAP in Connected Mode
Standalone H-REAP with RADIUS Backup
Standalone H-REAP with Local Authentication
(diagram slides)

Cisco NAC Guest Server
Sponsor Creates a Guest Access Account
Guest Uses a Guest Access Account
Cisco NAC Components
Wireless Virtual Gateway Out-of-Band
802.1X Authentication
Posture Assessment
Remediation
(diagram slides)
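The identity-based networking steps above turn on what the RADIUS server puts in its Access-Accept and whether the controller is allowed to honour it. The Python below is an added example, not controller or ACS code: it encodes the IETF attributes a RADIUS server uses for a VLAN assignment (Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE 802 (6), Tunnel-Private-Group-ID = "20", plus Session-Timeout) with their RFC 2868 tag bytes, parses them back as a controller would, and applies them only when AAA override is allowed. The WLAN settings and the attribute values are constructed to match the slide's scenario; the Cisco Airespace vendor-specific attributes are not modelled.

```python
ATTR_SESSION_TIMEOUT = 27
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_attr(attr_type, value):
    """RADIUS attribute TLV: type (1 byte), length including header (1 byte), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(value, tag=0):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def parse_attrs(data):
    """Walk the attribute list, refusing anything malformed instead of guessing."""
    attrs = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def untag(value):
    """Strip an RFC 2868 tag byte (0x00..0x1F); a larger first byte is already data."""
    return value[1:] if value and value[0] <= 0x1F else value


def apply_access_accept(wlan, attrs):
    """Decide the VLAN and session timeout a client gets, the way the controller does."""
    result = {"vlan": wlan["vlan"], "session_timeout": wlan["session_timeout"]}
    if not wlan["aaa_override"]:
        return result  # per-user attributes are ignored unless Allow AAA Override is set
    found = {}
    for attr_type, value in parse_attrs(attrs):
        found.setdefault(attr_type, value)  # first instance wins, as for untagged attributes
    tunnel_type = found.get(ATTR_TUNNEL_TYPE)
    medium = found.get(ATTR_TUNNEL_MEDIUM_TYPE)
    group = found.get(ATTR_TUNNEL_PRIVATE_GROUP_ID)
    if (tunnel_type is not None and int.from_bytes(untag(tunnel_type), "big") == TUNNEL_TYPE_VLAN
            and medium is not None and int.from_bytes(untag(medium), "big") == TUNNEL_MEDIUM_IEEE_802
            and group is not None):
        result["vlan"] = int(untag(group).decode("ascii"))  # numeric VLAN IDs only in this example
    timeout = found.get(ATTR_SESSION_TIMEOUT)
    if timeout is not None and len(timeout) == 4:
        result["session_timeout"] = int.from_bytes(timeout, "big")
    return result


# Constructed Access-Accept attribute list for a group-2 user: VLAN 20, 30-minute session.
ACS_ACCESS_ACCEPT_ATTRS = (
    encode_attr(ATTR_TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
    + encode_attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
    + encode_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"20")
    + encode_attr(ATTR_SESSION_TIMEOUT, (1800).to_bytes(4, "big"))
)

# Constructed WLAN "data": statically mapped to VLAN 10, as on the slide.
DATA_WLAN = {"vlan": 10, "session_timeout": 0, "aaa_override": True}

if __name__ == "__main__":
    print(apply_access_accept(DATA_WLAN, ACS_ACCESS_ACCEPT_ATTRS))
```

Two checks worth keeping in mind when this is deployed for real: the parser rejects a bad length rather than reading past the attribute, and the VLAN is only honoured when all three tunnel attributes agree, so a stray Tunnel-Private-Group-ID from an unrelated policy cannot move a client on its own.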
Authenticated and Authorized
(diagram slide)

Wireless Security Beyond Wireless Users

TACACS+
• Authentication, authorization and accounting for controller management access (GUI and CLI)
• Encrypted traffic: TACACS+ protects the whole packet body, unlike RADIUS, which only obscures the password
• TCP port 49
• As many as three TACACS+ servers for redundancy
• Authorization is expressed as controller role groups: ALL, MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, COMMAND, LOBBY (lobby ambassador)
• Accounting makes configuration changes on the controller attributable to a named administrator

Group Settings for Administrative Users
Configuring the Management Group: TACACS+ Section
(screenshot slides)

Rogue Detection
Management Frame Protection
Infrastructure Mode
Client and Infrastructure Mode
(diagram slides)

Controller-Based IDS
The access point examines frames:
• Local mode access point: 802.11 management frames only
• Monitor mode access point: 802.11 management and data frames
It compares them to the configured signatures, detects a possible attack and sends an alert to the controller. Because a local mode AP never inspects data frames, a signature that matches data frames (EAPOL flood, for example) is only raised by monitor mode APs.

Locating a Rogue Access Point
(map slide: most likely location)

Component Functions in a wIPS Deployment
• Cisco WCS
• Cisco MSE (running the wireless IPS service)
• Cisco controller
• Local mode access point
• wIPS monitor mode access point
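The Controller-Based IDS slide above is worth running as code, because the local-versus-monitor distinction decides which signatures can fire at all. The Python below is an added example, not the controller's signature engine: it filters constructed frame summaries by the frame types each AP mode examines, then applies four standard-signature names that appear later in this deck (broadcast deauthentication, null probe response, EAPOL flood, management frame flood). The frames, MAC addresses and per-source flood thresholds are constructed for the example and are not the controller's defaults.

```python
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_EAPOL = 0x888E

# Which 802.11 frame types each AP mode hands to the signature engine (from the slide above).
FRAME_TYPES_EXAMINED = {"local": {"mgmt"}, "monitor": {"mgmt", "data"}}

# Per-source thresholds, constructed for this example.
THRESHOLDS = {"eapol_flood": 50, "mgmt_flood": 100}


def _mgmt(subtype, sa, da, **extra):
    return {"type": "mgmt", "subtype": subtype, "sa": sa, "da": da, **extra}


def _data(sa, da, ethertype):
    return {"type": "data", "sa": sa, "da": da, "ethertype": ethertype}


# Constructed frame summaries standing in for what an AP would see on the air.
SAMPLE_FRAMES = (
    [_mgmt("deauth", "00:11:22:33:44:55", BROADCAST)]
    + [_mgmt("probe_resp", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", ssid="")]
    + [_data("66:77:88:99:aa:bb", "00:1a:2b:00:00:10", ETHERTYPE_EAPOL) for _ in range(60)]
    + [_mgmt("assoc_req", "01:02:03:04:05:06", "00:1a:2b:00:00:10") for _ in range(200)]
)


def detect(frames, ap_mode, thresholds=THRESHOLDS):
    """Return the set of signature names an AP in the given mode would report to the controller."""
    if ap_mode not in FRAME_TYPES_EXAMINED:
        raise ValueError("unknown AP mode: %r" % ap_mode)
    visible = [f for f in frames if f["type"] in FRAME_TYPES_EXAMINED[ap_mode]]
    alerts = set()
    eapol_by_src = Counter()
    mgmt_by_src = Counter()
    for frame in visible:
        if frame["type"] == "mgmt":
            mgmt_by_src[frame["sa"]] += 1
            if frame["subtype"] == "deauth" and frame["da"] == BROADCAST:
                alerts.add("broadcast deauthentication")
            elif frame["subtype"] == "probe_resp" and frame.get("ssid") == "":
                alerts.add("null probe response")
        elif frame.get("ethertype") == ETHERTYPE_EAPOL:
            eapol_by_src[frame["sa"]] += 1  # EAPOL rides in 802.11 data frames
    if any(n >= thresholds["eapol_flood"] for n in eapol_by_src.values()):
        alerts.add("EAPOL flood")
    if any(n >= thresholds["mgmt_flood"] for n in mgmt_by_src.values()):
        alerts.add("management frame flood")
    return alerts


if __name__ == "__main__":
    for mode in ("local", "monitor"):
        print(mode, sorted(detect(SAMPLE_FRAMES, mode)))
```

Run against the same frames, the local mode AP reports three alerts and the monitor mode AP four: the EAPOL flood is invisible to the local mode AP because it never looks at data frames, which is the point of deploying dedicated monitor mode APs for wIPS.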
wIPS Alarm Flow
Integrated Deployment
Overlay Deployment
Detecting Rogue APs with wIPS
(diagram slides)

Rogue Detector Access Point
• The rogue detector access point listens on its wired interface (a trunk port) for the MAC addresses of rogue access points or rogue clients that were detected over the air.
• If such a MAC is seen on the wire, it notifies the controller: the rogue is connected to the wired network, not merely a neighbour.

Exam Taking Tips! IAUWS

Exam Taking Tips
• Eliminate options; look for subtleties
• Look for the best answer
• Budget time, in total and per question
• Sw/Hw context: v5.2, not later
• Make an intelligent guess
• Provide feedback during the exam

Exam Format
Tests practical implementation skills.
• Question formats: declarative; procedural; complex procedural (simulation); drag and drop
• Avoided question formats: memorization of command syntax or interface/menus; trick questions

Exam Format: Declarative
A declarative exam item tests simple recall of pertinent facts:
Which of the following is an 802.11b speed?
A. 6 Mbps
B. 11 Mbps
C. 18 Mbps
D. 48 Mbps
(Answer: B. 802.11b rates are 1, 2, 5.5 and 11 Mbps; the others are 802.11a/g OFDM rates.)
Exam Format: Procedural
A procedural exam item tests the ability to apply knowledge to solve a given issue:
Which two access list statements are necessary on s0 of the Guilford router to allow FTP access to the Greene Division server from the Internet while blocking all other traffic? (Select two)
(Topology from the diagram: the Internet attaches to interface s0 of the Guilford router; Pickens Division 10.10.126.0/24; Greene Division 10.11.127.252/24; Gates Server 10.11.128.252/24. The answer options are not shown on the slide.)

Exam Format: Simulation
A complex procedural exam item tests the ability to apply multiple knowledge points to solve a given issue.

Exam Format: Drag and Drop
A drag-and-drop item tests the ability to relate concepts:
Click and drag the correct layer to the network model to which it applies.
Layers: Internetwork, Session, Link, Presentation
Models: OSI Model, TCP/IP Model
(Session and Presentation are OSI layers; Internetwork and Link are TCP/IP model layers.)

IAUWS Exam Practice
Each item is followed by its solution.

Practice Item #1
Which EAP frame does Cisco WLC generate to begin the EAP process?
A. EAP Identity Request
B. EAP Start Request
C. EAP Start Response
D. EAP Identity Response
Solution: A. After association the authenticator (the controller) sends an EAP-Request/Identity. EAPOL-Start is something the supplicant may send, and the Identity Response comes from the client.

Practice Item #2
Which two methods can be chosen for the inner method for EAP-FAST when configuring a standard Intel PROSet wireless supplicant?
A. GTC
B. TLS
C. MD5
D. MSCHAPv2
Solution: A and D. The EAP-FAST inner (phase two) methods offered by the Intel supplicant are EAP-GTC and EAP-MSCHAPv2.

Practice Item #3
Which inner method is used in EAP-FASTv1 during phase two?
A. GTC
B. TLS
C. MD5
D. MSCHAPv2
Solution: A. EAP-FAST version 1 uses EAP-GTC as the phase-two inner method; MSCHAPv2 support came with v1a.

Practice Item #4
What tunnel protocol is used to transport the wireless guest client user data between foreign and anchor controllers?
A. CAPWAP
B. EoIP
C. GRE
D. LWAPP
Solution: B. Guest client traffic is tunneled from the foreign controller to the anchor controller over EoIP; CAPWAP and LWAPP are AP-to-controller protocols.

Practice Item #5
What must you configure on the WLAN on the controller to allow the controller to receive the session timeout RADIUS attribute?
A. Enable Session Timeout
B. DHCP Required
C. Allow WLAN Override
D. Allow AAA Override
Solution: D. Allow AAA Override lets the controller apply per-user RADIUS attributes returned in the Access-Accept (session timeout, VLAN or interface, QoS) in place of the WLAN's static settings.

Practice Item #6
Which version of the Cisco Compatible Extensions introduced PEAP-GTC?
A. v1
B. v2
C. v3
D. v4
Solution: B. CCX v2 introduced PEAP-GTC (v1 brought LEAP; v3 added EAP-FAST).

Practice Item #7
What communication method is used between the Cisco NAM and the controller?
A. CAPWAP
B. PEAP
C. SSH
D. SNMP
Solution: D. The NAC Manager (NAM) controls the controller over SNMP, which is how it moves a client between the quarantine and access VLANs.

Practice Item #8
With wireless NAC OOB deployments, which equipment performs the VLAN mapping function mapping the quarantine VLAN to the access VLAN?
A. Access Switch
B. Cisco NAS
C. Cisco NAM
D. WLAN Controller
Solution: B. In the wireless out-of-band design the NAC Server (NAS) runs in Virtual Gateway mode with VLAN mapping, bridging the quarantine VLAN to the access VLAN; the controller only switches the client between the two on instruction from the NAM.

Practice Item #9
In PEAP phase one, which combination of certificates is used?
A. client user certificate and Cisco Secure ACS no certificate
B. client user certificate and Cisco Secure ACS server certificate
C. client no certificate and Cisco Secure ACS no certificate
D. client no certificate and Cisco Secure ACS server certificate
Solution: D. PEAP phase one builds the TLS tunnel from the server certificate alone; the client is authenticated inside the tunnel in phase two, so no client certificate is needed.

Practice Item #10
Which standard signature on the controller is not discovered by an access point in local mode?
A. broadcast deauthentication
B. EAPOL
C. Management frame flood
D. null probe response
Solution: B. EAPOL frames are 802.11 data frames, and a local mode AP only examines management frames, so the EAPOL flood signature is only detected by monitor mode APs. The other three signatures match management frames.

Complete Your Online Session Evaluation
• Receive 25 Cisco Preferred Access points for each session evaluation you complete.
• Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.
• Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
• Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any Internet station or visit www.ciscolivevirtual.com.

Visit the Cisco Store for Related Titles
http://theciscostores.com

Thank you.