Register Cisco APs with Cisco vWLC 8.1 on EVE-NG (FlexConnect Mode)

EVE (Emulated Virtual Environment) is running in VMWare Workstation in my Laptop. Cisco AP is connected to the Ethernet port of my laptop directly. PoE is given by a power injector. You can see the EVE topology on this capture. A core switch is bridged to external world and connected to vWLC. Service Port of vWLC is bridged to NAT interface of the VMware. If you are not familiar with these kind of virtual networking, following post will be helpful for you to understand how to make this a reality..

https://practicalnetstuff.blogspot.com/2017/01/connect-virtual-devices-in-unleve-to_31.html

Cisco vWLC will not support the Local mode hence we have to go with the FlexConnet..

Note:- 

Find the matching country code of your physical access point before you start configuring your WLC. As an example; my AP is Cisco AIR-CAP2602I-E-K9; the 'E' there is indicating the the region, Europe.. This is why I am configuring my WLC country code as GB (Great Britain)

Configuration in WLC

How the WLC is configured can be found in the following post.
https://practicalnetstuff.blogspot.com/2017/02/deploy-vwlc-on-eve-unl.html

After initial configuration, you will have to activate licences.

Log in to WLC with web-GUI and go to Advanced..
Go to Management > Software Activation > Licenses

Click on the ap count and click on the set status tab and accept..

You will not see anything changed, but trust me, this will hold your AP from registering.
After accepting the license, go to Commands > Reboot and click on Save and Reboot tab

Configuration in CORE

CORE(config)#vlan 50
CORE(config-vlan)#name WLC-Mangement
CORE(config)#vlan 60
CORE(config-vlan)#name AP-Management
CORE(config)#vlan 70
CORE(config-vlan)#name SSID-1
CORE(config)#vlan 80
CORE(config-vlan)#name SSID-2

CORE(config)#interface vlan 50
CORE(config-if)#ip address 192.168.50.254 255.255.255.0

CORE(config)#interface vlan 60
CORE(config-if)#ip address 192.168.60.254 255.255.255.0

CORE(config)#interface vlan 70
CORE(config-if)#ip address 192.168.70.254 255.255.255.0

CORE(config)#interface vlan 80
CORE(config-if)#ip address 192.168.80.254 255.255.255.0

CORE(config)#interface e0/0
CORE(config-if)#switchport trunk encapsulation dot1q
CORE(config-if)#switchport mode access
CORE(config-if)#switchport trunk access vlan 60

CORE(config)#interface e0/1
CORE(config-if)#switchport trunk encapsulation dot1q
CORE(config-if)#switchport mode trunk
CORE(config-if)#switchport trunk allowed vlan 50,70,80

Configuration in AP

ap#capwap ap ip address 192.168.60.10 255.255.255.0
ap#capwap ap ip default-gateway 192.168.60.254
ap#capwap ap controller ip address 192.168.50.51

Now the AP should register on WLC but we are not finished yet.. If still AP is not joining because of a license issue (you can see this on the log of AP and WLC) you may need to reset the AP and try again..

To know the correct way to reset a Cisco AP please go the following link..
https://practicalnetstuff.blogspot.com/2017/07/correct-way-to-factory-reset-cisco-ap.html

Configure SSIDs in WLC

It's easy.. 1st you will have to create some interfaces.
Go to Controller > Interfaces & New..
Fill the required boxes.. I have shown you one which I gave the interface IP address 192.168.70.2 which belongs to VLAN 70.

Go to the WLANs tab of WLC and Create New..
Bind the created interface and remember to tick Status & Broadcast SSID..

Don't forget to tick the FlexConnect Local Switching Enabled on the Advanced tab..

Change the Mode of AP to Flex Connect

The SSID you created will not be broadcast unless you do this..
Go to Wireless and click on the name of the AP, change AP mode to FlexConnect and apply..
Then go to the FlexConnect tab and tick VLAN support and enter the Native VLAN ID as your AP's VLAN, mine is 60

Now go tot the VLAN Mappings and make sure the VLANs of SSIDs are correct.

Now you can Apply the settings..
After you applied the settings, you should change the port configurations as following.

CORE(config)#interface e0/0
CORE(config-if)#switchport trunk encapsulation dot1q
CORE(config-if)#switchport mode trunk
CORE(config-if)#switchport trunk allowed vlan 60,70,80
CORE(config-if)#switchport trunk native vlan 60

You will see your SSID is live around you.. :)

Correct Way to Factory Reset Cisco AP (Clear Configurations Completely)

If you have tried to clear old configurations / reset using mode button of a Cisco Lightweight AP and tried to join it to a new WLC, you may have experienced that it is not clearing it's old configurations completely. May be it will join the previous controller again. Sometimes only IP address is clearing, primary controller address is still visible in SET variables. Well, this is the correct way to completely reset it..


The AP I am using is a Cisco 2602i which is a very common AP.

01. First console the AP and log in with username and password, go to privilege mode..

Default Username: Cisco
Default Password: Cisco
Default Enable Password: Cisco

02. Unlock hidden commands..

Because erase command is hidden, you will need to unlock it by the following command.
AP#debug capwap console cli

Note:- 

This command can be used to go to config mode of a Cisco Lightweight AP too.

03. Erase NVRAM.

NVRAM is where the startup configuration file is located and where the AP maintains the list of previously learned WLC IPs.

Hit the following command to erase the nvram..
AP#erase /all nvram:

After erasing nvram, it will be like this..

04. Delete the Flash or env_vars file in Flash..

Hit a dir flash:/ to see what is inside it..















If you really want to get your AP to fresh factory reset, you will issue the following command to erase full flash with all the files in it. But proceed with caution because it wipes out the OS too.

Hit the following command to delete flash..
AP#delete /force /recursive flash:

Note:- 

Flash is where the IOS image and the recovery OS image are stored. If you issue the above command it will wipe out both images. So you will have to upload the recovery image from a TFTP server (your PC) after doing this in rommon mode. If you want to know how to do it please refer this.

A brand new AP comes with a recovery image only. It will download the IOS image from the WLC after it joined one.

So if you don't want to delete the OS, but if you need to clear all the old configurations, hit the following command to delete the SET variables.. (you can delete these files in rommon mode too)
AP#delete flash:/env_vars

To delete usernames/passwords (you can delete these files in rommon mode too)
AP#delete flash:/private-multiple-fs

This file is where the set variables are stored. If you don't delete this some of the set variables will be intact even after you reset pushing the mode button.

05. Reset AP using the Mode button

Unplug and plug again the power source of the AP holding the mode button..
Release it after the LED turns steady red.. (about 10 seconds)

Now issue set command and you can see all the set variables are also cleared..
If you did not delete the entire Flash, you can give the following command to set the IOS image to bootup instead of recovery image.

ap:set BOOT flash:/<image-directory>/<image>

In my case it is set BOOT flash:/ap3g2-k9w8-mx.153-3.JBB1/ap3g2-k9w8-mx.153-3.JBB1

How EAP-PEAP (Protected EAP) Works in Wireless Security

EAP (Extensible Authentication Protocol) is used to authenticate users in several technologies. Common examples would be WPA/WPA2 wireless networks & point to point connections.

If you want to understand basics about 802.1X/EAP concept please refer this.

EAP only describes the headers that can be used to identify typical packets of an authentication dialog. (request, challenge, success, failure). But the original EAP does not describe the authentication method. The flavors of EAP does..

Different flavors of EAP, identified by different names mention the different authentication methods (the way authentication occurs)..

Most commonly used EAP types are EAP-TLS, PEAP & EAP-FAST..

EAP-PEAP

EAP-PEAP (Protected EAP) is an authentication mechanism which has 2 phases involved..
1st phase will create a tunnel using the server certificate.
2nd phase will exchange the identities.

Note:- 

Certificate is a public key verified by a trusted authority.
When EAP-PEAP is used Following steps will take place..
First 4 steps are common in any EAP method (basic wireless connectivity).

(01) The client sends 802.11 Open Authentication Request
(02) AP sends 802.11 open Authentication Response
(03) The client then sends the Association Request
(04) AP sends Association Response

At this point AP blocks all traffic from the supplicant until authentication completes..

Phase 1

(05) The client sends the EAPoL Start (this is optional)
(06) AP/WLC continues with an EAP message requesting the Supplicant Identity (username)
(07) The client sends its Identity to AP/WLC (here this can be a fake ID)
(08) AP/WLC forwards the Supplicant Identity to the RADIUS server
(09) The RADIUS server sends its certificate to the client through AP/WLC
(10) The client generates a Master Encryption Key and encrypts it using the server certificate and             sends it to the RADIUS server

Now both the client and the RADIUS server have a way to encrypt the messages they exchange. But only the server is authenticated (by its certificate). So the client still needs to be authenticated. Therefore a second authentication phase starts (EAP inside the 1st EAP tunnel, thus the name Protected EAP) where the client is authenticated using a username and password with MSCHAPv2 (for PEAPv0) or GTC (for PEAPv1).

Phase 2

(10) RADIUS server asks client to send credentials to authenticate
(11) The client forwards the credentials to RADIUS server (this is the real username and password)

Now RADIUS server can derive the main encryption key for the client's traffic. This key is called the 'Pairwise Master Key'

(12) RADIUS server generates the PMK (Pairwise Master Key)
(13) RADIUS server forwards the PMK to the AP/WLC with an authentication success message
(14) WLC use the PMK to generate encryption keys for the client traffic

Note:- 

RADIUS server does not keep the PMK, it just generates it and hands it over to WLC & the client also generates the PMK which is identical to the PMK generated by the Authentication Server..

At this point, the work of the EAP-PEAP is done. But in real world (WPA/WPA2) there are some more steps to go to secure the traffic of the client. I will describe it in a later post about WPA/WPA2..

How EAP-TLS (Transport Layer Security) Works in Wireless Security

EAP (Extensible Authentication Protocol) is used to authenticate users in several technologies. Common examples would be WPA/WPA2 wireless networks & point to point connections.

If you want to understand basics about 802.1X/EAP concept please refer this.

EAP only describes the headers that can be used to identify typical packets of an authentication dialog. (request, challenge, success, failure). But the original EAP does not describe the authentication method. The flavors of EAP does..

Different flavors of EAP, identified by different names mention the different authentication methods (the way authentication occurs)..

Most commonly used EAP types are EAP-TLS, PEAP & EAP-FAST..

EAP-TLS

EAP-TLS (Transport Layer Security) is an authentication mechanism that relies on certificates. Key pairs (certificate & private key) are installed on the clients and on the RADIUS server.

Note:- 

Certificate is a public key verified by a trusted authority.

When EAP-TLS is used Following steps will take place..

First 4 steps are common in any EAP method (basic wireless connectivity).

(01) The client sends 802.11 Open Authentication Request

(02) AP sends 802.11 open Authentication Response
(03) The client then sends the Association Request

(04) AP sends Association Response

At this point AP blocks all traffic from the supplicant until authentication completes.. 

(05) The client sends the EAPoL Start (this is optional)

(06) AP/WLC continues with an EAP message requesting the Supplicant Identity (username)
(07) The client sends its Identity to AP/WLC
(08) AP/WLC forwards the Supplicant Identity to the RADIUS server

(09) The RADIUS server sends its certificate to the client through AP/WLC

(10) The client verifies the server certificate and sends its own certificate to the RADIUS server

Now both the client and the RADIUS server have a way to encrypt the messages they exchange. They use this secure connection to agree on  a way to derive the main encryption key for the client's traffic. This key is called the 'Pairwise Master Key'

(11) RADIUS server & client generate the PMK (Pairwise Master Key)

(12) RADIUS server forwards the PMK to the WLC with an authentication success message

(13) WLC use the PMK to generate encryption keys for the client traffic

Note:- 

RADIUS server does not keep the PMK, it just generates it and hands it over to WLC & the client also generates the PMK which is identical to the PMK generated by the Authentication Server..

At this point, the work of the EAP-TLS is done. But in real world (WPA/WPA2) there are some more steps to go to secure the traffic of the client. I will describe it in a later post about WPA/WPA2..

Note:- 

EAP-TLS is a very secure method for authentication but certificates will be needed to install on each client so it is not widely used as the enterprises are moving towards BYOD..

802.1X/EAP Authentication Concept in Wireless Security

Because of the weakness in WEP (Wired Equivalent Privacy) which provide one single key for all users in the WLAN and if this key is found (which can be done easily with Kali Linux) the WLAN is compromised. So the need to use a new security concept which separates authentication from encryption was required. Using 802.1x and EAP (Extensible Authentication Protocol), IEEE offered a better solution which is used in WPA/WPA2 (Wireless Protected Access) nowadays.

802.1X

This is a protocol which defines port-based access control. 802.1X states following 3 roles..

1. Supplicant = the end point which wants to access the network
2. Authenticator = the point of connection to the network
3. Authentication Server = the server which actually authenticates the users

When a supplicant connects to the authenticator, the authenticator closes its port except for authentication-related exchanges and asks the supplicant for credentials. Authenticator then passes the received credentials to the authentication server. Authentication server then responds to the authenticator with either a success or a failure message. If the response is a success, the port will be opened and user traffic will be allowed.

In wireless world, the AP (or the AP/WLC pair in a centralized network) acts as the authenticator.
Following steps will take place..
First 4 steps are about basic wireless connectivity.

(1) The client sends 802.11 Open Authentication Request
(2) AP sends 802.11 open Authentication Response
(3) The client then sends the Association Request
(4) AP sends Association Response

At this point AP blocks all traffic from the supplicant until authentication completes..
(5) 802.1X/EAP process starts at this point..
(6) When the 802.1X/EAP process is successful, the client traffic is allowed through the AP..

RADIUS (Remote Dial In User Service) is the main protocol described for the communication in between the authenticator and the authentication server in the 802.1X protocol. This means that the supplicant exchanges the 802.1X messages with the authenticator and the authenticator then translates those 802.1X messages to RADIUS messages and forwards them to a RADIUS server.

So the 802.1X and the RADIUS protocols are the protocols used to transport the authentication dialog between the supplicant and the authentication server.

RADIUS server uses UDP port 1812 for authentication and UDP 1813 for authorization..

That authentication dialog is what defined by EAP..

EAP (Extensible Authentication Protocol)

The 802.1X does not contain specific methods for wireless clients to send their credentials to the authentication server, nor does it specify how this authentication should occur. So IEEE added EAP to fulfill this requirement.

EAP only describes the headers that can be used to identify typical packets of an authentication dialog. (request, challenge, success, failure). But the original EAP does not describe the authentication method. The flavors of EAP does..

Different flavors of EAP, identified by different names mention the different authentication methods (the way authentication occurs)..
Ex:-
EAP-TLS : Which uses certificates from both Authentication Server & Supplicant
EAP-PEAP : Which uses certificate from Authentication Server & Credentials from Supplicant
EAP-FAST : Which uses a FAST Authentication Server (Cisco Proprietary)

There are 4 different types of EAP messages.

Type 1 - Request
Type 2 - Response
Type 3 - Success
Type 4 - Failure

EAP messages are encapsulated in EAP over LAN(EAPOL) frames. There are 5 different types of EAPOL frames.

1. Type 0 – EAP Packets (encapsulated EAP frame)
2. Type 1 – EAPOL-Start (optional frame that supplicant can use to start EAP Process)
3. Type 2 – EAPOL-Logoff (this frame terminates an EAP session & shut virtual ports)
4. Type 3 – EAPOL-Key (used to exchange dynamic keying info in 4way-handshake)
5. Type 4 – EAPOL-Encapsulated-ASF-Alert (used to send alerts such as SNMP traps ports)

If you want to know how EAP-TLS works go here.
If you want to know how PEAP works go here.

Light Weight Access Point Registration Process with Cisco WLC

This is a 4 step process. They are Getting an IP address, Finding WLCs, Selecting WLCs & Registering with the Primary WLC.. Simple like that.. In Light Weight mode, APs act as end point dumb devices to Wireless LAN Controllers. What they just need is to find a WLC to build it's tunnel (CAPWAP) to transport user traffic where they will be handled as required..

Step 01: Getting an IP address

AP can be assigned an IP address in 2 methods..
1. Static assignment
2. DHCP

If it is not configured statically, it will send a DHCP discover to find a DHCP server to get an IP address along with other network details.. Nothing amazing here as this is what any end point will do when it is plugged in to a network..


Step 02: Finding WLCs

There are 2 WLC discovery methods in Cisco APs; L2 discovery & L3 discovery..
L2 discovery happens first..

Note:- 

LWAPP & CAPWAP are 2 Light Weight mode protocols which allows APs to join with WLCs. LWAPP stands for Light Weight Access Point Protocol and CAPWAP stands for Control And Provisioning Wireless Access Point. Both accomplishes same task in different ways. CAPWAP seems to do it in a better more secure way. LWAPP is older and only supports in few old platforms.

1. Layer 2 Discovery (supports only on few old platforms using LWAPP)
2. Layer 3 Discovery (supports on all platforms with both LWAPP or CAPWAP)

Steps of L3 Discovery :-

(i). CAPWAP Discovery request broadcast on local subnet (IP broadcast).

(ii). CAPWAP Discovery request sent to controller IP addresses learnt via OTAP feature.

When the feature called OTAP (Over the air provisioning) is configured on a controller, APs that are already been joined to the controller advertise their known controller addresses in neighbor messages that are sent over the air. New APs attempting to discover controllers receive these messages and unicast a discovery request to each controller. WLCs unicast discovery response to APs after receiving these messages.

(iii). CAPWAP discovery request sent to all locally stored WLC IP addresses.

APs maintain a list of WLC IPs previously learnt in its NVRAM. They send unicast messages to these IP addresses. WLCs unicast discovery response to APs after receiving these messages.

(iv). CAPWAP discovery request sent to IP addresses learnt from DHCP option 43.

DHCP option 43 is the IP of the WLC.. You can configure this in DHCP server settings.

(v). CAPWAP discovery request sent to IP addresses learnt from DNS address
CISCO-CAPWAP-CONTROLLER.localdomain

If a WLC gets a discovery request from any above step, it sends a unicast response to AP.
AP runs all these steps to create a list of WLCs. This is called the WLC hunting algorithm.

WLC Hunting Algorithm :-

1. If L2 discovery is supported, send a discovery request in an Ethernet broadcast
2. If L2 discovery is not supported or step 1 fails to find a WLC, proceed to L3 discovery
3. If L3 discovery fails to find  a candidate WLC, reboot and return to step 1


Step 03: Selecting WLCs

WLCs embed the following important information in the LWAPP/CAPWAP Discovery response
1. The controller sysName - hostname of WLC
2. The controller type - platform
3. The controller AP capacity and its current AP load
4. The master controller flag
5. The AP manager IP address

The AP uses this information to make a controller selection

1. If the LAP has been previously configured with primary, secondary and tertiary controller, the LAP will attempt to join these first (specified using the controller sysName)
2. Attempt to join a WLC configured as a master controller
3. Attempt to join a WLC with the greatest excess capacity


Step 04: Registering with the Primary WLC

1. AP sends a join request first..
Join request contains X.509 certificate of AP which WLC validates.

2. WLC sends a join response then..
Join response indicates AP is registered and contains X.509 certificate of WLC which AP validates.

After the joining is complete, following things happen between the WLC & AP..
- Sync firmware on WLC & LAP if it is not matching
- WLC provisions the LAP with configuration parameters (SSID, Security, QoS, etc)

Now the registration is complete. If the primary controller fails, it will register with the secondary controller available in his list..

Create a Local User Who Can Only View Running-Config in Cisco IOS

You will need to create a user who cannot do any other thing except viewing the running config. It will be a requirement when you create usernames for other 3rd parties. Problem is with the architecture of the Cisco IOS. Users can only view the configurations which they are allowed to modify. So if a user is given a level of 7 and if you assign show running-config command to level 7, it will not work because configuration mode is in level 15. If you assign configure terminal command to level 7 to correct this problem, the user will gain access to all the configuration commands.

So if you only need to create a user who can only view the running-config, you can simply do this..

Create a username with level 15
Router(config)#username TEST privilege 15 password cisco

Specify show run command to enter automatically when logged in
Router(config)#username TEST autocommand show run

Of course you will need to specify local login method in telnet/console which the user is using
Router(config)#line vty 0 4
Router(config)#login local