基于用户名密码的认证Word格式文档下载.docx
《基于用户名密码的认证Word格式文档下载.docx》由会员分享,可在线阅读,更多相关《基于用户名密码的认证Word格式文档下载.docx(42页珍藏版)》请在冰点文库上搜索。
ComponentsUsed
Theinformationinthisdocumentisbasedonthesesoftwareandhardwareversions:
∙Cisco2006WLCthatrunsfirmwarerelease4.0
∙Cisco1000SeriesLAPs
∙Cisco802.11a/b/gWirelessClientAdapterthatrunsfirmwarerelease2.6
∙CiscoSecureACSserverversion3.2
Theinformationinthisdocumentwascreatedfromthedevicesinaspecificlabenvironment.Allofthedevicesusedinthisdocumentstartedwithacleared(default)configuration.Ifyournetworkislive,makesurethatyouunderstandthepotentialimpactofanycommand.
Conventions
RefertoCiscoTechnicalTipsConventionsformoreinformationondocumentconventions.
AuthenticationonWLCs
TheCiscoUnifiedWirelessNetwork(UWN)securitysolutionbundlespotentiallycomplicatedLayer1,Layer2,andLayer3802.11AccessPoint(AP)securitycomponentsintoasimplepolicymanagerthatcustomizessystem-widesecuritypoliciesonaper-wirelessLAN(WLAN)basis.TheCiscoUWNsecuritysolutionprovidessimple,unified,andsystematicsecuritymanagementtools.
ThesesecuritymechanismscanbeimplementedonWLCs.
Layer1Solutions
Restrictclientaccessbasedonthenumberofconsecutivefailedattempts.
Layer2Solutions
NoneAuthentication—WhenthisoptionisselectedfromtheLayer2Securitymenu,NoLayer2authenticationisperformedontheWLAN.Thisisthesameastheopenauthenticationofthe802.11standard.
StaticWEP—WithStaticWiredEquivalentPrivacy(WEP),allAPsandclientradioNICsonaparticularWLANmustusethesameencryptionkey.EachsendingstationencryptsthebodyofeachframewithaWEPkeybeforetransmission,andthereceivingstationdecryptsitusinganidenticalkeyuponreception.
802.1x—ConfigurestheWLANtousethe802.1xbasedauthentication.TheuseofIEEE802.1Xoffersaneffectiveframeworkinordertoauthenticateandcontrolusertraffictoaprotectednetwork,aswellasdynamicallyvaryencryptionkeys.802.1XtiesaprotocolcalledExtensibleAuthenticationProtocol(EAP)toboththewiredandWLANmediaandsupportsmultipleauthenticationmethods.
StaticWEP+802.1x—ThisLayer2securitysettingenablesboth802.1xandStaticWEP.ClientscaneitheruseStaticWEPor802.1xauthenticationinordertoconnecttothenetwork.
Wi-FiProtectedAccess(WPA)—WPAorWPA1andWPA2arestandard-basedsecuritysolutionsfromtheWi-FiAlliancethatprovidedataprotectionandaccesscontrolforWLANsystems.WPA1iscompatiblewiththeIEEE802.11istandardbutwasimplementedbeforethestandard'
sratification.WPA2istheWi-FiAlliance'
simplementationoftheratifiedIEEE802.11istandard.
Bydefault,WPA1usesTemporalKeyIntegrityProtocol(TKIP)andmessageintegritycheck(MIC)fordataprotection.WPA2usesthestrongerAdvancedEncryptionStandardencryptionalgorithmusingCounterModewithCipherBlockChainingMessageAuthenticationCodeProtocol(AES-CCMP).BothWPA1andWPA2use802.1Xforauthenticatedkeymanagementbydefault.However,theseoptionsarealsoavailable:
PSK,CCKM,andCCKM+802.1x.IfyouselectCCKM,CiscoonlyallowsclientswhichsupportCCKM.IfyouselectCCKM+802.1x,Ciscoallowsnon-CCKMclientsalso.
CKIP—CiscoKeyIntegrityProtocol(CKIP)isaCisco-proprietarysecurityprotocolforencrypting802.11media.CKIPimproves802.11securityininfrastructuremodeusingkeypermutation,MIC,andmessagesequencenumber.Softwarerelease4.0supportsCKIPwithstatickey.Forthisfeaturetooperatecorrectly,youmustenableAironetinformationelements(IEs)fortheWLAN.TheCKIPsettingsspecifiedinaWLANaremandatoryforanyclientthatattemptstoassociate.IftheWLANisconfiguredforbothCKIPkeypermutationandMMHMIC,theclientmustsupportboth.IftheWLANisconfiguredforonlyoneofthesefeatures,theclientmustsupportonlythisCKIPfeature.WLCsonlysupportstaticCKIP(likestaticWEP).WLCsdonotsupportCKIPwith802.1x(dynamicCKIP).
Layer3Solutions
None—WhenthisoptionisselectedfromtheLayer3securitymenu,NoLayer3authenticationisperformedontheWLAN.
Note:
TheconfigurationexampleforNoLayer3authenticationandNoLayer2authenticationisexplainedintheNoneAuthenticationsection.
WebPolicy(WebAuthenticationandWebPassthrough)—Webauthenticationistypicallyusedbycustomerswhowanttodeployaguest-accessnetwork.Inaguest-accessnetwork,thereisinitialusernameandpasswordauthentication,butsecurityisnotrequiredforthesubsequenttraffic.Typicaldeploymentscaninclude"
hotspot"
locations,suchasT-MobileorStarbucks.
WebauthenticationfortheCiscoWLCisdonelocally.YoucreateaninterfaceandthenassociateaWLAN/servicesetidentifier(SSID)withthatinterface.
Webauthenticationprovidessimpleauthenticationwithoutasupplicantorclient.Keepinmindthatwebauthenticationdoesnotprovidedataencryption.Webauthenticationistypicallyusedassimpleguestaccessforeithera"
orcampusatmospherewheretheonlyconcernistheconnectivity.
WebpassthroughisasolutionthroughwhichwirelessusersareredirectedtoanacceptableusagepolicypagewithouthavingtoauthenticatewhentheyconnecttotheInternet.ThisredirectionistakencareofbytheWLCitself.TheonlyrequirementistoconfiguretheWLCforwebpassthrough,whichisbasicallywebauthenticationwithouthavingtoenteranycredentials.
VPNPassthrough—VPNPassthroughisafeaturewhichallowsaclienttoestablishatunnelonlywithaspecificVPNserver.Therefore,ifyouneedtosecurelyaccesstheconfiguredVPNserveraswellasanotherVPNserverortheInternet,thisisnotpossiblewithVPNPassthroughenabledonthecontroller.
Inthenextsections,configurationexamplesareprovidedforeachoftheauthenticationmechanisms.
ConfigurationExamples
BeforeyouconfiguretheWLANsandtheauthenticationtypes,youmustconfiguretheWLCforbasicoperationandregistertheLAPstotheWLC.ThisdocumentassumesthattheWLCisconfiguredforbasicoperationandthattheLAPsareregisteredtotheWLC.IfyouareanewusertryingtosetuptheWLCforbasicoperationwithLAPs,refertoLightweightAP(LAP)RegistrationtoaWirelessLANController(WLC).
Layer1SecuritySolutions
WirelessclientscanberestrictedaccessbasedonthenumberofconsecutivefailedattemptstoaccesstheWLANnetwork.Clientexclusionoccursintheseconditionsbydefault.Thesevaluescannotbechanged.
∙Consecutive802.11AuthenticationFailure(5consecutivetimes,6thtryisexcluded)
∙Consecutive802.11AssociationFailures(5consecutivetimes,6thtryisexcluded)
∙Consecutive802.1xAuthenticationFailures(3consecutivetimes,4thtryisexcluded)
∙ExternalPolicyServerFailure
∙AttempttouseIPaddressalreadyassignedtoanotherdevice(IPTheftorIPReuse)
∙ConsecutiveWebAuthentication(3consecutivetimes,4thtryisexcluded)
ThiswindowshowstheClientExclusionPolicies.Inordertogettoit,clickSecurityinthetopmenuandthenselectClientExclusionPoliciesintheleftsidemenuundertheWirelessProtectionPoliciessection.
Theexclusiontimercanbeconfigured.Exclusionoptionscanbeenabledordisabledpercontroller.TheexclusiontimercanbeenabledordisabledperWLAN.
TheMaximumNumberofConcurrentLoginsforasingleusernamebydefaultis0.Youcanenteranyvaluebetween0and8.ThisparametercanbesetatSECURITY>
AAA>
UserLoginPoliciesandallowsyoutospecifythemaximumnumberofconcurrentloginsforasingleclientname,betweenoneandeight,or0=unlimited.Hereisanexample:
Layer2SecuritySolutions
NoneAuthentication
ThisexampleshowsaWLANwhichisconfiguredwithNoauthentication.
ThisexamplealsoworksforNoLayer3authentication.
ConfigureWLCforNoAuthentication
CompletethesestepsinordertoconfiguretheWLCforthissetup:
1.ClickWLANsfromthecontrollerGUIinordertocreateaWLAN.
TheWLANswindowappears.ThiswindowliststheWLANsconfiguredonthecontroller.
2.ClickNewinordertoconfigureanewWLAN.
3.EntertheWLANIDandWLANSSID.
Inthisexample,theWLANisnamedNullAuthenticationandtheWLANIDis1.
4.ClickApply.
5.IntheWLAN>
Editwindow,definetheparametersspecifictotheWLAN.
6.FromtheLayer2andLayer3Securitypulldownmenu,chooseNone.
ThisenablesNoauthenticationforthisWLAN.Selecttheotherparameters,whichdependonthedesignrequirements.Thisexampleusesthedefaults.
7.ClickApply.
ConfigureWirelessClientforNoAuthentication
CompletethesestepsinordertoconfiguretheWirelessLANClientforthissetup:
ThisdocumentusesanAironet802.11a/b/gClientAdapterthatrunsfirmware3.5,andexplainstheconfigurationoftheclientadapterwithADUversion3.5.
1.Inordertocreateanewprofile,clicktheProfileManagementtabontheADU.
2.ClickNew.
3.WhentheProfileManagement(General)windowdisplays,completethesestepsinordertosettheProfileName,ClientName,andSSID:
a.EnterthenameoftheprofileintheProfileNamefield.
ThisexampleusesNoAuthenticationastheProfileName.
b.EnterthenameoftheclientintheClientNamefield.
TheclientnameisusedtoidentifythewirelessclientintheWLANnetwork.
升级会员 