Username and password based authentication.docx
- Document number: 11855968
- Upload date: 2023-04-06
- Format: DOCX
- Pages: 42
- Size: 776.87KB
Username and password based authentication
Introduction
This document provides configuration examples that explain how to configure different types of Layer 1, Layer 2, and Layer 3 authentication methods on Wireless LAN Controllers (WLCs).
Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
∙ Knowledge of the configuration of Lightweight Access Points (LAPs) and Cisco WLCs
∙ Knowledge of 802.11i security standards
Components Used
The information in this document is based on these software and hardware versions:
∙ Cisco 2006 WLC that runs firmware release 4.0
∙ Cisco 1000 Series LAPs
∙ Cisco 802.11a/b/g Wireless Client Adapter that runs firmware release 2.6
∙ Cisco Secure ACS server version 3.2
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Authentication on WLCs
The Cisco Unified Wireless Network (UWN) security solution bundles potentially complicated Layer 1, Layer 2, and Layer 3 802.11 Access Point (AP) security components into a simple policy manager that customizes system-wide security policies on a per-wireless LAN (WLAN) basis. The Cisco UWN security solution provides simple, unified, and systematic security management tools.
These security mechanisms can be implemented on WLCs.
Layer 1 Solutions
Restrict client access based on the number of consecutive failed attempts.
Layer 2 Solutions
None Authentication—When this option is selected from the Layer 2 Security menu, no Layer 2 authentication is performed on the WLAN. This is the same as the open authentication of the 802.11 standard.
Static WEP—With Static Wired Equivalent Privacy (WEP), all APs and client radio NICs on a particular WLAN must use the same encryption key. Each sending station encrypts the body of each frame with a WEP key before transmission, and the receiving station decrypts it using an identical key upon reception. Keep in mind that WEP is cryptographically broken: its static RC4 key can be recovered from captured traffic, so this option should only be used where legacy clients cannot support WPA2, and never to protect sensitive traffic.
802.1x—Configures the WLAN to use 802.1x based authentication. The use of IEEE 802.1X offers an effective framework in order to authenticate and control user traffic to a protected network, as well as dynamically vary encryption keys. 802.1X ties a protocol called Extensible Authentication Protocol (EAP) to both the wired and WLAN media and supports multiple authentication methods.
Static WEP + 802.1x—This Layer 2 security setting enables both 802.1x and Static WEP. Clients can either use Static WEP or 802.1x authentication in order to connect to the network.
Wi-Fi Protected Access (WPA)—WPA or WPA1 and WPA2 are standards-based security solutions from the Wi-Fi Alliance that provide data protection and access control for WLAN systems. WPA1 is compatible with the IEEE 802.11i standard but was implemented before the standard's ratification. WPA2 is the Wi-Fi Alliance's implementation of the ratified IEEE 802.11i standard.
By default, WPA1 uses Temporal Key Integrity Protocol (TKIP) and message integrity check (MIC) for data protection. WPA2 uses the stronger Advanced Encryption Standard encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). Both WPA1 and WPA2 use 802.1X for authenticated key management by default. However, these options are also available:
PSK, CCKM, and CCKM + 802.1x. If you select CCKM, Cisco only allows clients which support CCKM. If you select CCKM + 802.1x, Cisco allows non-CCKM clients also.
CKIP—Cisco Key Integrity Protocol (CKIP) is a Cisco-proprietary security protocol for encrypting 802.11 media. CKIP improves 802.11 security in infrastructure mode using key permutation, MIC, and message sequence number. Software release 4.0 supports CKIP with static key. For this feature to operate correctly, you must enable Aironet information elements (IEs) for the WLAN. The CKIP settings specified in a WLAN are mandatory for any client that attempts to associate. If the WLAN is configured for both CKIP key permutation and MMH MIC, the client must support both. If the WLAN is configured for only one of these features, the client must support only this CKIP feature. WLCs only support static CKIP (like static WEP). WLCs do not support CKIP with 802.1x (dynamic CKIP).
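The WPA paragraph above says that 802.1X is the default source of key material and that PSK is an alternative. The following added example (not from the Cisco document) shows what the PSK option actually does on the station side: with 802.1X the Pairwise Master Key (PMK) is delivered by the EAP exchange with the ACS/RADIUS server, whereas in PSK mode every station derives the same 256-bit PMK locally from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations), as IEEE 802.11i specifies. The first test vector is the one published in IEEE 802.11i Annex H.4; the other SSIDs, passphrases and the candidate list are constructed sample data.

```python
"""WPA/WPA2 PSK-mode key derivation (added example, not Cisco code).

In PSK mode the Pairwise Master Key is PBKDF2-HMAC-SHA1(passphrase, SSID,
4096 iterations, 32 bytes).  The SSID acts as the salt, so the same
passphrase gives a different PMK on every WLAN.
"""
import hashlib
import hmac


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PMK a PSK-mode station derives for (passphrase, ssid)."""
    # IEEE 802.11i restricts passphrases to 8..63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def offline_guess(candidates, ssid: str, target_pmk: bytes):
    """Why passphrase strength matters in PSK mode: the PMK is fixed per
    (SSID, passphrase), so anyone who captures one 4-way handshake can test
    guesses offline.  Returns the matching candidate or None."""
    for cand in candidates:
        try:
            if hmac.compare_digest(wpa_psk(cand, ssid), target_pmk):
                return cand
        except ValueError:          # too short/long to be a valid passphrase
            continue
    return None


def same_passphrase_differs_per_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the SSID salt yields different PMKs for the same passphrase."""
    return wpa_psk(passphrase, ssid_a) != wpa_psk(passphrase, ssid_b)


if __name__ == "__main__":
    # IEEE 802.11i Annex H.4 test vector: SSID "IEEE", passphrase "password".
    print(wpa_psk("password", "IEEE").hex())
    # Constructed candidate list; the real passphrase is the third entry.
    pmk = wpa_psk("password", "IEEE")
    print(offline_guess(["letmein1", "Tr0ub4dor", "password"], "IEEE", pmk))
```

Two practical consequences follow from the derivation: a PSK WLAN is only as strong as the weakest passphrase guess an attacker is willing to try against a captured handshake, and renaming the SSID invalidates any precomputed PMK table for the old name, which is why 802.1X with a per-user credential is the default rather than a shared passphrase.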
Layer 3 Solutions
None—When this option is selected from the Layer 3 security menu, no Layer 3 authentication is performed on the WLAN.
Note:
The configuration example for No Layer 3 authentication and No Layer 2 authentication is explained in the None Authentication section.
Web Policy (Web Authentication and Web Passthrough)—Web authentication is typically used by customers who want to deploy a guest-access network. In a guest-access network, there is initial username and password authentication, but security is not required for the subsequent traffic. Typical deployments can include "hotspot" locations, such as T-Mobile or Starbucks.
Web authentication for the Cisco WLC is done locally. You create an interface and then associate a WLAN/service set identifier (SSID) with that interface.
Web authentication provides simple authentication without a supplicant or client. Keep in mind that web authentication does not provide data encryption. Web authentication is typically used as simple guest access for either a "hotspot" or campus atmosphere where the only concern is the connectivity.
Web passthrough is a solution through which wireless users are redirected to an acceptable usage policy page without having to authenticate when they connect to the Internet. This redirection is taken care of by the WLC itself. The only requirement is to configure the WLC for web passthrough, which is basically web authentication without having to enter any credentials.
VPN Passthrough—VPN Passthrough is a feature which allows a client to establish a tunnel only with a specific VPN server. Therefore, if you need to securely access the configured VPN server as well as another VPN server or the Internet, this is not possible with VPN Passthrough enabled on the controller.
In the next sections, configuration examples are provided for each of the authentication mechanisms.
Configuration Examples
Before you configure the WLANs and the authentication types, you must configure the WLC for basic operation and register the LAPs to the WLC. This document assumes that the WLC is configured for basic operation and that the LAPs are registered to the WLC. If you are a new user trying to set up the WLC for basic operation with LAPs, refer to Lightweight AP (LAP) Registration to a Wireless LAN Controller (WLC).
Layer 1 Security Solutions
Wireless clients can be denied access based on the number of consecutive failed attempts to access the WLAN network. Client exclusion occurs in these conditions by default. These threshold values cannot be changed.
∙ Consecutive 802.11 Authentication Failures (5 consecutive times, 6th try is excluded)
∙ Consecutive 802.11 Association Failures (5 consecutive times, 6th try is excluded)
∙ Consecutive 802.1x Authentication Failures (3 consecutive times, 4th try is excluded)
∙ External Policy Server Failure
∙ Attempt to use an IP address already assigned to another device (IP Theft or IP Reuse)
∙ Consecutive Web Authentication Failures (3 consecutive times, 4th try is excluded)
This window shows the Client Exclusion Policies. In order to get to it, click Security in the top menu and then select Client Exclusion Policies in the left side menu under the Wireless Protection Policies section.
The exclusion timer can be configured. Exclusion options can be enabled or disabled per controller. The exclusion timer can be enabled or disabled per WLAN.
The Maximum Number of Concurrent Logins for a single username is 0 by default. You can enter any value between 0 and 8. This parameter can be set at SECURITY > AAA > User Login Policies and allows you to specify the maximum number of concurrent logins for a single client name, between one and eight, or 0 = unlimited. Here is an example:
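To make the exclusion semantics above concrete (N consecutive failures, the (N+1)th try is excluded; a success resets the count; a configurable timer; per-controller and per-WLAN switches) and the concurrent-login limit of 0 (unlimited) or 1 to 8, here is an added simulation in Python. It is not Cisco code and does not reproduce the controller's implementation. The failure thresholds are the fixed values the document lists; the 60-second timeout, the choice that a WLAN with exclusion disabled never excludes, the "External Policy Server Failure" and IP-theft conditions being left out, and the MAC addresses, usernames and timestamps are assumptions and constructed sample data.

```python
"""Simulation of WLC client-exclusion thresholds and the per-username
concurrent-login limit (added example, not Cisco code)."""
from dataclasses import dataclass, field

# Fixed thresholds from the document: after N consecutive failures of a
# given kind, the (N+1)th attempt is excluded.
THRESHOLDS = {
    "dot11-auth": 5,   # 802.11 authentication failures
    "dot11-assoc": 5,  # 802.11 association failures
    "dot1x-auth": 3,   # 802.1x authentication failures
    "web-auth": 3,     # web authentication failures
}


@dataclass
class ExclusionPolicy:
    exclusion_timeout: int = 60                        # seconds; assumed default
    # Per-controller switches (Security > Client Exclusion Policies).
    controller_enabled: dict = field(default_factory=lambda: dict.fromkeys(THRESHOLDS, True))
    # Per-WLAN switch; assumed enabled when not set, and assumed to mean
    # "never exclude on this WLAN" when False.
    wlan_enabled: dict = field(default_factory=dict)
    _failures: dict = field(default_factory=dict)      # (mac, reason) -> consecutive failures
    _excluded_until: dict = field(default_factory=dict)  # mac -> expiry timestamp

    def is_excluded(self, mac: str, now: int) -> bool:
        until = self._excluded_until.get(mac)
        if until is None:
            return False
        if now >= until:                               # timer expired: client may try again
            del self._excluded_until[mac]
            return False
        return True

    def attempt(self, mac: str, wlan_id: int, reason: str, success: bool, now: int) -> str:
        """Process one attempt; returns 'excluded', 'ok' or 'failed'."""
        if self.is_excluded(mac, now):
            return "excluded"
        key = (mac, reason)
        failures = self._failures.get(key, 0)
        enforced = self.controller_enabled.get(reason, False) and self.wlan_enabled.get(wlan_id, True)
        if enforced and failures >= THRESHOLDS[reason]:
            # The (N+1)th try is dropped even if its credentials would have been accepted.
            self._excluded_until[mac] = now + self.exclusion_timeout
            self._failures.pop(key, None)
            return "excluded"
        if success:
            self._failures.pop(key, None)              # a success resets the consecutive count
            return "ok"
        self._failures[key] = failures + 1
        return "failed"


class ConcurrentLoginPolicy:
    """SECURITY > AAA > User Login Policies: 0 = unlimited, otherwise 1..8."""

    def __init__(self, max_logins: int = 0):
        if not 0 <= max_logins <= 8:
            raise ValueError("max concurrent logins must be 0 (unlimited) or 1..8")
        self.max_logins = max_logins
        self._sessions: dict = {}                      # username -> set of client MACs

    def login(self, username: str, mac: str) -> bool:
        active = self._sessions.setdefault(username, set())
        if mac in active:                              # re-login of an existing session
            return True
        if self.max_logins and len(active) >= self.max_logins:
            return False
        active.add(mac)
        return True

    def logout(self, username: str, mac: str) -> None:
        self._sessions.get(username, set()).discard(mac)


def demo() -> list:
    """Constructed scenario: a client fails 802.1x three times, is excluded on
    the fourth try even with correct credentials, stays excluded while the
    timer runs, and is admitted once it has expired."""
    policy = ExclusionPolicy(exclusion_timeout=60)
    mac = "00:11:22:33:44:55"                          # constructed sample MAC
    trace = [policy.attempt(mac, 1, "dot1x-auth", False, now=t) for t in (0, 1, 2)]
    trace.append(policy.attempt(mac, 1, "dot1x-auth", True, now=3))   # 4th try: excluded
    trace.append(policy.attempt(mac, 1, "dot1x-auth", True, now=30))  # still inside timer
    trace.append(policy.attempt(mac, 1, "dot1x-auth", True, now=63))  # timer expired
    return trace


if __name__ == "__main__":
    print(demo())
```

The point worth checking on a real controller is the one `demo()` exercises: the excluded attempt is the one after the threshold, so a client that guesses correctly on its fourth 802.1x try is still locked out for the full timer, and an attacker can use that to lock a legitimate client out by spoofing its MAC, which is why the exclusion timeout should stay short.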
Layer 2 Security Solutions
None Authentication
This example shows a WLAN which is configured with no authentication.
Note:
This example also works for No Layer 3 authentication.
Configure WLC for No Authentication
Complete these steps in order to configure the WLC for this setup:
1. Click WLANs from the controller GUI in order to create a WLAN.
The WLANs window appears. This window lists the WLANs configured on the controller.
2. Click New in order to configure a new WLAN.
3. Enter the WLAN ID and WLAN SSID.
In this example, the WLAN is named NullAuthentication and the WLAN ID is 1.
4. Click Apply.
5. In the WLAN > Edit window, define the parameters specific to the WLAN.
6. From the Layer 2 and Layer 3 Security pull-down menus, choose None.
This enables no authentication for this WLAN. Select the other parameters, which depend on the design requirements. This example uses the defaults.
7. Click Apply.
Configure Wireless Client for No Authentication
Complete these steps in order to configure the Wireless LAN Client for this setup:
Note:
This document uses an Aironet 802.11a/b/g Client Adapter that runs firmware 3.5, and explains the configuration of the client adapter with ADU version 3.5.
1. In order to create a new profile, click the Profile Management tab on the ADU.
2. Click New.
3. When the Profile Management (General) window displays, complete these steps in order to set the Profile Name, Client Name, and SSID:
a. Enter the name of the profile in the Profile Name field.
This example uses NoAuthentication as the Profile Name.
b. Enter the name of the client in the Client Name field.
The client name is used to identify the wireless client in the WLAN network.