CNET324 Lab 4-Wireless VLAN with RADIUS Authentication

Lab 5: Wireless VLAN with RADIUS Authentication Lab 4 Lab 4: Wireless VLAN with RADIUS Authentication *By signing above, you attest that you have contributed to this submission and confirm that all work you have contributed to this submission is your own work. Any suspicion of copying or plagiarism in this work will result in an investigation of Academic Misconduct and may result in a “0” on the School of Engineering Technology and Applied Science (SETAS) Information and Computing Engineering Technology (ICET) CNET 324 - Wireless Networks Course Lead: Dr. Sattar Hussain Section No. 002 Group No. 06 Obtained Mark (out of 20) Due Date February 12, 2024 Name Student ID Signature* Saad 301284248 S Shivani Bajaj 301312712 SB Alka 301281875 A

Lab 5: Wireless VLAN with RADIUS Authentication Overview If you use VLANs on your wireless network and assign different SSIDs to these VLANs, you can use any of the security settings on the Express Security page of the Cisco AP1242G Aironet Access Point. Without VLANs, encryption settings options apply to an interface are limited. Just as you use the Express Setup page to assign basic setting, you can use the Express Security page to create unique SSIDs and assign one of four security types to them. For detailed security, refer to the Cisco IOS Software Configuration Guide for Cisco Access Points . When the access point configuration is set to factory defaults, the first SSID that you create by using the Express Security page overwrites the default SSID, which has no security settings. The SSIDs that you create appear in the SSID table at the bottom of the page. You can create up to 16 SSIDs on the access point. The four security types provided by the Express Setup page are: No Security: This is the least secure option. You should use this option only for SSIDs used in a public space and assign it to a VLAN that restricts access to your network. Static WEP Key: Static WEP keys are vulnerable to attack. If you configure this setting, you should consider limiting association to the wireless device based on MAC address or, if your network does not have a RADIUS server, consider using an access point as a local authentication server. EAP Authentication: This option enables 802.1X authentication (such as LEAP, PEAP, EAP-TLS, EAP-FAST, EAP-TTLS, EAP-GTC, EAP-SIM, and other 802.1X/EAP based products). This setting uses mandatory encryption, WEP, open authentication + EAP, network EAP authentication, no key management, RADIUS server authentication port 1645. You are required to enter the IP address and shared secret for an authentication server on your network (server authentication port 1645). Because 802.1X authentication provides dynamic encryption keys, you do not need to enter a WEP key. WPA: Wi-Fi Protected Access (WPA) permits wireless access to users authenticated against a database through the services of an authentication server, then encrypts their IP traffic with stronger algorithms than those used in WEP. This setting uses encryption ciphers, TKIP, open authentication + EAP, network EAP authentication, key management WPA mandatory, and RADIUS server authentication port 1645. As with EAP authentication, you must enter the IP address and shared secret for an authentication server on your network (server authentication port 1645). Learning Objectives By completion of this lab, students will be able to: - Configure VLANs on Cisco Access Points using of the command−line interface (CLI) - Configure Cisco 2950 Catalyst switch using of the command−line interface (CLI) - Configure VLANs with RADIUS authentications - Test the VALNs connectivity with RADIUS authentication Required Equipment - 1 Cisco AP1242G Aironet Access Point - 2 desktop computers running WINDOWS 7 or Windows 10 operating system - 2 Laptops with WINDOWS 7 or Windows 10 operating system - 1 Cisco 2950 Catalyst switch - 2 Whip WiFi 2.4 GHz antennas

Lab 5: Wireless VLAN with RADIUS Authentication The numbering plan to be used for this lab is as follows: Cisco 1242G Factory Setting         Default IP address 10.0.0.1       Subnet Mask 255.255.255.0       User name:       Password: Cisco       NOTE: Change LAN settings to static IP address.                 Group # Network Host Name VLAN to be used IP Address Subnet Mask 1 AP As per lab instructions As per lab instructions 255.255.255.0 2 AP As per lab instructions As per lab instructions 255.255.255.0 3 AP As per lab instructions As per lab instructions 255.255.255.0 4 AP As per lab instructions As per lab instructions 255.255.255.0 5 AP As per lab instructions As per lab instructions 255.255.255.0 6 AP As per lab instructions As per lab instructions 255.255.255.0 7 AP As per lab instructions As per lab instructions 255.255.255.0 8 AP As per lab instructions As per lab instructions 255.255.255.0 Procedure Important: read the following notes before starting your lab a) The following procedure is based on Windows 7. If a different system is used, the procedure may be slightly different. b) In each laptop, turn off MacAfee Protection. Turn Off the Windows Firewall for Home or work (private) networks. Make sure each laptop is disconnected from Centennial WiFi network. c) EACH OF THE PCS , CELLPHONES AND THE AP SHOULD HAVE UNIQUE IP ADDRESS BUT ALL MUST BE IN THE SAME SUBNET TO COMMUNICATE. d) Handle lab equipment with extra care. Dropping or misusing equipment may damage them. Ask your professor if you are not sure about any step of the lab procedure e) Read the label on the power adapter (charger) of the access point. Make sure that you are using the right one. Using a different charger will damage the wireless access point.

Lab 5: Wireless VLAN with RADIUS Authentication Task 1: Set up WAP on 802.11g Radio Interface Note: If you have not copied the configuration file from lab 4, repeat these steps exactly as you have done in lab 4 1. Before you power up the access point , connect two 2.4-GHz external antennas as shown. Make sure to connect these antennas to 2.4 GHz side of the AP . Notice the difference in the shape of the 2.4 GHz and the 5 GHz antenna. This will help in identifying the 2.4 GHz antenna. 1. Use a Hyper terminal or PuTTY to go on CLI. 2. Use the USB to Serial adapter. Load the drivers if it is required and verify the COMM port by going through the Device manager. 3. Set up a terminal emulator on your PC to communicate with the access point. Use the following settings for the terminal emulator connection: 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control. Commands are: ap > Enable ap # Config terminal ap (config) # Interface bvi1 ap (config-if) # IP address 10.0.x.1 255.255.255.0 (Replace x with your group number) ap (config-if) # end Exit 4. Change the Local Area Network (Ethernet) Adapter IP address of to be in the same subnet of the access point (10.0.x.X) where X any number 2-254. 5. Open the Browser and type 10.0.x.1. Login with  Username {blank}  Password: Cisco You should now see the summary status 5 GHz antennas 2.4 GHz antennas

Lab 5: Wireless VLAN with RADIUS Authentication Task 2: Enabling Radio Interfaces You may refer to lab 4 this task or simply follow these steps: To enable the radio interfaces, follow these instructions: a) Click Network Interfaces > Radio0-802.11G and the 2.4 GHz radio status page appears. b) Click Settings tab on the top of the page. The radio settings page appears. c) Click Enable in the Enable Radio field. d) Click Apply . e) Close your web-browser. Task 3: Configuring Security Setting The following steps are required to complete the VLANs configuration:  Configure the native VLAN on the AP.  Configure VLANs for the guest users and the admin users on the AP.  Configure the Catalyst switch. REFER TO LAB 4 INSTRUCTIONs ON HOW TO CONFIGURE THE FOLLOWING STEPS

Lab 5: Wireless VLAN with RADIUS Authentication Configure the Native VLAN on the AP Configure VLANs for Guest Users and Admin Users on the AP Configure the Catalyst Switch Erase and reload the switch Create VLANS Configure Fa0/10 as a trunk port Testing and Verifying the Networks Task 4: RADIUS 802.1x Authentication Setup This configuration is to use the LOCAL RADIUS SERVER for authentication of cisco LEAP protocol (Windows 7) or Protected EAP (PEAP)(Windows 10). As with most password-based authentication algorithms, Cisco LEAP is vulnerable to dictionary attacks. This is not a new attack or new vulnerability of Cisco LEAP. The creation of a strong password policy is the most effective way to mitigate dictionary attacks. This includes the use of strong passwords and the periodical expiration of passwords. This document uses this configuration for both GUI and CLI: a) Use IP address provided. b) The SSID provided c) User Name: user1 d) Password: Testuser 1. On the cisco access point portal, go to Security>> Server Manager . a. Enter the IP address of the authentication server in the Server field. ( IP address of your access point) b. Choose the secret key CNET324 c. Enter the ports numbers 1812 and 1813 as the Local Radius Listening Ports. d. Click Apply and OK

Lab 5: Wireless VLAN with RADIUS Authentication 3. Go to Security>> SSID Manger and  Select the desired SSID  In SSID properties of right hand side, check the box labelled Radio0-802.11G interface  Under " Methods Accepted," in Client Authentication settings. Check the box labelled   Open   Authentication and use the dropdown list to choose   With EAP .  Under " Methods Accepted," in Client Authentication settings. Make sure Shared Authentication is unchecked .  Under " Methods Accepted," in Client Authentication settings. Check the box labelled   Network EAP and use the dropdown list to choose   No Addition .  Under " Server Priorities," in Client Authentication settings. In EAP authentication server, check the Customize and select the Access point IP address in Priority 1 filed  Click Apply and OK . 4. Go to Local RADIUS Server in Security and a. Go to General Setup b. Under Local RADIUS Server Authentication Settings, check LEAP and click Apply c. Define the IP address (IP address of AP) and shared secret ( CNET324 ) of the RADIUS server d. Click Apply and OK e. Scroll down to the Local RADIUS Server under the General Setup and define the individual users and passwords i. User name: user1 ii. Password: Testuser

Lab 5: Wireless VLAN with RADIUS Authentication f. Click Apply and OK 5. [2 marks] Take a screen shot of the SSID manager and place it below 6. [2 marks] Take a screen shot of the User Name/Password Security Setup and place it below

Lab 5: Wireless VLAN with RADIUS Authentication iii. Click Ok twice to close the dialog boxes 4. Click on your SSID in wireless connection to connect to network 5. Enter the username and password created earlier in dialog box of leap credentials 6. Change the IP address of connected network and verify the connectivity using Ping

Lab 5: Wireless VLAN with RADIUS Authentication 7. Using the PC. Use these commands to troubleshoot your configuration on the AP: [3 marks] show vlans

Lab 5: Wireless VLAN with RADIUS Authentication

Lab 5: Wireless VLAN with RADIUS Authentication [1 mark] show vlans dot1q [1 mark] show dot11 associations

Lab 5: Wireless VLAN with RADIUS Authentication On the Catalyst 2950 switch, you can use these commands in order to troubleshoot the configuration: [2 mark] show vlans

Lab 5: Wireless VLAN with RADIUS Authentication [2 mark] show interface fastethernet x / x switchport