Ch 20: Authenticating Wireless Clients Flashcards

1
Q

Open Authentication requires the use of which one of the following?

  1. 802.1x
  2. RADIUS
  3. HTTP/HTTPS
  4. Pre-Shared Key
  5. None of the above
A

5.

Open Authentication requires no other mechanism. The wireless client must simply send an 802.11 authentication request to the AP.

for reference…

802.1X: IEEE 802.1X is an IEEE Standard for port-based Network Access Control. It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802, which is known as “EAP over LAN” or EAPOL.

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol, operating on port 1812, that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.

RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP as transport. Network access servers, the gateways that control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X authentication.

2
Q

Open Authentication can be used in combination with which one of the following?

a. PSK
b. WebAuth
c. EAP
d. 802.1x

A

2.

Open Authentication cannot be used with authentication methods based on PSK, EAP, or 802.1x, because they are mutually exclusive.

It can be used with WebAuth to allow wireless clients to easily connect and view or authenticate through a web page.

3
Q

When PSK authentication is used on a WLAN, without the use of an ISE server, which of the following devices must be configured with the key string? (Choose two.)

  1. One wireless client (each with a unique key string)
  2. All wireless clients
  3. All APs and WLCs
  4. A RADIUS server
A

2 and 3.

The same key must be configured on all client devices that will need to connect to the WLAN. In addition, the key must be configured on all APs and WLCs where the WLAN will exist. These keys are not normally unique to each wireless client unless the identity PSK feature is used in conjunction with ISE. PSK-based authentication does not require a RADIUS server.

for reference…

Cisco Identity Services Engine (ISE) is a network administration product that enables the creation and enforcement of security and access policies for endpoint devices connected to the company’s routers and switches. The purpose is to simplify identity management across diverse devices and applications.

4
Q

Which of the following authentication methods does WPA2 personal mode use?

  1. Open Authentication
  2. Pre-Shared Key
  3. EAP
  4. 802.1x
A

2.

The WPA, WPA2, and WPA3 personal modes all use Pre-Shared Key authentication.

5
Q

Which of the following WPA versions is considered to have the most secure personal mode?

  1. WPA
  2. WPA1
  3. WPA2
  4. WPA3
  5. The personal modes are all equivalent.
A

4.

Each successive WPA version is considered to be more secure than its predecessor. Therefore, WPA3 is the most secure due to its new and more complex features.

6
Q

Pre-Shared Key is used in which of the following wireless security configurations? (Choose all that apply.)

  1. WPA personal mode
  2. WPA enterprise mode
  3. WPA2 personal mode
  4. WPA2 enterprise mode
  5. WPA3 personal mode
  6. WPA3 enterprise mode
A

1, 3, and 5.

The personal modes of all WPA versions use Pre-Shared Key authentication.

7
Q

Which one of the following is used as the authentication method when 802.1x is used on a WLAN?

  1. Open Authentication
  2. WEP
  3. EAP
  4. WPA
A

3.

EAP works in conjunction with 802.1x in WPA enterprise mode.

for reference…

Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. EAP provides the transport and usage of keying material and parameters generated by EAP methods. EAP is not a wire protocol; instead it only defines the information exchanged at the interface and the message formats. Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol’s messages.

Wired Equivalent Privacy (WEP) is a security algorithm for IEEE 802.11 wireless networks. Introduced as part of the original 802.11 standard, its intention was to provide data confidentiality comparable to that of a traditional wired network. WEP, recognizable by its key of 10 or 26 hexadecimal digits (40 or 104 bits), was at one time widely in use and was often the first security choice presented to users by router configuration tools. It was made obsolete by WPA.

Wi-Fi Protected Access (WPA), WPA2, and WPA3 are three security and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks.

8
Q

A Cisco WLC is configured for 802.1x authentication, using an external RADIUS server. The controller takes on which one of the following roles?

  1. Authentication server
  2. Supplicant
  3. Authenticator
  4. Adjudicator
A

3.

A controller becomes an authenticator in the 802.1x process.

9
Q

When WPA2 enterprise mode is used on a WLAN, where is the supplicant role located?

  1. On the wireless client
  2. On the AP
  3. On the WLC
  4. On the RADIUS server
A

A.

  • The supplicant is located on the wireless client.
  • The WLC becomes the authenticator.
  • The RADIUS server is the authentication server (AS).
10
Q

Suppose an enterprise offers a wireless network that guests can use but only after they read and accept an acceptable use policy document. Which one of the following methods can inherently handle this process?

  1. Open Authentication
  2. WPA3 personal
  3. WPA2 enterprise
  4. WebAuth
A

D.

WebAuth authentication can display policies and require interaction from the end user, provided that the user opens a web browser after attempting to connect to the WLAN. WebAuth can integrate with the other authentication methods, but it is the only one that can display the policy and receive the user’s acceptance.

11
Q

What are the steps to create an Open Authentication WLAN?

A

To create a WLAN with Open Authentication, first create a new WLAN and map it to the correct VLAN. Go to the General tab and enter the SSID string, apply the appropriate controller interface, and change the status to Enabled.

Next, select the Security tab to configure the WLAN security and user authentication parameters. Select the Layer 2 tab and then use the Layer 2 Security drop-down menu to select None for Open Authentication, as shown in Figure 20-2. In this example, the WLAN is named guest, and the SSID is Guest.

When you are finished configuring the WLAN, click the Apply button. You can verify the WLAN and its security settings from the WLANs > Edit General tab, as shown in Figure 20-3 or from the list of WLANs, as shown in Figure 20-4. In both figures, the Security Policies field is shown as None. You can also verify that the WLAN status is enabled and active.

12
Q

What is “personal mode” and “enterprise mode”?

A

All three WPA versions support two client authentication modes, Pre-Shared Key (PSK) or 802.1x, depending on the scale of the deployment. These are also known as personal mode and enterprise mode, respectively.

With personal mode, a key string must be shared or configured on every client and AP before the clients can connect to the wireless network. The pre-shared key is normally kept confidential so that unauthorized users have no knowledge of it. The key string is never sent over the air. Instead, clients and APs work through a four-way handshake procedure that uses the pre-shared key string to construct and exchange encryption key material that can be openly exchanged. When that process is successful, the AP can authenticate the client, and the two can secure data frames that are sent over the air.

13
Q

What is SAE?

A

With WPA-Personal and WPA2-Personal modes, a malicious user can eavesdrop and capture the four-way handshake between a client and an AP. He can then use a dictionary attack to automate the guessing of the pre-shared key. If he is successful, he can then decrypt the wireless data or even join the network, posing as a legitimate user.

WPA3-Personal avoids such an attack by strengthening the key exchange between clients and APs through a method known as Simultaneous Authentication of Equals (SAE). Rather than a client authenticating against a server or AP, the client and AP can initiate the authentication process equally and even simultaneously.

Even if a password or key is compromised, WPA3-Personal offers forward secrecy, which prevents attackers from being able to use that key to decrypt data that has already been transmitted over the air.

14
Q

How many steps are required to configure personal mode on WPA2 or WPA3?

A

You can configure WPA2 or WPA3 personal mode and the pre-shared key in one step. Navigate to WLANs and select Create New or select the WLAN ID of an existing WLAN to edit. Make sure that the parameters on the General tab are set appropriately.

Next, select the Security > Layer 2 tab. In the Layer 2 Security drop-down menu, select the appropriate WPA version for the WLAN. In Figure 20-5, WPA+WPA2 has been selected for the WLAN named devices. Under WPA+WPA2 Parameters, the WPA version has been narrowed to only WPA2 by unchecking the box next to WPA and checking both WPA2 Policy and WPA2 Encryption AES.

For WPA2 personal mode, look under the Authentication Key Management section and check only the box next to PSK. You should then enter the pre-shared key string in the box next to PSK Format. In Figure 20-5, an ASCII text string has been entered. Be sure to click the Apply button to apply the WLAN changes you have made.

15
Q

What are the 4 types of authentication you can configure with wireless networks?

A
  1. Open Auth
  2. PSK (personal)
  3. EAP / 802.1X / RADIUS (enterprise)
  4. WebAuth
16
Q

Who are the 3 parties involved in 802.1x authentication?

A

With 802.1x the client uses Open Authentication to associate with the AP, and then the actual client authentication process occurs at a dedicated authentication server.

Figure 20-8 shows the three-party 802.1x arrangement, which consists of the following entities:

  1. Supplicant: The client device that is requesting access
  2. Authenticator: The network device that provides access to the network (usually a WLC)
  3. Authentication server (AS): The device that takes user or client credentials and permits or denies network access based on a user database and policies (usually a RADIUS server)

Note: The controller becomes a middleman in the client authentication process, controlling user access with 802.1x and communicating with the authentication server using the EAP framework.

17
Q

T/F: You can define up to 6 RADIUS servers in a drop-down list that are tried sequentially.

A

True.

By default, a controller uses the global list of RADIUS servers in the order you have defined under Security > AAA > RADIUS > Authentication. You can override that list on the AAA Servers tab, where you can define which RADIUS servers will be used for 802.1x authentication.

You can define up to six RADIUS servers that will be tried in sequential order, designated as Server 1, Server 2, and so on. Choose a predefined server by clicking the drop-down menu next to one of the server entries.

In Figure 20-11, the RADIUS server at 192.168.10.9 will be used as Server 1. Subsequently, another RADIUS server at 192.168.10.10 is configured as Server 2. After you finish selecting servers, you can edit other WLAN parameters or click the Apply button to make your configuration changes operational.

18
Q

T/F: A WLC needs to use a backend RADIUS server to support EAP.

A

False.

There is a local EAP server available to the controller.

Because the Local EAP server is local to the controller, you will have to maintain a local database of users or define one or more LDAP servers on the controller.

You can create a local list of users by navigating to Security > AAA > Local Net Users. In Figure 20-16, a user named testuser has been defined and authorized for access to the staff_eap WLAN.

19
Q

What type of Auth presents a user with an acceptable use agreement?

A

WebAuth does this, typically.

20
Q

Web Authentication can be handled locally on the WLC for smaller environments through Local Web Authentication (LWA). You can configure LWA in all of the following modes except one. Which is incorrect?

  1. LWA with an internal database on the WLC
  2. LWA with a PSK only
  3. LWA with an external database on a RADIUS or LDAP server
  4. LWA with an external redirect after authentication
  5. LWA with an external splash page redirect, using an internal database on the WLC
  6. LWA with passthrough, requiring user acknowledgement
A

2 is incorrect.

This is a Layer 3 security method and is configured as shown in the attached image.