CCNP ENCOR v8 Chapters 20 – 21: Wireless Security and Connectivity Test Online

Hint

802.1X port-based authentication defines specific roles for the devices in the network: Client (Supplicant) – The device that requests access to LAN and switch services Switch (Authenticator) – Controls physical access to the network based on the authentication status of the client Authentication server – Performs the actual authentication of the client

Hint

WPA2 Enterprise relies on an external RADIUS server to authenticate clients when they attempt to connect. WEP and WPA/WPA2 Personal both use a pre-shared key that the clients must know in order to authenticate.

Hint

IEEE 802.11i and WPA2 both use the Advanced Encryption Standard (AES) for encryption. AES is currently considered the strongest encryption protocol. WPA2 does not use TKIP (Temporal Key Integrity Protocol). It is WPA that uses TKIP. Although WPA provides stronger encryption than WEP, it is is not as strong as WPA2 (AES).

Hint

The RADIUS protocol uses security features to protect communications between the RADIUS server and clients. A shared secret is the password used between the WLC and the RADIUS server. It is not for end users.

Hint

With WPA-Personal and WPA2-Personal modes, a malicious user can eavesdrop and capture the four-way handshake between a client and an AP. WPA3-Personal avoids such attacks by strengthening the key exchange between clients and APs through a method knows as SAE (Simultaneous Authentication of Equals).

Hint

The RADIUS security system with EAP extensions is the only supported authentication server to be used in 802.1X port-based authentication.

Hint

Protocols such as WPA2 (PSK and Enterprise) and 802.1x are used to provide Layer 2 WLAN security by requiring successful authentication before access to the WLAN is allowed.

Hint

In an WLAN (802.1x) environment with EAP, the actual client authentication is done using a back-end server like Radius even though the client is able to authenticate with the AP.

Hint

WPA2 uses the encryption algorithm AES (Advanced Encryption Standard) which is a stronger algorithm than WPA is, which uses TKIP (Temporal Key Integrity Protocol.) WPA was created to replace WEP (Wired Equivalent Privacy) which was easily compromised. However, the WPA TKIP had to take into account the older devices still using WEP on the network and as a result still had some of the WEP vulnerabilities. This was overcome with the creation of WPA2.

Hint

When a WLAN is configured with WPA2 PSK, wireless users must know the pre-shared key to associate and authenticate with the AP.

Hint

To configure the WLC with the RADIUS server information, click the SECURITY tab > RADIUS > Authentication . Click New… to add the RADIUS server information.

Hint

In a 802.1x WLAN environment, WPA2 with EAP (Extensible Authentication Protocol) allows for a back-end authentication server like Radius. In this environment, even though the supplicant is authenticated by the AP, the actual authentication process is carried out by the back-end Radius server through the WLAN controller.

Hint

A wireless client first authenticates with an AP and then associates for network access. WPA versions use a four-way handshake procedure to exchange a pre-shared key between a client and an AP. WPA3-Personal prevents attackers from being able to use a key to unencrypt data that was already transmitted over the air.

Hint

To secure wireless connections on a WLAN, you can leverage one of the three WPA versions (WPA1, WPA2, or WPA3). All three WPA versions support two client authentication modes: Pre-Shared Key (PSK) or personal mode for smaller scale deployments 802.1x or enterprise mode for larger scale deployments

Hint

To create a WLAN with Open Authentication, first create a new WLAN and map it to the correct VLAN. The General tab should be accessed, the SSID string should be entered, the appropriate controller interface applied, and the status changed to Enabled.

Hint

The WLC GUI is used to monitor and troubleshoot wireless issues. The default screen shows the network summary information that includes connected APs and client information.

Hint

If a technician selects a particular AP within the WLC GUI, four tabs appear across the top: CLIENTS , RF TROUBLESHOOT , CLEAN AIR , and TOOLS . If the performance summary for a particular AP shows a poor air quality value, the RF TROUBLESHOOT tab can be used to see neighbor and rogue APs as well as the specific AP channels that could cause issues. If the AP supports both 2.4 and 5 GHz frequencies, information can be shown for each of them.

Hint

When an AP is an issue, one of the best places to start is the WLC GUI. A particular AP can be selected, and the performance summary shows an overall view of the resources being used, clients, and the status of a particular AP. On the CLEAN AIR tab, the duty cycle shows the percentage of time the offending device is transmitting. A duty cycle value of 100% means the offending device can affect the channel all the time. The technician should track down the offending device or select a different RF channel for the AP.

Hint

In order to be shown in the list of active APs in the wireless LAN controller (WLC) GUI, an AP must be connected to an access layer switch and have connectivity with the WLC.

Hint

RSSI stands for Received Signal Strength Indicator. It is an estimated measure of power level that a RF client device is receiving from an access point or router. The greater the RSSI value, the stronger the signal.

Hint

When a single client is having wireless issues in the corporate environment, check the distance from the client to the AP, client authentication, and that the client has IP addressing information.

Hint

CAPWAP is an IEEE standard protocol that enables a WLC to manage multiple APs and WLANs. CAPWAP is also responsible for the encapsulation and forwarding of WLAN client traffic between an AP and a WLC.

Hint

When users from the same area report an issue, check the AP to see that it is working or is misconfigured.

Hint

The client connection status on the WLC GUI shows a dot for particular steps used by a client when joining a wireless network. The dot can be black if a step is unsuccessful and green if the step is successful. The DHCP step shows whether the WLC has learned the client IP address from a DHCP server.

Hint

After a new WLAN is created and configured on a WLC, it should be enabled before it can be accessed by users.

Hint

The channel utilization indicates how much of the available airtime is being consumed. If the wireless network is not well deployed, other APs and clients may use the same channel 11 somewhere nearby. If those devices are busy transmitting on channel 11 and this AP is within range to receive their signals, the AP will note that the channel is in use.

Hint

On the Access Point View screen, a technician can check the operating status of connected APs. One important indicator is the noise level on a channel. Noise is usually considered to be the energy received from non-802.11 sources. Ideally, the noise level should be as low as possible, usually around −90 or −100 dBm, so that 802.11 signals can be received intelligibly and accurately.

Hint

Successfully operating a lightweight AP and providing a working BSS require the following:

• The AP must have connectivity to the access layer switch.
• The AP must have connectivity to the WLC, unless it is operating in FlexConnect mode.

The facts that no wireless clients can associate with the LAP and that the radio is working suggest that the AP has lost the connection to the WLC.

Hint

The connection score shown in the Client View window is determined by dividing the current data rate of the client by the lower maximum supported date rate. It is a measure of how much of its maximum capability it is using. If the client had a maximum rate of 100 Mbps, then a connection score of 78% would mean the client is currently using 78 Mbps.

Hint

The connection score shown in the Client View window is determined by dividing the current data rate of the client by the lower maximum supported date rate of either the client or the AP. A connection score of 21% results from the client current data rate of 30 Mbps divided by the maximum data rate which would be 144 Mbps (30 / 144 = .21). This indicates that the client is too far away from the associated AP.

Hint

WAP2 Enterprise provides stronger secure user authentication than WPA2 PSK does. Instead of using a pre-shared key for all users to access a WLAN, WPA2 Enterprise requires that users enter their own username and password credentials to be authenticated before they can access the WLAN. The RADIUS server is required for deploying WPA2 Enterprise authentication.