Tuesday, 30 October 2018

AP Recovery from ROMMON Mode


Configure the IP Address in AP 
ap: set IP_ADDR 192.168.100.20

Configure the Mask in AP
ap: set NETMASK 255.255.255.0

Configure the Gateway in AP
ap: set DEFAULT_ROUTER 192.168.100.1

Prepare the Access Point for TFTP
ap: tftp_init
ap: ether_init
ap: flash_init

Enter the tar command to load and inflate the new image from your TFTP server
ap: tar -xtract tftp://192.168.100.10/FILE-NAME.tar flash:

Check the dir flash
ap:dir flash:

Set the file-name/ios for boot
ap:set BOOT flash:/FILE-NAME.tar

Reload the AP
ap:boot

WLC Radius Server Fallback Modes


Active Mode
In active mode, when a server does not respond to the WLC authentication request, the WLC marks the server as dead and then moves the server to the non-active server pool and starts to send probe messages periodically until that server responds.

If the server responds, then the WLC moves the dead server to the active pool and stops sending probe messages.

In this mode, when an authentication request comes, the WLC always picks the lowest index (highest priority) server from the active pool of RADIUS servers.

The WLC sends a probe packet after timeout (the default is 300 seconds) in order to determine server status in case the server was unresponsive earlier.

Passive Mode
In passive mode, if a server does not respond to the WLC authentication request, the WLC moves the server to the inactive queue and sets a timer. 

When the timer expires, the WLC moves the server to active queue irrespective of the server's actual status. When an authentication request comes, the WLC picks the lowest index (highest priority) server from the active queue (which might include the non-active server).

If the server does not respond then the WLC marks it as inactive, sets the timer, and moves to the next highest priority server. This process continues until the WLC finds an active RADIUS server, or the active server pool is exhausted.

The WLC assumes the server is active after timeout (the default is 300 seconds) in case the server was unresponsive earlier. If it is still unresponsive, the WLC waits for another timeout and tries again when an authentication request comes in.

Off Mode
In off mode, the WLC supports failover only. In other words, fallback is disabled. When the primary RADIUS server goes down, the WLC will failover to the next active backup RADIUS server. The WLC continues to use the secondary RADIUS server forever, even if the primary server is available.

Aggressive Failover
If the aggressive failover feature is enabled in the WLC, the WLC is too aggressive to mark the AAA server as "not responding". However this should not be done because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can be a response to other valid clients with valid certificates. The WLC can still mark the AAA server as "not responding" and "not functional".

In order to overcome this, disable the aggressive failover feature. Enter the "config radius aggressive-failover disable" command from the controller in order to perform this. 

If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.

WLC Commands to enable Fallback Radius
The first step is to select the mode of RADIUS server fallback. As mentioned earlier, the WLC supports active and passive modes of fallback.

In order to select the mode of fallback, enter this command:
WLC1 > config radius fallback-test mode {active/passive/off}
  • active - Sends probes to dead servers to test the status.
  • passive - Sets server status based on the last transaction.
  • off - Disables the server fallback test (default).
The next step is to select the interval which specifies the probe interval for active mode or the inactive time for the passive modes of operation.

In order to set the interval, enter this command:
WLC1 > config radius fallback-test mode interval {180 - 3600}
<180 to 3600> - Enter the probe interval or inactive time in seconds (the default is 300 seconds).

The interval specifies the probe interval in the case of active mode fallback or inactive time in the case of passive mode fallback.
For the active mode of operation, you need to configure a username which will be used in the probe request sent to the RADIUS server.

In order to configure the username, enter this command:
WLC1 >config radius fallback-test username {username}
    <username> - Enter a name up to 16 alphanumeric characters (the default  is cisco-probe)

    Thursday, 25 October 2018

    WLC Auto Anchoring


    Auto Anchoring is used when you are anchoring a WLAN to a particular controller in the mobility domain.

    Most common use of Auto Anchor is Wireless Guest service where all guest traffic tunnel back to DMZ controller irrespective of where they associate to network.


    In this we configure the WLC IP Address and MAC Address in each other’s mobility groups.

    WLC GUI
    Controller-> Mobility Groups


    we need to make sure that both wlc has been added and control and data path is up.


    WLC - IP Address
    WLC - Mobility Group Name
    WLC - MAC Address


    Must be added for data and control path to go UP.
    Once we are done with this, we now need to map the anchor in WLAN.

    Go at the end of WLAN drop down menu select Mobility Anchors


    Configure the same in anchor WLC (Anchor WLC itself is a Anchor so we need to select local in Anchor WLC)


    After all these settings when clients connect to the SSID where an anchor is mapped, actual client details is seen in anchor controller.

    Always remember Layer 2 security is handled by Foreign WLC and Layer 3 security is handled by Anchor WLC.

    In an Auto Anchor mobility, Client point of attachment is known as Export Foreign and Client Point of presence is known as Export Anchor.

    Roaming in WLC



    There are 3 types of Roaming

    1. Intra Controller
    2. Inter Controller
    3. Inter Controller - L3
    Intra Controller


    In intra controller roaming, when client goes from one AP to different AP and both AP is connected in single WLC then only client state & security context will be updated in WLC.

    Inter Controller


    In inter controller roaming, when client goes from one AP to different AP and other AP is connected in different WLC then client state & security context will be moved in WLC.

    Inter Controller - L3
    In inter controller - L3 roaming, when client goes from one AP to different AP and other AP is connected in different WLC with different VLAN for WLAN in which the client is connecting then client state & security context will be copied in WLC.



    In this scenario, original WLC marks the client entry as Anchor and new WLC marks the client entry as Foreign.

    The two WLC is now referred to Anchor WLC and Foreign WLC respectively, client will keep the IP address unchanged and that is the real advantage.


    Tuesday, 23 October 2018

    DHCP Snooping and IP ARP Inspection




    DHCP snooping is a DHCP security feature to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients.

    It provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.

    DHCP Snooping works along with IP ARP inspection, it is a security feature that protects ARP (Address Resolution Protocol) which is vulnerable to an attack like ARP poisoning.

    DAI checks all ARP packets on untrusted interfaces, it will compare the information in the ARP packet with the DHCP snooping database and/or an ARP access-list. If the information in the ARP packet doesn’t match with database/snooping table or with access-list, it will be dropped.

    We first need to enable DHCP snooping, both globally and for VLAN
    Switch(config)#ip dhcp snooping
    Switch(config)#ip dhcp snooping vlan 20

    Trust the interface pointing towards DHCP Server to accept DHCP messages from and to DHCP Server
    Switch(config)#interface fastethernet0/1
    Switch(config)#ip dhcp snooping trust 
    Switch#show ip dhcp snooping
    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs:
    20
    DHCP snooping is operational on following VLANs:
    20
    DHCP snooping is configured on the following L3 Interfaces:
    Insertion of option 82 is enabled
       circuit-id format: vlan-mod-port
       remote-id format: MAC
    Option 82 on untrusted port is not allowed
    Verification of hwaddr field is enabled
    Verification of giaddr field is enabled
    DHCP snooping trust/rate is configured on the following Interfaces:
    Interface               Trusted Allow option  Rate limit (pps)
    --------------------   ---------- -----------------  ---------------------
    Fastethernet0/1     yes            yes               unlimited
     Custom circuit-ids:

    Option 82 
    By default, switch adds option 82 into dhcp request packet before forwarding to DHCP server. Actually, information option addition task is supposed to be done by DHCP realy device with giaddr field to non-zero vlaue. DHCP server assigns ip addresses based on option 82 parameters and forwards packets to ip address mentioned in giaddr field. But when switch forwards dhcp packet with option 82 information, it does not change giaddr field to non-zero value, it remians to 0.0.0.0 only.
    DHCP server expects a packet with option field should have giaddr field to some non-zero value but observs that its zero hence rejects them
    To avoid this configure "no ip dhcp snooping information option" in switch, so that switch does not add option field in dhcp packet

    Lets check our table !
    Switch#show ip dhcp snooping binding 
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  --------------------
    00:11:22:33:44:55   192.168.0.1      65330       dhcp-snooping   20   FastEthernet0/3
    Total number of bindings: 1
    As you can see above, we have 1 dhcp client available in dhcp binding database.

    Now lets configure ip arp inspection
    Switch(config)#ip arp inspection vlan 20
    Switch(config)#interface fastethernet0/1
    Switch(config)#ip arp inspection trust
    Switch#show ip arp inspection
    Source Mac Validation      : Disabled
    Destination Mac Validation : Disabled
    IP Address Validation      : Disabled
    Vlan     Configuration    Operation   ACL Match          Static ACL
     ----     -------------    ---------   ---------          ----------
       20     Enabled          Active
    Vlan     ACL Logging      DHCP Logging      Probe Logging
     ----     -----------      ------------      -------------
       20     Deny             Deny              Off
    Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
     ----      ---------        -------     ----------      ---------
       20              0              0              0              0
    Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
     ----   ------------    -----------  -------------   -------------------
       20              0              0              0                     0
    Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
     ----   -----------------   ----------------------   ---------------------
       20                   0                        0                       0
    Source MAC, destination MAC, and IP address validation are showing as disabled.
    you can enable optionally (optional) to have thorough security with “ip arp inspection validate” command.

    Below is the details to use the option
    dst-mac(Optional) : Enables validation of the destination MAC address in the Ethernet header against the target MAC address in the ARP body for 
    ARP responses. The device classifies packets with different MAC addresses as invalid and drops them.
    ip(Optional) : Enables validation of the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. The device checks the sender IP addresses in all ARP requests and responses and checks the target IP addresses only in ARP responses.
    src-mac (Optional)  : Enables validation of the source MAC address in the Ethernet header against the sender MAC address in the ARP body for ARP requests and responses. The devices classifies packets with different MAC addresses as invalid and drops them.

    Lets look at the ARP Inspection to allow static clients to reach the destination
    As an example now if Attacker/Rogue Device with static IP configured with it, tries to ping DHCP Server, it will fail reason being is, there is no entry found in the dhcp snooping binding table, also there is no ACL configured to accept the packet from this device.
    To allow untrust to trust either "ip arp inspection trust" command is required or ACL must be configured.
    ACL can be configured to accept the packet if the port is untrust and static IP is assigned to the device, in our case it is the Static client who wants to connect to the network and for this we can configure the access-list.

    Below is the command to configure access-list
    Switch(config)#arp access list acl-name
    Switch(config-arp-acl)#permit ip host IP_ADDRESS mac host MAC_ADDRESS 

    Applying access list
    Switch(config)#ip arp inspection filter acl-name vlan 20

    That's it for DHCP Snooping and IP ARP Inspection !

    Monday, 22 October 2018

    WLC useful commands


    To configure IP Address in AP
    config ap static-ip enable AP-NAME IP-ADDRESS MASK GATEWAY

    To configure AP Credentials for Telnet/SSH
    config ap telnet enable AP-NAME
    config ap ssh enable AP-NAME
    config ap mgmtuser add username USERNAME password PASSWORD enablesecret ENABLE-PASSWORD AP-NAME

    config ap mgmtuser add username USERNAME password PASSWORD enablesecret ENABLE-PASSWORD all 

    To change AP mode
    config ap mode MODE AP-NAME

    To configure ap group name in AP
    config ap group-name GROUP-NAME AP-NAME

    To configure flexconnect native vlan in AP
    config ap flexconnect vlan native VLAN-ID AP-NAME

    To check vlan id of interface
    show interface summary

    To check wlan id of interface
    show wlan summary

    To map vlan id to wlan in flexconnect AP
    config ap flexconnect vlan wlan WLAN-ID VLAN-ID AP-NAME

    To configure wlan and mapping wlan interface in ap group
    config wlan apgroup interface-mapping add GROUP-NAME WLAN-ID INTERFACE-NAME

    To downgrade AP to autonomous from WLC
    config ap tftp-downgrade TFTP-IP-ADDRESS FILENAME AP-NAME

    To check cdp neighbour of AP
    show ap cdp neighbors detail AP-NAME

    To disable wireless clients from connecting network (Adding clients in exclusion list)
    config exclusionlist add MAC-ADDRESS DESCRIPTION


    To configure AP Group in access point from WLC CLI
    config ap group-name AP-GROUP-NAME AP-NAME

    To configure AP High Availability from WLC CLI

    config ap primary-base WLC-NAME AP-NAME WLC-IP-ADDRESS

    To enable LED of AP
    config ap led-state enable AP_NAME

    To disable LED of AP
    config ap led-state disable AP_NAME

    To reload AP
    config ap reset AP-NAME

    To configure ip address in interface

    config interface address management IP-ADDRESS SUBNET_MASK GATEWAY

    To configure vlan in interface

    config interface vlan management VLAN-ID

    To apply filter in WLC for quick findings
    grep include “pattern” “commands”

    Examples..
    grep include "AP Serial Number" "show ap config general AP-NAME"
    grep include "MAC Address" "show ap config general AP-NAME”
    grep include "IP Address" "show ap config general AP-NAME"

    Upgrading IOS in L2 switches


    Copy the new IOS image to switch
    copy tftp: flash:

    verify the image
    verify /md5 flash:IOS-NAME

    Configure the boot path to new IOS
    boot system switch all flash:/PATH

    Verify the path
    sh boot

    Save the config
    write
    Now you are all set to reboot the device !

    What are Sticky Clients ?

    What are Sticky Clients ? CREDIT : http://wifinigel.blogspot.com/2015/03/what-are-sticky-clients.html One term you'll often hear banded ...