Description:
If an access point is installed in a public space and is freely accessible, we recommend that you configure a secure network scenario that ensures that a client (e.g. a notebook PC) is unable to gain access to a company network even if it is connected by cable to the Ethernet socket that is intended for use by the access point.
This document uses an example to demonstrate how to modify the configuration of an existing scenario to prevent an unauthorized client from gaining access to the company network.
Requirements:
- LANCOM WLAN-Controller
- LCOS-based access point
- GS-23xx series switch
- LCOS as of version 8.80 (download latest version)
- LANtools as of version 8.80 (download latest version)
- Installed and functional Wi-Fi.
- Installed and functional Public Spot.
Scenario:
- A hotel operates an internal management network for use by the hotel's employees, including their Wi-Fi devices.
- The access points are connected by Ethernet to a central switch and are managed by a LANCOM WLAN controller.
- The access points are set up with two SSIDs, so that hotel guests can also use the hotel's Wi-Fi by means of a Public Spot.
The following adjustments to the configuration ensure that only the access point is able to access the company network when it is connected to the Ethernet socket:
- The switch port that the access point connects to performs authentication as per IEEE 802.1X.
- In the final configuration state only one MAC address is permitted per switch port, so one WLC tunnel per SSID is configured between the access point and the WLAN controller.
Procedure:
1) Configuration steps on the LANCOM WLAN controller:
1.1) Open the configuration of the WLAN controller in LANconfig, go to the menu RADIUS → Server and enable the WLAN controller's RADIUS server by setting the checkmark for RADIUS authentication active.
1.2) Open the RADIUS services ports menu and ensure that the Authentication port is set to the value 1812.
1.3) In the User table, create an account for each access point in order for it to use 802.1X to authenticate at the RADIUS server of the WLAN controller.
1.4) In this example, both the Name/MAC address and the Password are set to ap1. In live operation, please be sure to use secure usernames and passwords.
1.5) Switch to the menu RADIUS → Server → IPv4 clients and add the LANCOM switch as an approved RADIUS communication partner.
- In this example, the LANCOM switch has the local IP address 192.168.1.200 and the subnet mask is 255.255.255.255.
- Set the protocols to RADIUS.
- In order for the switch to authenticate as a permitted RADIUS client at the RADIUS server, you need to set a password (shared secret). The password set here is required for the subsequent configuration of the switch (see step 3.3).
1.6) Switch to the menu WLAN controller → Profiles → Logical WLAN networks (SSIDs) and create the necessary WLC tunnels for the SSIDs used; in this example, these are Hotel-Internal and Hotel-Guest.
1.7) The SSID Hotel-Internal is to be connected with the WLC-Tunnel-1.
The SSID Hotel-Internal is secured with WPA2 encryption and a passphrase.
1.8) The SSID Hotel-Guest is to be connected with the WLC-Tunnel-2.
The SSID Hotel-Guest is operated without encryption, as guests log in to this Wi-Fi network via the Public Spot.
1.9) Navigate to the menu Public-Spot → Server → Operational settings → Interfaces.
1.10) Enable user authentication on the Public Spot for the WLC-Tunnel-2.
2) Configuration steps on the LANCOM access point:
In order for the access point to be able to authenticate at the RADIUS server of the WLAN controller, the authentication method and the login credentials must be set on the access point. This example uses the authentication method TLS. The user data of the access point were configured on the WLAN controller in step 1.4.
2.1) Open a Telnet or SSH session on the access point and go to the path Supplicant-Ifc-Setup:
cd /Setup/LAN/IEEE802.1x/Supplicant-Ifc-Setup
2.2) Go to the path for the LAN interface. For this example we are using interface LAN-1.
cd LAN-1
2.3) Use the following command to set the user data for authentication at the RADIUS server:
set credentials <username>:<password>
In this example, the command is set credentials ap1:ap1
2.4) Use the following command to set the authentication method to PEAP/MSCHAPv2:
set Method PEAP/MSCHAPv2
3) Configuration steps on the LANCOM switch:
3.1) Open the configuration interface for the LANCOM switch and navigate to the menu item Security → NAS → Configuration.
- Set the Mode option to Enabled.
- Under Port configuration, set the option Single 802.1X for those ports that are to operate with authentication as per 802.1X.
3.2) Scroll to the end of the configuration page and click on Apply to accept the new settings.
3.3) Switch to the menu Security → AAA → Configuration. In the section RADIUS authentication server configuration, set the option in the first line to Enabled.
- In the section IP address/host name, enter the local IP address of the LANCOM WLAN controller.
- The default port 1812 can be accepted, as the WLAN controller also uses this as the RADIUS authentication port.
- In the field Secret, enter the same shared secret as that entered into the configuration of the LANCOM WLAN controller in step 1.5.
3.4) Scroll to the end of the configuration page and click on Apply to accept the new settings.
3.5) In order for the settings to be saved as boot persistent, go to the Maintenance → Save/restore menu and save the configuration as the start configuration.
3.6) The configuration of the switch is now complete.
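A useful check after completing the steps above is to confirm that the switch-to-controller RADIUS leg (port 1812 from step 1.2, the client entry and shared secret from step 1.5, the user ap1 from step 1.4) is actually wired up before an access point is attached. The following script is an added example and not part of the LANCOM article: it builds a RADIUS Access-Request (RFC 2865) the way the switch does, hides the password with the shared secret, and verifies the Response Authenticator of the reply so that an answer from a host that does not know the secret is rejected. It assumes a PAP request (the access point itself uses PEAP/MSCHAPv2 carried inside EAP, which this does not emulate), a placeholder shared secret and an assumed WLC address, since the article gives only the switch's IP.

```python
import hashlib
import hmac
import socket
import struct

# Constructed values: replace with the shared secret from step 1.5 and the WLC's real address
RADIUS_SECRET = b"placeholder-shared-secret"
WLC_IP = "192.168.1.1"      # assumed; the article only states the switch's 192.168.1.200
AUTH_PORT = 1812            # the authentication port from steps 1.2 and 3.3


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encrypt_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each chunk with MD5(secret + previous chunk)."""
    if len(password) % 16 or not password:
        password += b"\x00" * (16 - len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        block = bytes(a ^ b for a, b in zip(password[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decrypt_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """The inverse operation the RADIUS server (here the WLC) performs to recover the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, username, password, nas_ip, ident, authenticator):
    """Access-Request (Code 1) carrying User-Name(1), User-Password(2) and NAS-IP-Address(4)."""
    attrs = (attr(1, username) + attr(2, encrypt_password(secret, authenticator, password))
             + attr(4, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(secret, code, ident, request_authenticator, attrs=b""):
    """What the server sends back (2 = Access-Accept, 3 = Access-Reject), with its Response Authenticator."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs


def verify_response(secret, request_authenticator, response):
    """Trust a reply only if MD5(Code+ID+Length+RequestAuth+Attrs+Secret) matches its authenticator."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

To run a live check, send `build_access_request(RADIUS_SECRET, b"ap1", b"ap1", "192.168.1.200", 1, os.urandom(16))` over UDP to `(WLC_IP, AUTH_PORT)` and pass the reply to `verify_response` with the same authenticator; a reply whose first byte is 2 and that verifies means the client entry, secret and user account are all correct.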