ENCOR (350 401) - WLAN EAP Configuration

Video Statistics and Information

Captions
[Music] Hey, welcome back to the channel, everybody. In this week's video we're gonna have Charles Judd explain to us, in fact he's gonna demonstrate, the configuration of EAP, that's Extensible Authentication Protocol, on a Cisco wireless LAN controller. After all, if we have a really large wireless environment, we probably don't want to be handing out a single shared secret key to everybody; that's not scalable. So what we can do instead is have every user have their own account, and Charles is going to show us how to set up a user account locally on the wireless LAN controller or point to a RADIUS server that might have a database of users already, and we can just leverage that.

And by the way, as I record this on April 15th, 2020, Cisco just announced that we can now do online testing. It's proctored online testing: you're going to have a webcam and there's gonna be a proctor that's watching you take the exam, trying to cut down on cheating. But great news, we're no longer prevented from taking Cisco exams. And by the way, this training coming up today in this video, this is from our ENCOR video training series, and if you like this video, do me a favor and click on the like button down below and also subscribe to our channel so you don't miss any of our weekly content. Now let's join Charles as we take a look at how to set up Extensible Authentication Protocol on a Cisco wireless LAN controller.

I'm gonna take a look now at how to configure EAP-based authentication, first using an external RADIUS server. The RADIUS server is going to be our AAA server where the user database is stored. So the first thing we're gonna need to do is to configure the wireless LAN controller so that it recognizes the external RADIUS server, and we'll first do that by logging in to the wireless LAN controller, which I've already done here. You can see that that lands us at a main monitoring page with a summary. From there we can choose the Security page that's found along the top navigation menu, and then you can see that our first submenu on the left-hand side is already expanded, and that's the submenu for AAA services. From there you can see we have options for both RADIUS and TACACS+, and underneath the RADIUS option, which is expanded, we can choose the Authentication submenu. That's going to allow us to define our external RADIUS server. From there, at the top right, we have a New button, so that's what we want to choose; we want to define a new RADIUS server.

After I choose that, right up top you can see that we have something called the server index, or the priority, and the server with the lowest server index is going to be assumed to be the most preferred server for use with this wireless LAN controller. So if that server becomes unresponsive, then the wireless LAN controller is going to switch to the next lowest server index. So if you have multiple RADIUS servers, you'll want to make sure that your primary server is configured with the lowest server index. Now in our case I'm only going to configure a single instance of RADIUS server, so we can leave that index priority value set to 1.

Next we want to enter the RADIUS server's IP address. In my case I'll use the IP address 10.10.10.5. And next we want to enter a shared secret key. The RADIUS shared secret is used to make sure there is secure communication between a RADIUS server and a RADIUS client, and in this case the client is going to be our wireless LAN controller. Now at this point in the configuration we would already have a shared secret key configured on the actual RADIUS server, so here you just want to make sure that that key matches when it's input on the wireless LAN controller. That's going to make sure there are no communication errors. Also notice that you can input that in either ASCII or hex. Now ASCII is the most common format for that, so I'm going to leave that be, and we'll enter the same shared secret key that is configured on the RADIUS server itself. So we have that done.

Next up, notice there is the Key Wrap option, and that is disabled by default. Now what the key wrap does is it wraps the shared secret key with an AES encryption, so it's really strong; it encapsulates that shared secret with super strong encryption. And you can see it stated that this is designed for FIPS customers, and FIPS stands for Federal Information Processing Standards. These are cryptographic standards specified by the United States government. Now these would be mandatory for any US government employee computer, so any computer used for government work, that would need to be FIPS-compliant. I'm gonna leave that disabled in our example.

And next we want to check the port number. By default RADIUS uses UDP port 1812 for authentication. That's already populated, as you can see, so we can leave that there. Now if you do happen to have your RADIUS server configured for communication on another port for some reason, obviously you want to change that here as well so that they have communication. And finally you can see that the server status is set to Enabled, which is what we want. Now if we had multiple RADIUS servers configured under here, that would allow you to easily disable a server. Maybe you had a server fail or maybe it needs servicing; you can simply click on that and change the status to Disabled, and that will take that out of service temporarily. Once we have all that populated, we can hit the Apply button to save that, and we've now identified our external RADIUS server. We can see that listed here under the list of RADIUS authentication servers.

The next thing we need to do is enable 802.1X authentication on our wireless network. Back along the top menu we can see the WLANs menu near the left, so we want to choose that, and from there we can see our SSIDs that are configured. I'm going to choose the corporate network. So I have a couple of SSIDs, I have a corporate and a guest, so I'll choose corporate, and from there I'll select the Security tab, the second tab from the left. If we look at these settings, you can see that the default settings that are in place are actually already going to take care of what we want to do. Layer 2 security, that defaults to WPA+WPA2, so it is going to be WPA2 capable, and we can see that the WPA2 policy has a blue checkmark, meaning that it is enabled. Also, right below that, AES also has a blue checkmark, so that means we are using the strongest security option here. And under the Authentication Key Management area we see the very top option is 802.1X; that is also already enabled. Now if we have older clients, maybe they're not capable of 802.1X authentication, we could also enable PSK, pre-shared key, so that allows us to do that, but ideally in an enterprise environment we don't want to do that. So we're gonna leave that 802.1X authentication enabled, and that completes everything inside of this Layer 2 tab.

Now at the top we can move over to the AAA Servers tab, and from here we'll be able to see our list of configured RADIUS servers. By default these are gonna be populated according to the server index that you've given them when you configure the external servers. So again, since we only have a single instance of a RADIUS server identified, that's all we see in this list. We see the IP address and the port number listed here in the drop-down, so we can choose that, and then we can go up and hit the Apply button on the top right. Notice that we do get a message here saying that that's going to temporarily disable our wireless network. So here's a pro tip: you don't want to do that during production; you'll have some very, very unhappy users. So in my case, in a lab environment, that's okay. I'm gonna just go ahead and click the OK button, and then that's finished, and that's all we need to do to complete the configuration for EAP using an external RADIUS server.

Now maybe you have a smaller environment, or maybe you don't have a RADIUS server. In that case you can use something called local EAP instead, and local EAP is going to use an authentication server that is actually built into the wireless LAN controller. So we can set that up by going back to the Security tab near the top, and now on the left menu structure, about halfway down, we see the Local EAP option. So we want to choose that; that's going to expand the submenu, and we want to click Profiles. Notice that we don't currently have any profiles; I don't have local EAP set up yet. So we'll want to go to the right and we want to click New to create a new profile. We want to give that a name; I'm just filling that local-EAP, and we can hit the Apply button. Now we can see our new profile listed in the Local EAP Profiles window. Now we want to actually click on the profile name, and that's going to allow us to edit some of the attributes of that profile, and you can see all of the parameters that we have there. You see that we can actually choose which type of EAP we want to use. I'm gonna choose Protected EAP, and I'm gonna hit Apply again.

Now that we have a local EAP profile, we can go back to the WLANs menu near the top left, and we want to choose one of our networks. I'm gonna choose again the corporate network, and I'm going to go back to that Security tab as well. Then I want to choose AAA Servers under the sub-tabs. The first thing we want to do, if we're using local EAP, we want to make sure that we don't have any external RADIUS servers enabled here, and you see that we do actually have the RADIUS server that we already configured listed and enabled there. So what we want to do, beside Server 1, we want to go and click in that drop-down and we want to choose None. That's gonna make sure that it's not looking for that external server instead. So we want to make sure that none of those are defined when we're using local EAP. Now if we scroll down to the bottom of that window, you can see that we see the option for Local EAP Authentication, and of course by default that is disabled. So we can enable that simply by clicking the box, and then the name of our profile that we set up already is populated in there. We only have the single local EAP profile that I made; if we had multiple profiles, again, you would be able to choose from those there. So it already populated the profile that we had in place, so that's good. And now we're gonna go back up and choose the Apply button. We're gonna get that same warning again, letting us know that this is gonna temporarily disable our wireless networks. Click OK, and then that's completed.

The last thing we need to do for local EAP is to actually configure our user database. So since we're authenticating locally, we actually need to have some local users stored on this wireless LAN controller, otherwise they're not going to be able to authenticate. So let's go under the Security tab at the top again, and on the left, under the AAA menu that's expanded, if we look about halfway down we'll see the Local Net Users option. So let's click on that, and you see this is not populated with any users yet; we don't have any local users configured. So we can click the New button on the right and we can begin to configure our users in there for authentication. So I'll just put a test user in there. So I've created a user called test, I've created the password, re-enter that, and now we can choose a specific wireless network that they can be authenticated on. Notice that we can choose one of the SSIDs that we have configured already, so that's going to allow them to be authorized access on a specific network. So in my case, again, I have the corporate and the guest network. I'll choose corporate, and again I'll click Apply to apply that. You can see that we now have the user listed under our Local Net Users, and that's the last thing we need to do to configure local EAP on the wireless LAN controller.

If we go back to our main WLANs window and we see our list of networks here, if you look over on the right under Security Policies, notice that both of these networks display the Auth 802.1X beside them under the Security Policies column. So this is how we can verify that both of these networks are in fact using EAP-based authentication methods. We can also ensure from here that they are both in the enabled state, and they are in fact in that state, so that's exactly what we would want to see. So that's a look at how we can configure EAP-based authentication both locally on a Cisco wireless LAN controller and using an external RADIUS server. [Music]
Info
Channel: Kevin Wallace Training, LLC
Views: 8,572
Keywords: 350-401, cisco ccnp enterprise, ccnp enterprise, cisco, wireless, eap, extensible authentication protocol, cisco wlan controller, ccna, ccnp, CCIE, 200-301, #kwtrain, wireless networking, wireless security
Id: JSbUPJxg-yg
Length: 13min 46sec (826 seconds)
Published: Wed Apr 15 2020