基于用户名密码的认证.docx

基于用户名密码的认证.docx

《基于用户名密码的认证.docx》由会员分享，可在线阅读，更多相关《基于用户名密码的认证.docx（42页珍藏版）》请在冰豆网上搜索。

基于用户名密码的认证

基于用户名密码的认证

Introduction

ThisdocumentprovidesconfigurationexamplesthatexplainhowtoconfiguredifferenttypesofLayer1,Layer2,andLayer3authenticationmethodsonWirelessLANControllers（WLCs）.

Prerequisites

Requirements

Ensurethatyoumeettheserequirementsbeforeyouattemptthisconfiguration:

∙KnowledgeoftheconfigurationofLightweightAccessPoints（LAPs）andCiscoWLCs

∙Knowledgeof802.11isecuritystandards

ComponentsUsed

Theinformationinthisdocumentisbasedonthesesoftwareandhardwareversions:

∙Cisco2006WLCthatrunsfirmwarerelease4.0

∙Cisco1000SeriesLAPs

∙Cisco802.11a/b/gWirelessClientAdapterthatrunsfirmwarerelease2.6

∙CiscoSecureACSserverversion3.2

Theinformationinthisdocumentwascreatedfromthedevicesinaspecificlabenvironment.Allofthedevicesusedinthisdocumentstartedwithacleared（default）configuration.Ifyournetworkislive,makesurethatyouunderstandthepotentialimpactofanycommand.

Conventions

RefertoCiscoTechnicalTipsConventionsformoreinformationondocumentconventions.

AuthenticationonWLCs

TheCiscoUnifiedWirelessNetwork（UWN）securitysolutionbundlespotentiallycomplicatedLayer1,Layer2,andLayer3802.11AccessPoint（AP）securitycomponentsintoasimplepolicymanagerthatcustomizessystem-widesecuritypoliciesonaper-wirelessLAN（WLAN）basis.TheCiscoUWNsecuritysolutionprovidessimple,unified,andsystematicsecuritymanagementtools.

ThesesecuritymechanismscanbeimplementedonWLCs.

Layer1Solutions

Restrictclientaccessbasedonthenumberofconsecutivefailedattempts.

Layer2Solutions

NoneAuthentication—WhenthisoptionisselectedfromtheLayer2Securitymenu,NoLayer2authenticationisperformedontheWLAN.Thisisthesameastheopenauthenticationofthe802.11standard.

StaticWEP—WithStaticWiredEquivalentPrivacy（WEP）,allAPsandclientradioNICsonaparticularWLANmustusethesameencryptionkey.EachsendingstationencryptsthebodyofeachframewithaWEPkeybeforetransmission,andthereceivingstationdecryptsitusinganidenticalkeyuponreception.

802.1x—ConfigurestheWLANtousethe802.1xbasedauthentication.TheuseofIEEE802.1Xoffersaneffectiveframeworkinordertoauthenticateandcontrolusertraffictoaprotectednetwork,aswellasdynamicallyvaryencryptionkeys.802.1XtiesaprotocolcalledExtensibleAuthenticationProtocol（EAP）toboththewiredandWLANmediaandsupportsmultipleauthenticationmethods.

StaticWEP+802.1x—ThisLayer2securitysettingenablesboth802.1xandStaticWEP.ClientscaneitheruseStaticWEPor802.1xauthenticationinordertoconnecttothenetwork.

Wi-FiProtectedAccess（WPA）—WPAorWPA1andWPA2arestandard-basedsecuritysolutionsfromtheWi-FiAlliancethatprovidedataprotectionandaccesscontrolforWLANsystems.WPA1iscompatiblewiththeIEEE802.11istandardbutwasimplementedbeforethestandard'sratification.WPA2istheWi-FiAlliance'simplementationoftheratifiedIEEE802.11istandard.

Bydefault,WPA1usesTemporalKeyIntegrityProtocol（TKIP）andmessageintegritycheck（MIC）fordataprotection.WPA2usesthestrongerAdvancedEncryptionStandardencryptionalgorithmusingCounterModewithCipherBlockChainingMessageAuthenticationCodeProtocol（AES-CCMP）.BothWPA1andWPA2use802.1Xforauthenticatedkeymanagementbydefault.However,theseoptionsarealsoavailable:

PSK,CCKM,andCCKM+802.1x.IfyouselectCCKM,CiscoonlyallowsclientswhichsupportCCKM.IfyouselectCCKM+802.1x,Ciscoallowsnon-CCKMclientsalso.

CKIP—CiscoKeyIntegrityProtocol（CKIP）isaCisco-proprietarysecurityprotocolforencrypting802.11media.CKIPimproves802.11securityininfrastructuremodeusingkeypermutation,MIC,andmessagesequencenumber.Softwarerelease4.0supportsCKIPwithstatickey.Forthisfeaturetooperatecorrectly,youmustenableAironetinformationelements（IEs）fortheWLAN.TheCKIPsettingsspecifiedinaWLANaremandatoryforanyclientthatattemptstoassociate.IftheWLANisconfiguredforbothCKIPkeypermutationandMMHMIC,theclientmustsupportboth.IftheWLANisconfiguredforonlyoneofthesefeatures,theclientmustsupportonlythisCKIPfeature.WLCsonlysupportstaticCKIP（likestaticWEP）.WLCsdonotsupportCKIPwith802.1x（dynamicCKIP）.

Layer3Solutions

None—WhenthisoptionisselectedfromtheLayer3securitymenu,NoLayer3authenticationisperformedontheWLAN.

Note:

 TheconfigurationexampleforNoLayer3authenticationandNoLayer2authenticationisexplainedintheNoneAuthenticationsection.

WebPolicy（WebAuthenticationandWebPassthrough）—Webauthenticationistypicallyusedbycustomerswhowanttodeployaguest-accessnetwork.Inaguest-accessnetwork,thereisinitialusernameandpasswordauthentication,butsecurityisnotrequiredforthesubsequenttraffic.Typicaldeploymentscaninclude"hotspot"locations,suchasT-MobileorStarbucks.

WebauthenticationfortheCiscoWLCisdonelocally.YoucreateaninterfaceandthenassociateaWLAN/servicesetidentifier（SSID）withthatinterface.

Webauthenticationprovidessimpleauthenticationwithoutasupplicantorclient.Keepinmindthatwebauthenticationdoesnotprovidedataencryption.Webauthenticationistypicallyusedassimpleguestaccessforeithera"hotspot"orcampusatmospherewheretheonlyconcernistheconnectivity.

WebpassthroughisasolutionthroughwhichwirelessusersareredirectedtoanacceptableusagepolicypagewithouthavingtoauthenticatewhentheyconnecttotheInternet.ThisredirectionistakencareofbytheWLCitself.TheonlyrequirementistoconfiguretheWLCforwebpassthrough,whichisbasicallywebauthenticationwithouthavingtoenteranycredentials.

VPNPassthrough—VPNPassthroughisafeaturewhichallowsaclienttoestablishatunnelonlywithaspecificVPNserver.Therefore,ifyouneedtosecurelyaccesstheconfiguredVPNserveraswellasanotherVPNserverortheInternet,thisisnotpossiblewithVPNPassthroughenabledonthecontroller.

Inthenextsections,configurationexamplesareprovidedforeachoftheauthenticationmechanisms.

ConfigurationExamples

BeforeyouconfiguretheWLANsandtheauthenticationtypes,youmustconfiguretheWLCforbasicoperationandregistertheLAPstotheWLC.ThisdocumentassumesthattheWLCisconfiguredforbasicoperationandthattheLAPsareregisteredtotheWLC.IfyouareanewusertryingtosetuptheWLCforbasicoperationwithLAPs,refertoLightweightAP（LAP）RegistrationtoaWirelessLANController（WLC）.

Layer1SecuritySolutions

WirelessclientscanberestrictedaccessbasedonthenumberofconsecutivefailedattemptstoaccesstheWLANnetwork.Clientexclusionoccursintheseconditionsbydefault.Thesevaluescannotbechanged.

∙Consecutive802.11AuthenticationFailure（5consecutivetimes,6thtryisexcluded）

∙Consecutive802.11AssociationFailures（5consecutivetimes,6thtryisexcluded）

∙Consecutive802.1xAuthenticationFailures（3consecutivetimes,4thtryisexcluded）

∙ExternalPolicyServerFailure

∙AttempttouseIPaddressalreadyassignedtoanotherdevice（IPTheftorIPReuse）

∙ConsecutiveWebAuthentication（3consecutivetimes,4thtryisexcluded）

ThiswindowshowstheClientExclusionPolicies.Inordertogettoit,clickSecurityinthetopmenuandthenselectClientExclusionPoliciesintheleftsidemenuundertheWirelessProtectionPoliciessection.

Theexclusiontimercanbeconfigured.Exclusionoptionscanbeenabledordisabledpercontroller.TheexclusiontimercanbeenabledordisabledperWLAN.

TheMaximumNumberofConcurrentLoginsforasingleusernamebydefaultis0.Youcanenteranyvaluebetween0and8.ThisparametercanbesetatSECURITY>AAA>UserLoginPoliciesandallowsyoutospecifythemaximumnumberofconcurrentloginsforasingleclientname,betweenoneandeight,or0=unlimited.Hereisanexample:

Layer2SecuritySolutions

NoneAuthentication

ThisexampleshowsaWLANwhichisconfiguredwithNoauthentication.

Note:

 ThisexamplealsoworksforNoLayer3authentication.

ConfigureWLCforNoAuthentication

CompletethesestepsinordertoconfiguretheWLCforthissetup:

1.ClickWLANsfromthecontrollerGUIinordertocreateaWLAN.

TheWLANswindowappears.ThiswindowliststheWLANsconfiguredonthecontroller.

2.ClickNewinordertoconfigureanewWLAN.

3.EntertheWLANIDandWLANSSID.

Inthisexample,theWLANisnamedNullAuthenticationandtheWLANIDis1.

4.ClickApply.

5.IntheWLAN>Editwindow,definetheparametersspecifictotheWLAN.

6.FromtheLayer2andLayer3Securitypulldownmenu,chooseNone.

ThisenablesNoauthenticationforthisWLAN.Selecttheotherparameters,whichdependonthedesignrequirements.Thisexampleusesthedefaults.

7.ClickApply.

ConfigureWirelessClientforNoAuthentication

CompletethesestepsinordertoconfiguretheWirelessLANClientforthissetup:

Note:

 ThisdocumentusesanAironet802.11a/b/gClientAdapterthatrunsfirmware3.5,andexplainstheconfigurationoftheclientadapterwithADUversion3.5.

1.Inordertocreateanewprofile,clicktheProfileManagementtabontheADU.

2.ClickNew.

3.WhentheProfileManagement（General）windowdisplays,completethesestepsinordertosettheProfileName,ClientName,andSSID:

a.EnterthenameoftheprofileintheProfileNamefield.

ThisexampleusesNoAuthenticationastheProfileName.

b.EnterthenameoftheclientintheClientNamefield.

TheclientnameisusedtoidentifythewirelessclientintheWLANnetwork.